

Maybe Backdoor.rustock.b? System32:lzx32.sys


13 replies to this topic

#1 bhall (Members, 7 posts)

Posted 23 January 2007 - 07:50 PM

I followed all of the directions before posting; here is my HijackThis log. I get the blue screen of death with system32:lzx32.sys referenced when I do certain things, i.e. whenever the computer comes out of hibernation and when I try to install the malware software that comes with the new IE. Please help!

Logfile of HijackThis v1.99.1
Scan saved at 7:30:51 PM, on 1/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Prevx1\PXConsole.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Advanced System Optimizer\IEHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
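
A note for anyone reading a log like this one: the "System32:lzx32.sys" in the thread title is NTFS alternate data stream (ADS) notation, a stream named lzx32.sys attached to the System32 directory rather than a file inside it. That is why the driver has no ordinary file path and why nothing in the HijackThis log above refers to it; HijackThis lists registry autostarts and services, not hidden streams or hidden drivers. The script below is an added example written for this page (not code from BleepingComputer, from the HijackThis project or from anyone in this thread). It applies the checks a responder makes on a first read of such a log: unnamed BHOs, autorun targets given as bare filenames, AppInit_DLLs / Winlogon Notify entries, services with no vendor string or a missing binary, and any path that uses ADS syntax. The sample log is constructed from lines in the same format as the log above; the final O23 line is hypothetical and exists only to exercise the ADS check.

```python
"""Triage heuristics for a HijackThis 1.99-style log (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the same line format as the log above. The last O23
# line is hypothetical: it exists only to exercise the alternate-data-stream
# check, and no such entry appears in the poster's real log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Example (hypothetical) - Unknown owner - C:\WINDOWS\System32:lzx32.sys
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")
# A path component followed by ':' and a stream name, e.g. \System32:lzx32.sys.
# A drive-letter colon ("C:\") never follows a separator, so it does not match.
ADS_RE = re.compile(r'[\\/][^\\/:"\s]+:[^\\/:"\s]+')


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "review"
    reason: str
    line: str


def triage_entry(line: str) -> list[Finding]:
    """Apply the heuristics to one log line; an empty list means nothing to flag."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    kind, body = m.group("kind"), m.group("body")
    found: list[Finding] = []
    if ADS_RE.search(body):
        found.append(Finding("high", "path points into an NTFS alternate data stream", line))
    if kind == "O2" and "(no name)" in body:
        found.append(Finding("review", "BHO registered without a name", line))
    if kind == "O4" and "]" in body:
        # Text after the [name] tag is the command; a bare filename is resolved
        # by a PATH search, so a look-alike earlier in the PATH would win.
        target = body.split("]", 1)[1].strip().strip('"')
        if "\\" not in target and "/" not in target:
            found.append(Finding("review", "autorun target is a bare filename found via PATH search", line))
    if kind == "O20":
        found.append(Finding("review", "AppInit_DLLs / Winlogon Notify DLLs load into many processes", line))
    if kind == "O23":
        if "Unknown owner" in body:
            found.append(Finding("review", "service binary carries no recognised vendor string", line))
        if "(file missing)" in body:
            found.append(Finding("review", "service points at a file that is not on disk", line))
    return found


def triage_log(text: str) -> list[Finding]:
    """Run triage_entry over every line and return all findings in log order."""
    return [f for line in text.splitlines() for f in triage_entry(line)]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}: {f.line.strip()}")
```

The "review" findings are prompts to look, not verdicts: every flagged line in the sample except the hypothetical ADS one also appears in the poster's log and belongs to a legitimate product. To actually enumerate streams on a directory such as C:\WINDOWS\System32, use a tool that lists them (Sysinternals Streams on Windows XP; `dir /r` only exists from Windows Vista onward), and bear in mind that a kernel-mode rootkit can hide its stream from tools run on the live system, which is why the responders in this thread move to Safe Mode and dedicated tools rather than trusting the HijackThis log alone.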


#2 Aaflac (Malware Response Team, 2,307 posts, Location: USA)

    Doin' Dis 'n Dat...

Posted 23 January 2007 - 10:21 PM

Please download AVG Anti-Spyware:
http://www.ewido.net/en/download/
Locate the icon on the Desktop and double-click it to launch the program.

Now, update the definition files:
On the main screen select Update, and then select the Update Now link.
Next, select the Start Update button
(The update starts and a progress bar shows the updates installed.)

Once the update completes select: Scanner (the top of the screen)
Select the Settings tab
Once in the Settings screen click on: Recommended actions
Select: Quarantine
Under: Reports, select: Automatically generate report after every scan
Un-Select: Only if threats were found
Close AVG AS for now. We will use it later after removing some of the malware entries on your log.

~~~~
Reboot to Safe Mode:
-Restart your computer.
-When the machine first starts again, tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
-Select the option for Safe Mode using the arrow keys.
-Press Enter to boot into Safe Mode.

~~~~
Go to Start > Control Panel > Internet Options
In the General tab, Temporary Internet Files, click: Delete Files
When prompted, check: Delete all offline content
You can also check: Delete Cookies
(You will have to re-enter passwords at websites that require them.)
Click OK

Then, go to Start > Run and enter: cleanmgr
Select the drive to clean: C:\
Check the following boxes and then press OK to remove:
Temporary Files
Temporary Internet Files
RecycleBin

Agree to the prompt to perform the action...

~~~~
Still in Safe Mode, launch AVG AS once again
Select: Scanner (at the top)
Select the Scan tab
Click on: Complete System Scan
AVG AS begins the scanning process, and it may take a while.
Please do not open any other windows or programs while AVG AS is scanning; it may interfere with the scanning process!!

Once the scan is complete, AVG AS lists any infections found.
It also automatically sets the recommended action.
Click: Apply all actions
AVG AS will then display: All actions have been applied

Next select: Reports (at the top)
Select: Save report as (lower left of the screen)
Save the report to a text file in a location where you can find it!
Close AVG AS.

~~~~
Restart the computer.

~~~~
Next, download ComboFix to the Desktop:
http://download.bleepingcomputer.com/sUBs/combofix.exe
Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)

A log, combofix.txt is produced.

~~~~
Please provide the following:
The AVG AS report
The ComboFix.txt
A new HijackThis log

Old duck...


#3 bhall (Topic Starter, Members, 7 posts)

Posted 24 January 2007 - 12:01 PM

The blue screen came up again; this time it said DRIVER_IRQL_NOT_LESS_OR_EQUAL. I don't know if that tells you anything.

Here is my AVG AS report
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:42:41 AM 1/24/2007

+ Scan result:

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP43\A0008684.exe -> Hijacker.Costrat.z : Cleaned.
:mozilla.118:C:\Documents and Settings\Donna\Application Data\Mozilla\Firefox\Profiles\4t04mypz.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.146:C:\Documents and Settings\Donna\Application Data\Mozilla\Firefox\Profiles\4t04mypz.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.22:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\qxle1phb.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.27:C:\Documents and Settings\Donna\Application Data\Mozilla\Firefox\Profiles\4t04mypz.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.29:C:\Documents and Settings\Donna\Application Data\Mozilla\Firefox\Profiles\4t04mypz.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.30:C:\Documents and Settings\Donna\Application Data\Mozilla\Firefox\Profiles\4t04mypz.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.70:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.75:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.76:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.77:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.78:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.79:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.80:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.81:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.82:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.83:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.95:C:\Documents and Settings\Donna\Application Data\Mozilla\Firefox\Profiles\4t04mypz.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.174:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.202:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.203:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.204:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.205:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.206:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.207:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.10:C:\Documents and Settings\Donna\Application Data\Mozilla\Firefox\Profiles\4t04mypz.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.12:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\qxle1phb.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.27:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.28:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.29:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.30:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.31:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.6:C:\Documents and Settings\Donna\Application Data\Mozilla\Firefox\Profiles\4t04mypz.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.6:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\qxle1phb.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.7:C:\Documents and Settings\Donna\Application Data\Mozilla\Firefox\Profiles\4t04mypz.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.7:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\qxle1phb.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.8:C:\Documents and Settings\Donna\Application Data\Mozilla\Firefox\Profiles\4t04mypz.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.8:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\qxle1phb.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.9:C:\Documents and Settings\Donna\Application Data\Mozilla\Firefox\Profiles\4t04mypz.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.10:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\qxle1phb.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.23:C:\Documents and Settings\Donna\Application Data\Mozilla\Firefox\Profiles\4t04mypz.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.49:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Mike\Cookies\mike@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.142:C:\Documents and Settings\Donna\Application Data\Mozilla\Firefox\Profiles\4t04mypz.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned.
:mozilla.58:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned.
:mozilla.131:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.192:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.23:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\bsfkmzq5.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.172:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Coremetrics : Cleaned.
:mozilla.91:C:\Documents and Settings\Donna\Application Data\Mozilla\Firefox\Profiles\4t04mypz.default\cookies.txt -> TrackingCookie.Coremetrics : Cleaned.
:mozilla.11:C:\Documents and Settings\Donna\Application Data\Mozilla\Firefox\Profiles\4t04mypz.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.26:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.9:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\qxle1phb.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Mike\Cookies\mike@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.101:C:\Documents and Settings\Donna\Application Data\Mozilla\Firefox\Profiles\4t04mypz.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.102:C:\Documents and Settings\Donna\Application Data\Mozilla\Firefox\Profiles\4t04mypz.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.103:C:\Documents and Settings\Donna\Application Data\Mozilla\Firefox\Profiles\4t04mypz.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.33:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.34:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.35:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.98:C:\Documents and Settings\Donna\Application Data\Mozilla\Firefox\Profiles\4t04mypz.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.87:C:\Documents and Settings\Donna\Application Data\Mozilla\Firefox\Profiles\4t04mypz.default\cookies.txt -> TrackingCookie.Information : Cleaned.
:mozilla.164:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Linksynergy : Cleaned.
:mozilla.165:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Linksynergy : Cleaned.
:mozilla.127:C:\Documents and Settings\Donna\Application Data\Mozilla\Firefox\Profiles\4t04mypz.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.128:C:\Documents and Settings\Donna\Application Data\Mozilla\Firefox\Profiles\4t04mypz.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.159:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.160:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.161:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.20:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\qxle1phb.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.21:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\qxle1phb.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.23:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\qxle1phb.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.24:C:\Documents and Settings\Donna\Application Data\Mozilla\Firefox\Profiles\4t04mypz.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.24:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\qxle1phb.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.25:C:\Documents and Settings\Donna\Application Data\Mozilla\Firefox\Profiles\4t04mypz.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.26:C:\Documents and Settings\Donna\Application Data\Mozilla\Firefox\Profiles\4t04mypz.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.28:C:\Documents and Settings\Donna\Application Data\Mozilla\Firefox\Profiles\4t04mypz.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.78:C:\Documents and Settings\Donna\Application Data\Mozilla\Firefox\Profiles\4t04mypz.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.79:C:\Documents and Settings\Donna\Application Data\Mozilla\Firefox\Profiles\4t04mypz.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.80:C:\Documents and Settings\Donna\Application Data\Mozilla\Firefox\Profiles\4t04mypz.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.11:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\qxle1phb.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.36:C:\Documents and Settings\Donna\Application Data\Mozilla\Firefox\Profiles\4t04mypz.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.99:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.116:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.29:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\bsfkmzq5.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.30:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\bsfkmzq5.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.31:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\bsfkmzq5.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.106:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.107:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.108:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.109:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.155:C:\Documents and Settings\Donna\Application Data\Mozilla\Firefox\Profiles\4t04mypz.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.156:C:\Documents and Settings\Donna\Application Data\Mozilla\Firefox\Profiles\4t04mypz.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.157:C:\Documents and Settings\Donna\Application Data\Mozilla\Firefox\Profiles\4t04mypz.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.137:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.138:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.158:C:\Documents and Settings\Donna\Application Data\Mozilla\Firefox\Profiles\4t04mypz.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.159:C:\Documents and Settings\Donna\Application Data\Mozilla\Firefox\Profiles\4t04mypz.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Mike\Cookies\mike@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.86:C:\Documents and Settings\Donna\Application Data\Mozilla\Firefox\Profiles\4t04mypz.default\cookies.txt -> TrackingCookie.Revenue : Cleaned.
:mozilla.31:C:\Documents and Settings\Donna\Application Data\Mozilla\Firefox\Profiles\4t04mypz.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.62:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.63:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.64:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.65:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.66:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.67:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.68:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.186:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.187:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.188:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.189:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.190:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.154:C:\Documents and Settings\Donna\Application Data\Mozilla\Firefox\Profiles\4t04mypz.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Mike\Cookies\mike@anad.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Mike\Cookies\mike@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Mike\Cookies\mike@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.161:C:\Documents and Settings\Donna\Application Data\Mozilla\Firefox\Profiles\4t04mypz.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.162:C:\Documents and Settings\Donna\Application Data\Mozilla\Firefox\Profiles\4t04mypz.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.41:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.42:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.43:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.44:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.45:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.46:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.47:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.48:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.131:C:\Documents and Settings\Donna\Application Data\Mozilla\Firefox\Profiles\4t04mypz.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.17:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.21:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.19:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\bsfkmzq5.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.92:C:\Documents and Settings\Donna\Application Data\Mozilla\Firefox\Profiles\4t04mypz.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.
C:\Documents and Settings\Mike\Cookies\mike@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.110:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.111:C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\gvii40fl.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.100:C:\Documents and Settings\Donna\Application Data\Mozilla\Firefox\Profiles\4t04mypz.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP40\A0007529.sys -> Trojan.Small.bs : Cleaned.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP42\A0008660.sys -> Trojan.Small.bs : Cleaned.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP43\A0008710.sys -> Trojan.Small.bs : Cleaned.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP43\A0008722.sys -> Trojan.Small.bs : Cleaned.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP44\A0009750.sys -> Trojan.Small.bs : Cleaned.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP46\A0011831.sys -> Trojan.Small.bs : Cleaned.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0012888.sys -> Trojan.Small.bs : Cleaned.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP48\A0018896.exe -> Trojan.Small.bs : Cleaned.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP48\A0019897.exe -> Trojan.Small.bs : Cleaned.


::Report end

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Here is my ComboFix report

"Ben" - 07-01-24 11:49:57 Service Pack 2
ComboFix 07-01-24.2 - Running from: "C:\Program Files\Mozilla Firefox"

((((((((((((((((((((((((((((((( Files Created from 2006-12-24 to 2007-01-24 ))))))))))))))))))))))))))))))))))


2007-01-24 00:06 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-01-24 00:06 <DIR> d-------- C:\Program Files\Grisoft
2007-01-23 19:29 <DIR> d-------- C:\Program Files\HijackThis
2007-01-23 17:59 <DIR> d-------- C:\DOCUME~1\Ben\.housecall6.6
2007-01-23 17:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Spybot - Search & Destroy
2007-01-21 22:33 <DIR> d-------- C:\Program Files\Lavasoft
2007-01-21 22:33 <DIR> d-------- C:\DOCUME~1\Ben\Application Data\Lavasoft
2007-01-21 22:05 <DIR> d-------- C:\DOCUME~1\Ben\Application Data\Systweak
2007-01-21 21:37 <DIR> d-------- C:\DOCUME~1\Mike\Application Data\Prevx
2007-01-21 21:28 <DIR> d-------- C:\e306362c54a431cdd48fa229
2007-01-21 21:13 <DIR> d-------- C:\52ce0c079603a79ecabeca
2007-01-21 20:35 <DIR> d-------- C:\d421c2dc4d79eb2545a1d9a27e
2007-01-21 20:14 9,728 --a------ C:\WINDOWS\system32\drivers\pxscinst.dll
2007-01-21 20:14 7,680 --a------ C:\WINDOWS\system32\drivers\pxinst.dll
2007-01-21 20:14 7,552 --a------ C:\WINDOWS\system32\drivers\pxcom.sys
2007-01-21 20:14 274,688 --a------ C:\WINDOWS\system32\drivers\pxfsf.sys
2007-01-21 20:14 18,560 --a------ C:\WINDOWS\system32\drivers\pxtdi.sys
2007-01-21 20:14 13,952 --a------ C:\WINDOWS\system32\drivers\pxrd.sys
2007-01-21 20:14 11,648 --a------ C:\WINDOWS\system32\drivers\pxscrmbl.sys
2007-01-21 20:14 100,864 --a------ C:\WINDOWS\system32\drivers\PxEmu.sys
2007-01-21 20:14 <DIR> d-------- C:\Program Files\Prevx1
2007-01-21 20:14 <DIR> d-------- C:\DOCUME~1\Ben\Application Data\Prevx
2007-01-21 20:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Prevx
2007-01-21 19:15 7,168 --a------ C:\WINDOWS\system32\DLPT64.sys
2007-01-21 19:15 5,632 --a------ C:\WINDOWS\system32\GPCIEn64.sys
2007-01-21 19:15 5,120 --a------ C:\WINDOWS\system32\GTKCMO64.sys
2007-01-21 19:15 4,608 --a------ C:\WINDOWS\system32\DDMI64.sys
2007-01-21 19:14 <DIR> d-------- C:\WINDOWS\system32\Dell
2007-01-21 19:09 <DIR> d-------- C:\b1a4e9ab4feefb92ea2a
2007-01-21 19:05 <DIR> d-------- C:\b5603c1c60bdfda25be4ff288fc0
2007-01-21 16:42 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-01-21 16:40 <DIR> d-------- C:\72532498a234deb8c029d7
2007-01-21 16:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Windows Genuine Advantage
2007-01-20 13:34 <DIR> d-------- C:\DOCUME~1\Ben\Application Data\Google
2007-01-07 15:14 <DIR> d-------- C:\DOCUME~1\Ben\Application Data\Corel
2006-12-27 23:05 <DIR> d-------- C:\DOCUME~1\Ben\Application Data\Apple Computer
2006-12-27 21:02 98,304 --a------ C:\WINDOWS\system32\msir3jp.dll
2006-12-27 21:02 9,216 --a------ C:\WINDOWS\system32\kbdnecAT.dll
2006-12-27 21:02 838,144 --a------ C:\WINDOWS\system32\chtbrkr.dll
2006-12-27 21:02 811,064 --a------ C:\WINDOWS\system32\imjp81k.dll
2006-12-27 21:02 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2006-12-27 21:02 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2006-12-27 21:02 76,288 --a------ C:\WINDOWS\system32\uniime.dll
2006-12-27 21:02 70,656 --a------ C:\WINDOWS\system32\korwbrkr.dll
2006-12-27 21:02 7,680 --a------ C:\WINDOWS\system32\kbdnecNT.dll
2006-12-27 21:02 7,168 --a------ C:\WINDOWS\system32\kbdnec95.dll
2006-12-27 21:02 7,168 --a------ C:\WINDOWS\system32\kbdibm02.dll
2006-12-27 21:02 7,168 --a------ C:\WINDOWS\system32\f3ahvoas.dll
2006-12-27 21:02 6,656 --a------ C:\WINDOWS\system32\kbdlk41a.dll
2006-12-27 21:02 6,656 --a------ C:\WINDOWS\system32\c_is2022.dll
2006-12-27 21:02 6,144 --a------ C:\WINDOWS\system32\kbdlk41j.dll
2006-12-27 21:02 6,144 --a------ C:\WINDOWS\system32\kbdax2.dll
2006-12-27 21:02 6,144 --a------ C:\WINDOWS\system32\kbd106n.dll
2006-12-27 21:02 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2006-12-27 21:02 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2006-12-27 21:02 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2006-12-27 21:02 6,144 --a------ C:\WINDOWS\system32\kbd101a.dll
2006-12-27 21:02 6,144 --a------ C:\WINDOWS\system32\kbd101.dll
2006-12-27 21:02 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
2006-12-27 21:02 218,112 --a------ C:\WINDOWS\system32\c_g18030.dll
2006-12-27 21:02 1,677,824 --a------ C:\WINDOWS\system32\chsbrkr.dll
2006-12-27 20:56 364,544 --a------ C:\WINDOWS\system32\cdg.dll
2006-12-27 20:56 348,160 --a------ C:\WINDOWS\system32\cdga.dll
2006-12-27 20:56 14,909 --a------ C:\WINDOWS\system32\A_reg.reg
2006-12-27 20:51 <DIR> d-------- C:\Program Files\Cucusoft
2006-12-27 20:51 <DIR> d-------- C:\ConverterOutput
2006-12-27 20:25 <DIR> d-------- C:\DOCUME~1\Ben\Application Data\CyberLink


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. A rootkit scan is required

2007-01-24 11:51 -------- d-------- C:\Program Files\mozilla firefox
2007-01-21 19:24 -------- d-------- C:\Program Files\java
2007-01-21 19:14 -------- d-------- C:\Program Files\dell
2007-01-21 14:59 -------- d-------- C:\Program Files\apple software update
2007-01-20 13:35 -------- d-------- C:\Program Files\google
2007-01-07 15:14 61678 --a------ C:\DOCUME~1\Ben\Application Data\pfp120jpr.{pb
2007-01-07 15:14 12358 --a------ C:\DOCUME~1\Ben\Application Data\pfp120jcm.{pb
2007-01-01 17:54 -------- d-------- C:\Program Files\advanced system optimizer
2007-01-01 16:23 -------- d-------- C:\Program Files\sonic
2007-01-01 10:43 88 -r-hs---- C:\WINDOWS\system32\15186a8f57.sys
2007-01-01 10:43 4704 --ahs---- C:\WINDOWS\system32\kgygaavl.sys
2006-12-07 01:40 2362184 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-11-08 00:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ModemOnHold"="C:\\Program Files\\NetWaiting\\netWaiting.exe"
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"OE_OEM"="\"C:\\Program Files\\Trend Micro\\Internet Security 12\\TMAS_OE\\TMAS_OEMon.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"
"Broadcom Wireless Manager UI"="C:\\WINDOWS\\system32\\WLTRAY.exe"
"SigmatelSysTrayApp"="stsystra.exe"
"Dell QuickSet"="C:\\Program Files\\Dell\\QuickSet\\quickset.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"ISUSPM Startup"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\isuspm.exe\" -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Norton Ghost 10.0"="\"C:\\Program Files\\Norton Ghost\\Agent\\GhostTray.exe\""
@=""
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security 12\\pccguide.exe\""
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"PrevxOne"="\"C:\\Program Files\\Prevx1\\PXConsole.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

Completion time: 07-01-24 11:52:06

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

And here is my HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 11:53:31 AM, on 1/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Advanced System Optimizer\IEHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
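
The ComboFix report above carries the two signals the helper acts on next: the "Rootkit driver pe386 is present" line, and a pair of hidden+system `.sys` files with random names sitting in system32 (`15186a8f57.sys`, `kgygaavl.sys`). The following is an added example, not part of the thread and not code from ComboFix, showing how a responder might parse the "Files Created"/"Find3M" entries into records and flag those entries for a closer look. The sample report is constructed from the lines posted above; the two heuristics (hidden+system files under system32, hex-named folders at the drive root) are the author's assumptions chosen to mirror what the helper flags in this thread, not ComboFix's own logic.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample, shaped like the ComboFix "Files Created" and "Find3M"
# sections posted in the thread: date, time, size (or <DIR> / --------),
# a 9-character attribute string, then the path.
SAMPLE_REPORT = r"""
2007-01-24 00:06 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-01-21 21:28 <DIR> d-------- C:\e306362c54a431cdd48fa229
2007-01-21 19:15 7,168 --a------ C:\WINDOWS\system32\DLPT64.sys
Rootkit driver pe386 is present. A rootkit scan is required
2007-01-01 10:43 88 -r-hs---- C:\WINDOWS\system32\15186a8f57.sys
2007-01-01 10:43 4704 --ahs---- C:\WINDOWS\system32\kgygaavl.sys
2006-12-07 01:40 2362184 --a------ C:\WINDOWS\system32\wmvcore.dll
2007-01-24 11:51 -------- d-------- C:\Program Files\mozilla firefox
"""

ENTRY_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>\S+) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)
ROOTKIT_RE = re.compile(r"^Rootkit driver (\S+) is present", re.IGNORECASE)
# Assumption: a drive-root folder whose name is a long run of hex digits.
HEX_ROOT_DIR_RE = re.compile(r"^[A-Za-z]:\\[0-9a-f]{16,}$")


@dataclass
class Entry:
    date: str
    time: str
    size: str    # "<DIR>", "--------", or a byte count (possibly comma-grouped)
    attrs: str   # ComboFix attribute string, e.g. "-r-hs----" (r=read-only, h=hidden, s=system)
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def hidden_system(self) -> bool:
        return "h" in self.attrs and "s" in self.attrs


def parse_entries(report: str) -> List[Entry]:
    """Return every line that has the date/time/size/attrs/path shape."""
    entries = []
    for line in report.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(**m.groupdict()))
    return entries


def rootkit_warnings(report: str) -> List[str]:
    """Driver names from any 'Rootkit driver X is present' line."""
    return [m.group(1) for line in report.splitlines()
            if (m := ROOTKIT_RE.match(line.strip()))]


def triage(report: str) -> List[Tuple[str, str]]:
    """(reason, path-or-name) pairs worth a responder's attention."""
    findings = [("rootkit driver reported", n) for n in rootkit_warnings(report)]
    for e in parse_entries(report):
        low = e.path.lower()
        if not e.is_dir and e.hidden_system and "\\windows\\system32\\" in low:
            # Hidden+system attributes on an oddly named file in system32
            # is how the two rootkit-dropped drivers show up in this report.
            findings.append(("hidden+system file in system32", e.path))
        elif e.is_dir and HEX_ROOT_DIR_RE.match(e.path):
            findings.append(("hex-named folder at drive root", e.path))
    return findings


if __name__ == "__main__":
    for reason, what in triage(SAMPLE_REPORT):
        print(f"{reason:32s} {what}")
```

The attribute flags are the only evidence this parser uses; a real triage would then hash the flagged files and look them up, which is exactly what the helper asks for in the later posts.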

#4 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 24 January 2007 - 09:36 PM

There is a RootKit involved: pe386
A RootKit is (in very basic terms) software intended to hide running processes, files or system data. It may modify parts of the operating system or install itself as a driver.

Please download RustBFix by ejvindh:
http://www.uploads.ejvindh.net/rustbfix.exe
Save it to the Desktop.

Double click on rustbfix.exe to run the tool.
If a Rustock.b-infection is found, you are asked to reboot the computer.
The reboot will probably take a while, and perhaps 2 reboots are needed, but this will happen automatically.

After the reboot(s) 2 log files open: Avenger.txt and a Pelog.txt
Please post both log files in your reply.

Old duck...


#5 bhall

bhall
  • Topic Starter

  • Members
  • 7 posts

Posted 24 January 2007 - 10:41 PM

Here are the two log files. Thanks for all the help.


************************* Rustock.b-fix -- By ejvindh *************************
Wed 01/24/2007 22:32:48.79

******************* Pre-run Status of system *******************

Rootkit driver PE386 is found. Starting the unload-procedure....

Rustock.b-ADS attached to the System32-folder:
:lzx32.sys 70570
Total size: 70570 bytes.
Attempting to remove ADS...
system32: deleted 70570 bytes in 1 streams.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32


******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No System32-ADS found.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32


******************************* End of Logfile ********************************



Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ewmqqlvi

*******************

Script file located at: \??\C:\wwoilrkf.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver PE386 unloaded successfully.
Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.
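
The RustBFix log above is the interesting artifact of this thread: the rootkit's driver was not a file in System32 at all but an NTFS alternate data stream attached to the System32 folder itself (`:lzx32.sys 70570`), which is why the original blue screen named `system32:lzx32.sys`. The following is an added example, not part of the thread and not code from RustBFix or The Avenger, that reads both logs into a pre-run/post-run structure so the "did it actually come off clean" question can be answered mechanically rather than by eye. The sample logs are constructed from the output posted above; the function names and the consistency check on stream sizes are the author's assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample shaped like the Rustock.b-fix log posted above.
SAMPLE_RUSTBFIX_LOG = r"""
******************* Pre-run Status of system *******************

Rootkit driver PE386 is found. Starting the unload-procedure....

Rustock.b-ADS attached to the System32-folder:
:lzx32.sys 70570
Total size: 70570 bytes.
Attempting to remove ADS...
system32: deleted 70570 bytes in 1 streams.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32


******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No System32-ADS found.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32
"""

# Constructed sample shaped like The Avenger log posted above.
SAMPLE_AVENGER_LOG = r"""
Beginning to process script file:

Driver PE386 unloaded successfully.
Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.

Completed script processing.
"""

PHASE_RE = re.compile(r"^\*+ (Pre|Post)-run Status", re.IGNORECASE)
DRIVER_FOUND_RE = re.compile(r"^Rootkit driver (\S+) is found", re.IGNORECASE)
STREAM_RE = re.compile(r"^(:\S+) (\d+)$")          # ":lzx32.sys 70570"
TOTAL_RE = re.compile(r"^Total size: (\d+) bytes")
UNLOADED_RE = re.compile(r"^Driver (\S+) unloaded successfully")


@dataclass
class Phase:
    driver_found: bool = False
    streams: Dict[str, int] = field(default_factory=dict)  # ADS name -> bytes
    total_size: Optional[int] = None                       # from "Total size:" line


def parse_rustbfix(log: str) -> Dict[str, Phase]:
    """Split the log into 'pre' and 'post' phases and collect findings per phase."""
    phases: Dict[str, Phase] = {}
    current: Optional[Phase] = None
    for raw in log.splitlines():
        line = raw.strip()
        m = PHASE_RE.match(line)
        if m:
            current = Phase()
            phases[m.group(1).lower()] = current
            continue
        if current is None:
            continue
        if DRIVER_FOUND_RE.match(line):
            current.driver_found = True
        elif (m := STREAM_RE.match(line)):
            current.streams[m.group(1)] = int(m.group(2))
        elif (m := TOTAL_RE.match(line)):
            current.total_size = int(m.group(1))
    return phases


def stream_totals_consistent(phase: Phase) -> bool:
    """The tool's 'Total size' should equal the sum of the streams it listed."""
    return phase.total_size is None or sum(phase.streams.values()) == phase.total_size


def is_clean(phases: Dict[str, Phase]) -> bool:
    """Post-run phase present, no driver reported, no ADS left on System32."""
    post = phases.get("post")
    return post is not None and not post.driver_found and not post.streams


def avenger_unloaded_drivers(log: str) -> List[str]:
    return [m.group(1) for line in log.splitlines()
            if (m := UNLOADED_RE.match(line.strip()))]


if __name__ == "__main__":
    phases = parse_rustbfix(SAMPLE_RUSTBFIX_LOG)
    print("pre-run streams :", phases["pre"].streams)
    print("unloaded drivers:", avenger_unloaded_drivers(SAMPLE_AVENGER_LOG))
    print("clean after run :", is_clean(phases))
```

A stream attached to a directory is invisible to an ordinary file listing, which is why the earlier scans that walked System32 file by file reported nothing while the rootkit was still loading from there.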

#6 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 25 January 2007 - 09:53 AM

:thumbsup:

Please run ComboFix once again, and provide its report.

Old duck...


#7 bhall

bhall
  • Topic Starter

  • Members
  • 7 posts

Posted 25 January 2007 - 11:22 AM

Combo Fix report:

"Ben" - 07-01-25 11:15:51 Service Pack 2
ComboFix 07-01-24.2 - Running from: "C:\Documents and Settings\Ben\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-12-25 to 2007-01-25 ))))))))))))))))))))))))))))))))))


2007-01-24 22:37 <DIR> d-------- C:\avenger
2007-01-24 22:32 <DIR> d-------- C:\Rustbfix
2007-01-24 16:10 <DIR> d-------- C:\42e29a672b12e6ae7069bd
2007-01-24 00:06 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-01-24 00:06 <DIR> d-------- C:\Program Files\Grisoft
2007-01-23 19:29 <DIR> d-------- C:\Program Files\HijackThis
2007-01-23 17:59 <DIR> d-------- C:\DOCUME~1\Ben\.housecall6.6
2007-01-23 17:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Spybot - Search & Destroy
2007-01-21 22:33 <DIR> d-------- C:\Program Files\Lavasoft
2007-01-21 22:33 <DIR> d-------- C:\DOCUME~1\Ben\Application Data\Lavasoft
2007-01-21 22:05 <DIR> d-------- C:\DOCUME~1\Ben\Application Data\Systweak
2007-01-21 21:37 <DIR> d-------- C:\DOCUME~1\Mike\Application Data\Prevx
2007-01-21 21:28 <DIR> d-------- C:\e306362c54a431cdd48fa229
2007-01-21 21:13 <DIR> d-------- C:\52ce0c079603a79ecabeca
2007-01-21 20:35 <DIR> d-------- C:\d421c2dc4d79eb2545a1d9a27e
2007-01-21 20:14 9,728 --a------ C:\WINDOWS\system32\drivers\pxscinst.dll
2007-01-21 20:14 7,680 --a------ C:\WINDOWS\system32\drivers\pxinst.dll
2007-01-21 20:14 7,552 --a------ C:\WINDOWS\system32\drivers\pxcom.sys
2007-01-21 20:14 274,688 --a------ C:\WINDOWS\system32\drivers\pxfsf.sys
2007-01-21 20:14 18,560 --a------ C:\WINDOWS\system32\drivers\pxtdi.sys
2007-01-21 20:14 13,952 --a------ C:\WINDOWS\system32\drivers\pxrd.sys
2007-01-21 20:14 11,648 --a------ C:\WINDOWS\system32\drivers\pxscrmbl.sys
2007-01-21 20:14 100,864 --a------ C:\WINDOWS\system32\drivers\PxEmu.sys
2007-01-21 20:14 <DIR> d-------- C:\Program Files\Prevx1
2007-01-21 20:14 <DIR> d-------- C:\DOCUME~1\Ben\Application Data\Prevx
2007-01-21 20:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Prevx
2007-01-21 19:15 7,168 --a------ C:\WINDOWS\system32\DLPT64.sys
2007-01-21 19:15 5,632 --a------ C:\WINDOWS\system32\GPCIEn64.sys
2007-01-21 19:15 5,120 --a------ C:\WINDOWS\system32\GTKCMO64.sys
2007-01-21 19:15 4,608 --a------ C:\WINDOWS\system32\DDMI64.sys
2007-01-21 19:14 <DIR> d-------- C:\WINDOWS\system32\Dell
2007-01-21 19:09 <DIR> d-------- C:\b1a4e9ab4feefb92ea2a
2007-01-21 19:05 <DIR> d-------- C:\b5603c1c60bdfda25be4ff288fc0
2007-01-21 16:42 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-01-21 16:40 <DIR> d-------- C:\72532498a234deb8c029d7
2007-01-21 16:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Windows Genuine Advantage
2007-01-20 13:34 <DIR> d-------- C:\DOCUME~1\Ben\Application Data\Google
2007-01-07 15:14 <DIR> d-------- C:\DOCUME~1\Ben\Application Data\Corel
2006-12-27 23:05 <DIR> d-------- C:\DOCUME~1\Ben\Application Data\Apple Computer
2006-12-27 21:02 98,304 --a------ C:\WINDOWS\system32\msir3jp.dll
2006-12-27 21:02 9,216 --a------ C:\WINDOWS\system32\kbdnecAT.dll
2006-12-27 21:02 838,144 --a------ C:\WINDOWS\system32\chtbrkr.dll
2006-12-27 21:02 811,064 --a------ C:\WINDOWS\system32\imjp81k.dll
2006-12-27 21:02 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2006-12-27 21:02 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2006-12-27 21:02 76,288 --a------ C:\WINDOWS\system32\uniime.dll
2006-12-27 21:02 70,656 --a------ C:\WINDOWS\system32\korwbrkr.dll
2006-12-27 21:02 7,680 --a------ C:\WINDOWS\system32\kbdnecNT.dll
2006-12-27 21:02 7,168 --a------ C:\WINDOWS\system32\kbdnec95.dll
2006-12-27 21:02 7,168 --a------ C:\WINDOWS\system32\kbdibm02.dll
2006-12-27 21:02 7,168 --a------ C:\WINDOWS\system32\f3ahvoas.dll
2006-12-27 21:02 6,656 --a------ C:\WINDOWS\system32\kbdlk41a.dll
2006-12-27 21:02 6,656 --a------ C:\WINDOWS\system32\c_is2022.dll
2006-12-27 21:02 6,144 --a------ C:\WINDOWS\system32\kbdlk41j.dll
2006-12-27 21:02 6,144 --a------ C:\WINDOWS\system32\kbdax2.dll
2006-12-27 21:02 6,144 --a------ C:\WINDOWS\system32\kbd106n.dll
2006-12-27 21:02 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2006-12-27 21:02 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2006-12-27 21:02 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2006-12-27 21:02 6,144 --a------ C:\WINDOWS\system32\kbd101a.dll
2006-12-27 21:02 6,144 --a------ C:\WINDOWS\system32\kbd101.dll
2006-12-27 21:02 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
2006-12-27 21:02 218,112 --a------ C:\WINDOWS\system32\c_g18030.dll
2006-12-27 21:02 1,677,824 --a------ C:\WINDOWS\system32\chsbrkr.dll
2006-12-27 20:56 364,544 --a------ C:\WINDOWS\system32\cdg.dll
2006-12-27 20:56 348,160 --a------ C:\WINDOWS\system32\cdga.dll
2006-12-27 20:56 14,909 --a------ C:\WINDOWS\system32\A_reg.reg
2006-12-27 20:51 <DIR> d-------- C:\Program Files\Cucusoft
2006-12-27 20:51 <DIR> d-------- C:\ConverterOutput
2006-12-27 20:25 <DIR> d-------- C:\DOCUME~1\Ben\Application Data\CyberLink


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-25 11:14 -------- d-------- C:\Program Files\mozilla firefox
2007-01-21 19:24 -------- d-------- C:\Program Files\java
2007-01-21 19:14 -------- d-------- C:\Program Files\dell
2007-01-21 14:59 -------- d-------- C:\Program Files\apple software update
2007-01-20 13:35 -------- d-------- C:\Program Files\google
2007-01-07 15:14 61678 --a------ C:\DOCUME~1\Ben\Application Data\pfp120jpr.{pb
2007-01-07 15:14 12358 --a------ C:\DOCUME~1\Ben\Application Data\pfp120jcm.{pb
2007-01-01 17:54 -------- d-------- C:\Program Files\advanced system optimizer
2007-01-01 16:23 -------- d-------- C:\Program Files\sonic
2007-01-01 10:43 88 -r-hs---- C:\WINDOWS\system32\15186a8f57.sys
2007-01-01 10:43 4704 --ahs---- C:\WINDOWS\system32\kgygaavl.sys
2006-12-07 01:40 2362184 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-11-08 00:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ModemOnHold"="C:\\Program Files\\NetWaiting\\netWaiting.exe"
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"OE_OEM"="\"C:\\Program Files\\Trend Micro\\Internet Security 12\\TMAS_OE\\TMAS_OEMon.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"
"Broadcom Wireless Manager UI"="C:\\WINDOWS\\system32\\WLTRAY.exe"
"SigmatelSysTrayApp"="stsystra.exe"
"Dell QuickSet"="C:\\Program Files\\Dell\\QuickSet\\quickset.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"ISUSPM Startup"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\isuspm.exe\" -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Norton Ghost 10.0"="\"C:\\Program Files\\Norton Ghost\\Agent\\GhostTray.exe\""
@=""
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security 12\\pccguide.exe\""
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"PrevxOne"="\"C:\\Program Files\\Prevx1\\PXConsole.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

Completion time: 07-01-25 11:18:03
C:\ComboFix2.txt ... 07-01-24 11:52

#8 Aaflac

    Doin' Dis 'n Dat...

  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 25 January 2007 - 10:15 PM

Please copy all the files below (CTRL+C) and paste (CTRL+V) them to Notepad
(Start > Run, type in: notepad):

C:\42e29a672b12e6ae7069bd
C:\e306362c54a431cdd48fa229
C:\52ce0c079603a79ecabeca
C:\d421c2dc4d79eb2545a1d9a27e
C:\b1a4e9ab4feefb92ea2a
C:\b5603c1c60bdfda25be4ff288fc0
C:\72532498a234deb8c029d7


Next, download Killbox:
http://www.downloads.subratam.org/KillBox.zip
Place it in a folder on the Desktop.
Extract Pocket KillBox from the zip file
Double-click on the red circle with white X to run it.

At the main screen of KillBox, select the option: Delete on Reboot
Open the Notepad file saved earlier and copy the files to the clipboard
(Highlight all (Ctrl+A) and Copy (Ctrl+C)).

In KillBox, go to the File menu, and choose: Paste from Clipboard
Then select: All Files (button)
Now, press the button with a red circle and a white X (Delete File button)
KillBox will alert you that the files will be deleted on the next reboot; click Yes
When asked to Reboot, select Yes

Click OK at any PendingFileRenameOperations prompt, and let us know if you receive this message.

Also, if the computer does not restart automatically, restart it manually.

~~~~
There is not much found on the following files, and we need to find out if we need to get rid of them:

C:\WINDOWS\system32\DLPT64.sys
C:\WINDOWS\system32\GPCIEn64.sys
C:\WINDOWS\system32\GTKCMO64.sys
C:\WINDOWS\system32\DDMI64.sys
C:\WINDOWS\system32\cdg.dll
C:\WINDOWS\system32\cdga.dll
C:\WINDOWS\system32\A_reg.reg
C:\WINDOWS\system32\15186a8f57.sys

Please do a Jotti Malware Scan on them:
http://virusscan.jotti.org

In File to upload and scan, browse to each file, one at a time
Then, press: Submit
When the scan completes, copy the report, and post the results.

If Jotti's Malware scan is busy, you can also use this one

Virus Total:
http://www.virustotal.com/flash/index_en.html

You may need to enable the viewing of Hidden Files and Folders as follows:
-At your Desktop, go to Start>My Computer
-Select the Tools menu and then Folder Options
-After the new window appears select the View tab
-Select: Display the contents of system folders
-Under the Hidden files and folders section select: Show hidden files and folders
-Remove the checkmark from Hide file extensions for known file types
-Remove the checkmark from Hide protected operating system files (Recommended)
-Press the Apply button
-Click OK

~~~~
Please provide the information from the scan of the files above, and a new ComboFix report.

Edited by Aaflac, 26 January 2007 - 09:43 AM.

Old duck...


#9 bhall

  • Topic Starter
  • Members
  • 7 posts

Posted 26 January 2007 - 02:21 AM

Here are the results of the file scans and the combofix report. I could not do a scan on C:\Program Files\nccadmin\fwcla\fwclntauth.exe because I could not find it, even after I unhid everything. Also there were no pendingfilerenameoperations prompts on the killbox scan.

File: DLPT64.sys
Status: OK
MD5 b6e310948904fd1a6d399851d55ce763
Packers detected: -
~~~~~~~~~~~~~~~~~~~~
File: GPCIEn64.sys
Status: OK
MD5 481e332b5b5e92114ee26ba603c5c25d
Packers detected: -
~~~~~~~~~~~~~~~~~~~~
File: GTKCMO64.sys
Status: OK
MD5 d2aa4415faf14d8521d58d0241f7d987
Packers detected: -
~~~~~~~~~~~~~~~~~~~~
File: DDMI64.sys
Status: OK
MD5 f00acae2683fb41d244249396018365d
Packers detected: -
~~~~~~~~~~~~~~~~~~~~
virusscan.jotti.org busy, began using virustotal
~~~~~~~~~~~~~~~~~~~~
Complete scanning result of "cdg.dll", received in VirusTotal at 01.26.2007, 08:02:58 (CET).

Antivirus Version Update Result
AntiVir 7.3.0.26 01.25.2007 no virus found
Authentium 4.93.8 01.24.2007 no virus found
Avast 4.7.936.0 01.24.2007 no virus found
AVG 386 01.24.2007 no virus found
BitDefender 7.2 01.25.2007 no virus found
CAT-QuickHeal 9.00 01.25.2007 no virus found
ClamAV devel-20060426 01.25.2007 no virus found
DrWeb 4.33 01.25.2007 no virus found
eSafe 7.0.14.0 01.24.2007 no virus found
eTrust-InoculateIT 23.73.123 01.25.2007 no virus found
eTrust-Vet 30.3.3349 01.25.2007 no virus found
Ewido 4.0 01.24.2007 no virus found
Fortinet 2.85.0.0 01.24.2007 no virus found
F-Prot 4.2.1.29 01.25.2007 no virus found
Ikarus T3.1.0.27 01.25.2007 no virus found
Kaspersky 4.0.2.24 01.25.2007 no virus found
McAfee 4948 01.24.2007 no virus found
Microsoft 1.1904 01.25.2007 no virus found
NOD32v2 2005 01.25.2007 no virus found
Norman 5.80.02 01.25.2007 no virus found
Panda 9.0.0.4 01.25.2007 no virus found
Prevx1 V2 01.26.2007 no virus found
Sophos 4.13.0 01.24.2007 no virus found
Sunbelt 2.2.907.0 01.22.2007 no virus found
TheHacker 6.0.3.156 01.25.2007 no virus found
UNA 1.83 01.24.2007 no virus found
VBA32 3.11.2 01.24.2007 no virus found
VirusBuster 4.3.19:9 01.24.2007 no virus found

Aditional Information
File size: 364544 bytes
MD5: a594b98dc2aaf10e1bff2ae63948792d
SHA1: 2eb5cb138d1e7306a1efa0ec5f2a1e609213d4b5
~~~~~~~~~~~~~~~~~~~~
Complete scanning result of "cdga.dll", received in VirusTotal at 01.26.2007, 08:00:13 (CET).

Antivirus Version Update Result
AntiVir 7.3.0.26 01.25.2007 no virus found
Authentium 4.93.8 01.24.2007 no virus found
Avast 4.7.936.0 01.24.2007 no virus found
AVG 386 01.24.2007 no virus found
BitDefender 7.2 01.25.2007 no virus found
CAT-QuickHeal 9.00 01.25.2007 no virus found
ClamAV devel-20060426 01.25.2007 no virus found
DrWeb 4.33 01.25.2007 no virus found
eSafe 7.0.14.0 01.24.2007 no virus found
eTrust-InoculateIT 23.73.123 01.25.2007 no virus found
eTrust-Vet 30.3.3349 01.25.2007 no virus found
Ewido 4.0 01.24.2007 no virus found
Fortinet 2.85.0.0 01.24.2007 no virus found
F-Prot 4.2.1.29 01.25.2007 no virus found
Ikarus T3.1.0.27 01.25.2007 no virus found
Kaspersky 4.0.2.24 01.25.2007 no virus found
McAfee 4948 01.24.2007 no virus found
Microsoft 1.1904 01.25.2007 no virus found
NOD32v2 2005 01.25.2007 no virus found
Norman 5.80.02 01.25.2007 no virus found
Panda 9.0.0.4 01.25.2007 no virus found
Prevx1 V2 01.26.2007 no virus found
Sophos 4.13.0 01.24.2007 no virus found
Sunbelt 2.2.907.0 01.22.2007 no virus found
TheHacker 6.0.3.156 01.25.2007 no virus found
UNA 1.83 01.24.2007 no virus found
VBA32 3.11.2 01.24.2007 no virus found
VirusBuster 4.3.19:9 01.24.2007 no virus found

Aditional Information
File size: 348160 bytes
MD5: 0df0edd158f7bcc058132db7f430740c
SHA1: e0fc66c1d4ddcd51bb0db79359150478f19bb505
~~~~~~~~~~~~~~~~~~~~~~
Complete scanning result of "A_reg.reg", received in VirusTotal at 01.26.2007, 08:05:10 (CET).

Antivirus Version Update Result
AntiVir 7.3.0.26 01.25.2007 no virus found
Authentium 4.93.8 01.24.2007 no virus found
Avast 4.7.936.0 01.24.2007 no virus found
AVG 386 01.24.2007 no virus found
BitDefender 7.2 01.25.2007 no virus found
CAT-QuickHeal 9.00 01.25.2007 no virus found
ClamAV devel-20060426 01.25.2007 no virus found
DrWeb 4.33 01.25.2007 no virus found
eSafe 7.0.14.0 01.24.2007 no virus found
eTrust-InoculateIT 23.73.123 01.25.2007 no virus found
eTrust-Vet 30.3.3349 01.25.2007 no virus found
Ewido 4.0 01.24.2007 no virus found
Fortinet 2.85.0.0 01.24.2007 no virus found
F-Prot 4.2.1.29 01.25.2007 no virus found
Ikarus T3.1.0.27 01.25.2007 no virus found
Kaspersky 4.0.2.24 01.25.2007 no virus found
McAfee 4948 01.24.2007 no virus found
Microsoft 1.1904 01.25.2007 no virus found
NOD32v2 2005 01.25.2007 no virus found
Norman 5.80.02 01.25.2007 no virus found
Panda 9.0.0.4 01.25.2007 no virus found
Prevx1 V2 01.26.2007 no virus found
Sophos 4.13.0 01.24.2007 no virus found
Sunbelt 2.2.907.0 01.22.2007 no virus found
TheHacker 6.0.3.156 01.25.2007 no virus found
UNA 1.83 01.24.2007 no virus found
VBA32 3.11.2 01.24.2007 no virus found
VirusBuster 4.3.19:9 01.24.2007 no virus found

Aditional Information
File size: 14909 bytes
MD5: 2d49cd262d266f1f5175cf0fc745631a
SHA1: 1cce2ad0e7ffe64eace86e84fc705d25894d4bea
~~~~~~~~~~~~~~~~~~~~
Complete scanning result of "15186A8F57.sys", received in VirusTotal at 01.26.2007, 08:08:33 (CET).

Antivirus Version Update Result
AntiVir 7.3.0.26 01.25.2007 no virus found
Authentium 4.93.8 01.24.2007 no virus found
Avast 4.7.936.0 01.24.2007 no virus found
AVG 386 01.24.2007 no virus found
BitDefender 7.2 01.25.2007 no virus found
CAT-QuickHeal 9.00 01.25.2007 no virus found
ClamAV devel-20060426 01.25.2007 no virus found
DrWeb 4.33 01.25.2007 no virus found
eSafe 7.0.14.0 01.24.2007 no virus found
eTrust-InoculateIT 23.73.123 01.25.2007 no virus found
eTrust-Vet 30.3.3349 01.25.2007 no virus found
Ewido 4.0 01.24.2007 no virus found
Fortinet 2.85.0.0 01.24.2007 no virus found
F-Prot 4.2.1.29 01.25.2007 no virus found
Ikarus T3.1.0.27 01.25.2007 no virus found
Kaspersky 4.0.2.24 01.25.2007 no virus found
McAfee 4948 01.24.2007 no virus found
Microsoft 1.1904 01.25.2007 no virus found
NOD32v2 2005 01.25.2007 no virus found
Norman 5.80.02 01.25.2007 no virus found
Panda 9.0.0.4 01.25.2007 no virus found
Prevx1 V2 01.26.2007 no virus found
Sophos 4.13.0 01.24.2007 no virus found
Sunbelt 2.2.907.0 01.22.2007 no virus found
TheHacker 6.0.3.156 01.25.2007 no virus found
UNA 1.83 01.24.2007 no virus found
VBA32 3.11.2 01.24.2007 no virus found
VirusBuster 4.3.19:9 01.24.2007 no virus found

Aditional Information
File size: 88 bytes
MD5: b0327b7e66274ff1b5617430d312a2b2
SHA1: 8a0df618a892600515f18e1d53ae7ebe0b4d283b
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Ben" - 07-01-26 2:13:35 Service Pack 2
ComboFix 07-01-24.2 - Running from: "C:\Documents and Settings\Ben\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-12-26 to 2007-01-26 ))))))))))))))))))))))))))))))))))


2007-01-26 00:23 <DIR> d-------- C:\!KillBox
2007-01-25 17:18 <DIR> d-------- C:\DOCUME~1\Sarah\Application Data\Adobe
2007-01-25 17:07 <DIR> d-------- C:\DOCUME~1\Donna\Application Data\Apple Computer
2007-01-25 17:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Adobe
2007-01-25 16:53 <DIR> d-------- C:\DOCUME~1\Donna\Application Data\Google
2007-01-25 16:33 <DIR> d-------- C:\Program Files\iTunes
2007-01-25 16:33 <DIR> d-------- C:\Program Files\iPod
2007-01-25 16:32 <DIR> d-------- C:\Program Files\QuickTime
2007-01-25 16:10 <DIR> d-------- C:\WINDOWS\WBEM
2007-01-25 16:10 <DIR> d-------- C:\WINDOWS\system32\en-US
2007-01-25 16:08 <DIR> d--h-c--- C:\WINDOWS\ie7
2007-01-25 16:07 121,856 --------- C:\WINDOWS\system32\xmllite.dll
2007-01-24 22:37 <DIR> d-------- C:\avenger
2007-01-24 22:32 <DIR> d-------- C:\Rustbfix
2007-01-24 16:10 <DIR> d-------- C:\42e29a672b12e6ae7069bd
2007-01-24 00:06 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-01-24 00:06 <DIR> d-------- C:\Program Files\Grisoft
2007-01-23 19:29 <DIR> d-------- C:\Program Files\HijackThis
2007-01-23 17:59 <DIR> d-------- C:\DOCUME~1\Ben\.housecall6.6
2007-01-23 17:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Spybot - Search & Destroy
2007-01-21 22:33 <DIR> d-------- C:\Program Files\Lavasoft
2007-01-21 22:33 <DIR> d-------- C:\DOCUME~1\Ben\Application Data\Lavasoft
2007-01-21 22:05 <DIR> d-------- C:\DOCUME~1\Ben\Application Data\Systweak
2007-01-21 21:37 <DIR> d-------- C:\DOCUME~1\Mike\Application Data\Prevx
2007-01-21 21:28 <DIR> d-------- C:\e306362c54a431cdd48fa229
2007-01-21 21:13 <DIR> d-------- C:\52ce0c079603a79ecabeca
2007-01-21 20:35 <DIR> d-------- C:\d421c2dc4d79eb2545a1d9a27e
2007-01-21 20:14 11,648 --a------ C:\WINDOWS\system32\drivers\pxscrmbl.sys
2007-01-21 19:15 7,168 --a------ C:\WINDOWS\system32\DLPT64.sys
2007-01-21 19:15 5,632 --a------ C:\WINDOWS\system32\GPCIEn64.sys
2007-01-21 19:15 5,120 --a------ C:\WINDOWS\system32\GTKCMO64.sys
2007-01-21 19:15 4,608 --a------ C:\WINDOWS\system32\DDMI64.sys
2007-01-21 19:14 <DIR> d-------- C:\WINDOWS\system32\Dell
2007-01-21 19:09 <DIR> d-------- C:\b1a4e9ab4feefb92ea2a
2007-01-21 19:05 <DIR> d-------- C:\b5603c1c60bdfda25be4ff288fc0
2007-01-21 16:42 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-01-21 16:40 <DIR> d-------- C:\72532498a234deb8c029d7
2007-01-21 16:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Windows Genuine Advantage
2007-01-20 13:34 <DIR> d-------- C:\DOCUME~1\Ben\Application Data\Google
2007-01-07 15:14 <DIR> d-------- C:\DOCUME~1\Ben\Application Data\Corel
2006-12-27 23:05 <DIR> d-------- C:\DOCUME~1\Ben\Application Data\Apple Computer
2006-12-27 21:02 98,304 --a------ C:\WINDOWS\system32\msir3jp.dll
2006-12-27 21:02 9,216 --a------ C:\WINDOWS\system32\kbdnecAT.dll
2006-12-27 21:02 838,144 --a------ C:\WINDOWS\system32\chtbrkr.dll
2006-12-27 21:02 811,064 --a------ C:\WINDOWS\system32\imjp81k.dll
2006-12-27 21:02 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2006-12-27 21:02 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2006-12-27 21:02 76,288 --a------ C:\WINDOWS\system32\uniime.dll
2006-12-27 21:02 70,656 --a------ C:\WINDOWS\system32\korwbrkr.dll
2006-12-27 21:02 7,680 --a------ C:\WINDOWS\system32\kbdnecNT.dll
2006-12-27 21:02 7,168 --a------ C:\WINDOWS\system32\kbdnec95.dll
2006-12-27 21:02 7,168 --a------ C:\WINDOWS\system32\kbdibm02.dll
2006-12-27 21:02 7,168 --a------ C:\WINDOWS\system32\f3ahvoas.dll
2006-12-27 21:02 6,656 --a------ C:\WINDOWS\system32\kbdlk41a.dll
2006-12-27 21:02 6,656 --a------ C:\WINDOWS\system32\c_is2022.dll
2006-12-27 21:02 6,144 --a------ C:\WINDOWS\system32\kbdlk41j.dll
2006-12-27 21:02 6,144 --a------ C:\WINDOWS\system32\kbdax2.dll
2006-12-27 21:02 6,144 --a------ C:\WINDOWS\system32\kbd106n.dll
2006-12-27 21:02 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2006-12-27 21:02 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2006-12-27 21:02 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2006-12-27 21:02 6,144 --a------ C:\WINDOWS\system32\kbd101a.dll
2006-12-27 21:02 6,144 --a------ C:\WINDOWS\system32\kbd101.dll
2006-12-27 21:02 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
2006-12-27 21:02 218,112 --a------ C:\WINDOWS\system32\c_g18030.dll
2006-12-27 21:02 1,677,824 --a------ C:\WINDOWS\system32\chsbrkr.dll
2006-12-27 20:56 364,544 --a------ C:\WINDOWS\system32\cdg.dll
2006-12-27 20:56 348,160 --a------ C:\WINDOWS\system32\cdga.dll
2006-12-27 20:56 14,909 --a------ C:\WINDOWS\system32\A_reg.reg
2006-12-27 20:51 <DIR> d-------- C:\Program Files\Cucusoft
2006-12-27 20:51 <DIR> d-------- C:\ConverterOutput
2006-12-27 20:25 <DIR> d-------- C:\DOCUME~1\Ben\Application Data\CyberLink


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-26 01:59 -------- d-------- C:\Program Files\mozilla firefox
2007-01-25 19:56 4704 --ahs---- C:\WINDOWS\system32\kgygaavl.sys
2007-01-25 19:55 88 -r-hs---- C:\WINDOWS\system32\15186a8f57.sys
2007-01-21 19:24 -------- d-------- C:\Program Files\java
2007-01-21 19:14 -------- d-------- C:\Program Files\dell
2007-01-21 14:59 -------- d-------- C:\Program Files\apple software update
2007-01-20 13:35 -------- d-------- C:\Program Files\google
2007-01-07 15:14 61678 --a------ C:\DOCUME~1\Ben\Application Data\pfp120jpr.{pb
2007-01-07 15:14 12358 --a------ C:\DOCUME~1\Ben\Application Data\pfp120jcm.{pb
2007-01-01 17:54 -------- d-------- C:\Program Files\advanced system optimizer
2007-01-01 16:23 -------- d-------- C:\Program Files\sonic
2006-12-07 01:40 2362184 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-11-08 00:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-07 21:03 6049280 --------- C:\WINDOWS\system32\ieframe.dll
2006-11-07 21:03 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-11-07 21:03 458752 --------- C:\WINDOWS\system32\msfeeds.dll
2006-11-07 21:03 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-11-07 21:03 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-11-07 21:03 180736 --------- C:\WINDOWS\system32\ieui.dll
2006-11-07 21:03 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-11-07 03:27 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-11-07 03:27 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-11-07 03:26 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-11-07 03:26 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-11-07 03:26 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-11-07 03:26 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-11-07 03:26 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-11-07 03:26 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-11-07 03:26 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-11-07 03:25 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ModemOnHold"="C:\\Program Files\\NetWaiting\\netWaiting.exe"
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"OE_OEM"="\"C:\\Program Files\\Trend Micro\\Internet Security 12\\TMAS_OE\\TMAS_OEMon.exe\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"
"Broadcom Wireless Manager UI"="C:\\WINDOWS\\system32\\WLTRAY.exe"
"SigmatelSysTrayApp"="stsystra.exe"
"Dell QuickSet"="C:\\Program Files\\Dell\\QuickSet\\quickset.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"ISUSPM Startup"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\isuspm.exe\" -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Norton Ghost 10.0"="\"C:\\Program Files\\Norton Ghost\\Agent\\GhostTray.exe\""
@=""
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security 12\\pccguide.exe\""
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

Completion time: 07-01-26 2:14:10
C:\ComboFix2.txt ... 07-01-26 01:48
C:\ComboFix3.txt ... 07-01-25 11:18
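
The helper's request in post #8 (submit the unrecognised files to Jotti or VirusTotal and report back) and the results above can be read mechanically instead of by eye. The following Python is an added example, not code from this thread, ComboFix, Jotti or VirusTotal: it parses ComboFix "Files Created" / "Find3M" listing lines and the scanner report blocks in the form they were posted, cross-checks each report's file size against the listing, and lists listing entries that look worth submitting but have no report yet. The sample data is copied from the posts above (engine rows abridged to a few); the triage heuristics (hidden+system attributes, hex-string names, .sys files directly under system32) are this example's own assumptions and not a verdict on any file in the thread.

```python
"""Triage of ComboFix listings against Jotti/VirusTotal results (added example;
not code from this thread, ComboFix, Jotti or VirusTotal). Sample data is copied
from the posts above, engine rows abridged; the heuristics are assumptions."""
import re

_DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")           # ComboFix line date
_ENGINE_DATE_RE = re.compile(r"^\d{2}\.\d{2}\.\d{4}$")   # VirusTotal engine update date
_VT_HEADER_RE = re.compile(r'^Complete scanning result of "([^"]+)"')
_HASH_RE = re.compile(r"^(MD5|SHA1):?\s+([0-9a-f]{32,40})$", re.I)  # Jotti and VT forms
_HEX_NAME_RE = re.compile(r"^[0-9a-f]{10,}$", re.I)
SYS32 = "c:\\windows\\system32\\"


def parse_combofix_listing(text):
    """'<date> <time> <size|<DIR>|--------> <attrs> <path>' lines from the Files
    Created / Find3M sections; sizes may carry thousands separators."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(None, 4)
        if len(parts) == 5 and _DATE_RE.match(parts[0]):
            date, time, size, attrs, path = parts
            entries.append({"date": date, "time": time, "attrs": attrs, "path": path,
                            "size": int(size.replace(",", "")) if size[0].isdigit() else None})
    return entries


def triage_reasons(entry):
    """Heuristic reasons (this example's assumptions) to submit a file for scanning."""
    low = entry["path"].lower()
    name = low.rsplit("\\", 1)[-1]
    attrs, reasons = entry["attrs"], []
    if not attrs.startswith("d") and "h" in attrs and "s" in attrs:
        reasons.append("hidden+system file")
    if _HEX_NAME_RE.match(name.rsplit(".", 1)[0]):
        reasons.append("hex-string name")
    if name.endswith(".sys") and low.startswith(SYS32) and "\\" not in low[len(SYS32):]:
        reasons.append("driver (.sys) directly under system32")
    return reasons


def parse_scan_reports(text):
    """Jotti ('File:' / 'MD5 ...') and VirusTotal ('Complete scanning result of')
    blocks separated by tilde lines -> {file, size, md5, sha1, engines, detections}."""
    reports = []
    for block in re.split(r"^~{4,}\s*$", text, flags=re.M):
        rep = {"file": None, "size": None, "md5": None, "sha1": None,
               "engines": 0, "detections": {}}
        for line in block.splitlines():
            line = line.strip()
            m = _VT_HEADER_RE.match(line)
            if m:
                rep["file"] = m.group(1)
                continue
            if line.startswith("File: "):
                rep["file"] = line[6:].strip()
                continue
            if line.startswith("File size:"):
                rep["size"] = int(line.split()[2])
                continue
            m = _HASH_RE.match(line)
            if m:
                rep[m.group(1).lower()] = m.group(2).lower()
                continue
            parts = line.split(None, 3)  # engine, version, update date, result
            if len(parts) == 4 and _ENGINE_DATE_RE.match(parts[2]):
                rep["engines"] += 1
                if parts[3].lower() != "no virus found":
                    rep["detections"][parts[0]] = parts[3]
        if rep["file"]:
            reports.append(rep)
    return reports


def cross_check(entries, reports):
    """Match reports to listing entries by file name (case-insensitive), compare the
    reported size with the listing, and list flagged entries that were not scanned."""
    by_name = {e["path"].rsplit("\\", 1)[-1].lower(): e for e in entries}
    matched = []
    for rep in reports:
        e = by_name.get(rep["file"].lower())
        size_match = None if e is None or rep["size"] is None else e["size"] == rep["size"]
        matched.append({"file": rep["file"], "in_listing": e is not None,
                        "size_match": size_match, "engines": rep["engines"],
                        "detections": rep["detections"]})
    scanned = {r["file"].lower() for r in reports}
    unscanned = []
    for e in entries:
        reasons = triage_reasons(e)
        if reasons and e["path"].rsplit("\\", 1)[-1].lower() not in scanned:
            unscanned.append((e["path"], reasons))
    return matched, unscanned


# Sample data copied from the ComboFix and scanner output posted in this thread.
LISTING = r"""
2007-01-24 16:10 <DIR> d-------- C:\42e29a672b12e6ae7069bd
2007-01-21 19:15 7,168 --a------ C:\WINDOWS\system32\DLPT64.sys
2006-12-27 20:56 364,544 --a------ C:\WINDOWS\system32\cdg.dll
2007-01-25 19:56 4704 --ahs---- C:\WINDOWS\system32\kgygaavl.sys
2007-01-25 19:55 88 -r-hs---- C:\WINDOWS\system32\15186a8f57.sys
"""
REPORTS = r"""
File: DLPT64.sys
Status: OK
MD5 b6e310948904fd1a6d399851d55ce763
Packers detected: -
~~~~~~~~~~~~~~~~~~~~
Complete scanning result of "cdg.dll", received in VirusTotal at 01.26.2007, 08:02:58 (CET).
Antivirus Version Update Result
AntiVir 7.3.0.26 01.25.2007 no virus found
Kaspersky 4.0.2.24 01.25.2007 no virus found
VirusBuster 4.3.19:9 01.24.2007 no virus found
File size: 364544 bytes
MD5: a594b98dc2aaf10e1bff2ae63948792d
SHA1: 2eb5cb138d1e7306a1efa0ec5f2a1e609213d4b5
~~~~~~~~~~~~~~~~~~~~
Complete scanning result of "15186A8F57.sys", received in VirusTotal at 01.26.2007, 08:08:33 (CET).
McAfee 4948 01.24.2007 no virus found
Prevx1 V2 01.26.2007 no virus found
File size: 88 bytes
MD5: b0327b7e66274ff1b5617430d312a2b2
SHA1: 8a0df618a892600515f18e1d53ae7ebe0b4d283b
"""


def triage_thread_sample():
    """Run the cross-check on the sample data copied from this thread."""
    return cross_check(parse_combofix_listing(LISTING), parse_scan_reports(REPORTS))
```

Running `triage_thread_sample()` confirms that the three reports match listing entries of the same size (Jotti gives no size, so that comparison is left undecided), and returns the two flagged entries that had no report in this post: the hex-named directory and the hidden+system driver in system32, which is exactly the kind of gap the helper's next request is chasing.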

#10 Aaflac

    Doin' Dis 'n Dat...

  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 27 January 2007 - 07:58 PM

Sorry about: C:\Program Files\nccadmin\fwcla\fwclntauth.exe
That was my mistake! I edited the previous post for the benefit of anyone trying to use its info.

The files we attempted to remove earlier are still there. Is there more than one User account on this computer?

~~~~
Also, download F-Secure BlackLight Beta to the Desktop:
https://europe.f-secure.com/blacklight/try.shtml

Double-click blbeta.exe to run the program
Click : Scan > Next
A list of all items found is created
Please do not take any action to rename any of the items, if any are found!

The list is in the BlackLight folder on the Desktop, and named fsbl.xxxxxxx.log (xxxxxxx are numbers).

Provide the log created by BlackLight in your next reply.

Old duck...


#11 bhall

  • Topic Starter
  • Members
  • 7 posts

Posted 28 January 2007 - 12:02 AM

There are multiple accounts (4) on this computer.

Here is the blacklight log.

01/27/07 23:53:22 [Info]: BlackLight Engine 1.0.55 initialized
01/27/07 23:53:22 [Info]: OS: 5.1 build 2600 (Service Pack 2)
01/27/07 23:53:23 [Note]: 7019 4
01/27/07 23:53:23 [Note]: 7005 0
01/27/07 23:53:28 [Note]: 7006 0
01/27/07 23:53:28 [Note]: 7011 2800
01/27/07 23:53:28 [Note]: 7026 0
01/27/07 23:53:28 [Note]: 7026 0
01/27/07 23:53:36 [Note]: FSRAW library version 1.7.1021
01/27/07 23:57:35 [Note]: 7007 0

Edited by bhall, 28 January 2007 - 12:05 AM.


#12 Aaflac

    Doin' Dis 'n Dat...

  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 28 January 2007 - 12:52 PM

There are multiple accounts (4) on this computer.


We need to have a HijackThis log from each of the Users. One of them could be carrying an infection which is not showing on the log you are presenting.

Please log in to each account, and post a HijackThis log for each User.

We may be able to spot the reason why these polynumerical files are not going away.

Old duck...


#13 bhall

  • Topic Starter
  • Members
  • 7 posts

Posted 28 January 2007 - 04:31 PM

User 1: Ben

Logfile of HijackThis v1.99.1
Scan saved at 4:18:52 PM, on 1/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Advanced System Optimizer\IEHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
User 2: Donna

Logfile of HijackThis v1.99.1
Scan saved at 4:21:39 PM, on 1/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.adobe.com/products/acrobat/readermain.html
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Advanced System Optimizer\IEHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
User 3: Mike

Logfile of HijackThis v1.99.1
Scan saved at 4:23:02 PM, on 1/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Advanced System Optimizer\IEHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ttool] C:\WINDOWS\9129837.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
User 4: Sarah

Logfile of HijackThis v1.99.1
Scan saved at 4:24:01 PM, on 1/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Advanced System Optimizer\IEHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

#14 Aaflac

  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 28 January 2007 - 10:12 PM

User #3 won the prize!!

Please log in to this account, and remain there for all that follows.

Please download SDFix and save it to the Desktop.

Right-click the SDFix.zip folder.
Select Extract All to extract it to its own folder on the Desktop.

~~~~
Start the computer in Safe Mode:
-When the machine first starts again, tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
-Select the option for Safe Mode using the arrow keys.
-Press Enter to boot into Safe Mode.

~~~~
Open the SDFix folder on the Desktop, and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
The process removes any Trojan Services or Registry Entries found, and then prompts you to press any key to Reboot.

Press any key to restart the PC.
When the PC restarts, SDFix will run again and complete the removal process.
It then displays Finished.
Press any key to end the script and load the Desktop icons.

Once the Desktop icons load, the SDFix report opens on screen and saves itself in the SDFix folder as Report.txt.

~~~~
Then, do the following:

Download ComboFix to the Desktop:
http://download.bleepingcomputer.com/sUBs/combofix.exe
Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running; it may cause your system to hang.)

A log, combofix.txt, is produced.

~~~~
Next, download Dr.Web CureIt to the Desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow the express scan to run
  • A short scan checks the files currently running in memory
  • If something is found, click the yes button when asked if you want to cure it.
  • Once the short scan has finished, Select Object for Scanning appears at the bottom.
  • Mark the drives to scan by clicking on each drive.
    (Select all drives. A red dot shows which drives have been chosen.)
  • Click the green arrow at the right, and the scan starts.
  • Click 'Yes to all' if asked to cure/move any files.
  • When the scan is finished, click the first icon to the left of Object: [image]
  • Then click the icon right below and select Move Incurable as you'll see in the next image:
    [image]
    This moves a file to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured.
  • Next, in the Dr.Web CureIt menu on top, click File and choose Save report list
  • Save the report to the Desktop. The report is called DrWeb.csv
  • Close Dr.Web Cureit.
  • Now, restart the computer. (Files in use are moved/deleted during reboot.)
~~~~
Please post the contents of the SDFix Report.txt, the combofix.txt, the log from Dr.Web, and a new HijackThis log for this User.

Old duck...
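To show why Aaflac picked User #3 out of the four logs above, here is an added Python example (not code from the thread, from HijackThis, or from BleepingComputer) that encodes two of the signs visible only in Mike's log: the Internet Explorer start and default pages (R0/R1) pointing at a local HTML file instead of a URL, and an HKCU Run entry (O4) that launches an executable with a purely numeric name straight out of the Windows directory. The sample lines are constructed excerpts of the Donna and Mike logs posted above; the rule names, `triage`, `rank_users` and `command_path` are my own and not part of any tool.

```python
"""Triage several HijackThis logs and report which one carries the infection.

Added example for this thread; not HijackThis or BleepingComputer code.
It encodes two of the signs visible in the User 3 log above: an Internet
Explorer start page pointing at a local HTML file instead of a URL, and a
Run-key entry that launches an executable with a purely numeric name
straight out of the Windows directory.
"""
import re

# Constructed sample lines modelled on the logs posted above (User 2 "Donna"
# is clean, User 3 "Mike" is the one Aaflac picked out). They are excerpts,
# not the full logs.
SAMPLE_LOGS = {
    "Donna": r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
""",
    "Mike": r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
O4 - HKCU\..\Run: [ttool] C:\WINDOWS\9129837.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
""",
}

# R0/R1: "<key>,<value name> = <value>"; O4: "<hive>\..\Run: [name] <command>"
R_LINE = re.compile(r"^(R[01]) - (?P<key>[^,]+),(?P<name>[^=]+?) = (?P<value>.*)$")
O4_LINE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# A start page that is a drive-letter path or file: URL rather than a web URL.
LOCAL_FILE = re.compile(r"^(?:[a-z]:\\|file:)", re.IGNORECASE)
# An executable whose base name is nothing but digits (e.g. \9129837.exe).
NUMERIC_EXE = re.compile(r"\\\d+\.exe$", re.IGNORECASE)


def command_path(cmd: str) -> str:
    """Pull the executable path out of a Run-key command line.

    Quoted commands are unambiguous; for unquoted ones HijackThis prints the
    path followed by optional switches, so we cut after the first '.exe'.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r"\.exe", cmd, re.IGNORECASE)
    return cmd[: m.end()] if m else cmd


def triage(log_text: str) -> list:
    """Return (rule, line) pairs for every suspicious entry in one log."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = R_LINE.match(line)
        if m and LOCAL_FILE.match(m.group("value").strip()):
            findings.append(("ie_start_page_local_file", line))
            continue
        m = O4_LINE.match(line)
        if m and NUMERIC_EXE.search(command_path(m.group("cmd"))):
            findings.append(("numeric_exe_in_run_key", line))
    return findings


def rank_users(logs: dict) -> list:
    """Order (user, findings) pairs by number of findings, most suspicious first."""
    scored = [(user, triage(text)) for user, text in logs.items()]
    scored.sort(key=lambda item: len(item[1]), reverse=True)
    return scored


if __name__ == "__main__":
    for user, findings in rank_users(SAMPLE_LOGS):
        print(f"{user}: {len(findings)} finding(s)")
        for rule, line in findings:
            print(f"  [{rule}] {line}")
```

Run against the two constructed excerpts, Mike's log yields three findings (both hijacked start-page values and the numeric executable in the HKCU Run key) while Donna's yields none, which is the same call Aaflac made by eye. The rules are deliberately narrow: legitimate entries such as `C:\WINDOWS\stsystra.exe` or the unquoted `C:\Program Files\NetWaiting\netWaiting.exe` are left alone, and the `(file missing)` tmproxy service that appears in every log is not treated as a finding because it is common to all four accounts.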
