Options

iesettingsupdate

Got a question, every time i start my computer, or re-start it, it opens up internet explorer and looks for iesettingsupdate, then upon not finding it it goes to some explorer page called foxy.net, which usually has links to pornographic material, my avg doesn't find it and i can't find it in my hard drive to erase it, so what can i do to get rid of it?
«1

Comments

  • edited March 2008
    Welcome to Icrontic davidjs1983,

    Let's take a look and see what all is loaded there.

    Please download HijackThis from Here. Then click on the downloaded file to install HijackThis. After it is installed open HijackThis and select Do a system scan and save logfile. Use copy/paste and post that log back here for review.

    Also Go Here and download Silent Runners to your desktop. Run it, and post back here the log it creates. If your protective software queries the script, allow it to run. It's not malicious. It will create a file named Startup Programs, and will notify when the scan is complete. Copy the log from the Startup Programs file back here. Here are guidelines for using Silent Runners. You can use separate posts here when replying and posting the log files if needed.
  • edited March 2008
    Here is my Hijack This log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:00:46 PM, on 3/15/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\WINDOWS\system32\CAPM2RSK.EXE
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\Program Files\Dell Support Center\bin\sprtcmd.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2LAK.EXE
    C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2SWK.EXE
    C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2SWK.EXE
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\SLWIN\slw.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSL encrypt - {0B6899B6-1564-43e0-BD93-F7CF930A5E5C} - C:\WINDOWS\system32\nsu15B2.dll (file missing)
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nszD.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
    O2 - BHO: ComCap - {E1B2E864-8BFC-4072-AE11-924E0F8BBA96} - C:\WINDOWS\system32\comcap16.dll (file missing)
    O2 - BHO: AD Rotator - {EEC590D8-0A3C-4464-BB20-25A4747992F9} - C:\WINDOWS\system32\adrotate.dll (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [PC Adware-Spware Removal] C:\Program Files\PC Adware-Spyware Removal\PCAdwareSpywareRemoval.exe /quick
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Canon iR1200-1300 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2LAK.EXE
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.mmohsix.com
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by128fd.bay128.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u5-windows-i586-jc.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{39856535-A635-44A5-8751-448B707D7CC0}: NameServer = 85.255.116.142,85.255.112.25
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7B7A1A39-5F02-4F4D-AF38-AF65107D9D21}: NameServer = 85.255.116.142,85.255.112.25
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D1A7E67D-074A-4CFC-828F-200EFF4185E2}: NameServer = 85.255.116.142,85.255.112.25
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.142 85.255.112.25
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.142 85.255.112.25
    O20 - Winlogon Notify: intel3 - intel3.dll (file missing)
    O22 - SharedTaskScheduler: curdler - {bd0fc212-0a36-4232-83cc-2063fb9282e0} - C:\WINDOWS\system32\qzviz.dll (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    --
    End of file - 10749 bytes
  • edited March 2008
    Here is my Silent Runners log

    "Silent Runners.vbs", revision 56, http://www.silentrunners.org/
    Operating System: Windows XP SP2
    Output limited to non-default values, except where indicated by "{++}"

    Startup items buried in registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
    "swg" = "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" ["Google Inc."]
    "ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
    "DellSupport" = ""C:\Program Files\DellSupport\DSAgnt.exe" /startup" ["Gteko Ltd."]
    "DellSupportCenter" = ""C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter" ["SupportSoft, Inc."]
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    "RealTray" = "C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER" ["RealNetworks, Inc."]
    "QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
    "ISUSScheduler" = ""C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start" ["InstallShield Software Corporation"]
    "IntelWireless" = "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless" ["Intel Corporation"]
    "ehTray" = "C:\WINDOWS\ehome\ehtray.exe" [MS]
    "DVDLauncher" = ""C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"" ["CyberLink Corp."]
    "Dell QuickSet" = "C:\Program Files\Dell\QuickSet\quickset.exe" [empty string]
    "AVG7_CC" = "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
    "ATIPTA" = ""C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"" ["ATI Technologies, Inc."]
    "Apoint" = "C:\Program Files\Apoint\Apoint.exe" ["Alps Electric Co., Ltd."]
    "dla" = "C:\WINDOWS\system32\dla\tfswctrl.exe" ["Sonic Solutions"]
    "adstart" = ""iexplore.exe" "http://iesettingsupdate"" [MS]
    "Windows Defender" = ""C:\Program Files\Windows Defender\MSASCui.exe" -hide" [MS]
    "dscactivate" = ""C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"" [null data]
    "Adobe Photo Downloader" = ""C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"" ["Adobe Systems Incorporated"]
    "Adobe Reader Speed Launcher" = ""C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]
    "PC Adware-Spware Removal" = "C:\Program Files\PC Adware-Spyware Removal\PCAdwareSpywareRemoval.exe /quick" [file not found]
    "SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"" ["Sun Microsystems, Inc."]
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
    {0B6899B6-1564-43e0-BD93-F7CF930A5E5C}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "SSL encrypt"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\nsu15B2.dll" [file not found]
    {5CA3D70E-1895-11CF-8E15-001234567890}\(Default) = "*Z" (unwritable string)
    -> {HKLM...CLSID} = "DriveLetterAccess"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"]
    {746455FE-D059-47e7-AF0E-140E03F5A447}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "SSL encrypt"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\nszD.dll" [file not found]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "SSVHelper Class"
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."]
    {AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Google Toolbar Helper"
    \InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
    {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Google Toolbar Notifier BHO"
    \InProcServer32\(Default) = "C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll" ["Google Inc."]
    {CA6319C0-31B7-401E-A518-A07C3DB8F777}\(Default) = "GoogleAFE"
    -> {HKLM...CLSID} = "CBrowserHelperObject Object"
    \InProcServer32\(Default) = "c:\Program Files\GoogleAFE\GoogleAE.dll" ["Google"]
    {E1B2E864-8BFC-4072-AE11-924E0F8BBA96}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "ComCap"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\comcap16.dll" [file not found]
    {EEC590D8-0A3C-4464-BB20-25A4747992F9}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "AD Rotator"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\adrotate.dll" [file not found]
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
    -> {HKLM...CLSID} = "Display Panning CPL Extension"
    \InProcServer32\(Default) = "deskpan.dll" [file not found]
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
    -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
    "{7D5C4BDD-B015-4401-8731-1507B87DE297}" = "QBVersionTool"
    -> {HKLM...CLSID} = "VersionShellExt Class"
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Intuit\QuickBooks\QBVersionTool.dll" ["Intuit, Inc."]
    "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
    "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
    -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
    "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
    -> {HKLM...CLSID} = "AVG7 Find Extension Class"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
    "{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess"
    -> {HKLM...CLSID} = "DriveLetterAccess"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"]
    "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
    "{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
    -> {HKLM...CLSID} = "Universal Plug and Play Devices"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
    <<!>> "{bd0fc212-0a36-4232-83cc-2063fb9282e0}" = "curdler"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\WINDOWS\system32\qzviz.dll" [file not found]
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
    <<!>> "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"
    -> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"
    \InProcServer32\(Default) = "C:\PROGRA~1\WIFD1F~1\MpShHook.dll" [MS]
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    "WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
    -> {HKLM...CLSID} = "WPDShServiceObj Class"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]
    HKLM\SOFTWA RE\Microsoft\Windows NT\CurrentVersion\Winlogon\
    <<!>> "System" = "kdfpj.exe" [file not found]
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    <<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
    <<!>> intel3\DLLName = "intel3.dll" [file not found]
    <<!>> IntelWireless\DLLName = "C:\Program Files\Intel\Wireless\Bin\LgNotify.dll" ["Intel Corporation"]
    HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
    {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
    -> {HKLM...CLSID} = "PDF Shell Extension"
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
    HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
    AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
    -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
    HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
    HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
    AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
    -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    Group Policies {GPedit.msc branch and setting}:
    Note: detected settings may not have any effect.
    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
    "DisableTaskMgr" = (REG_SZ) 1
    {User Configuration|Administrative Templates|System|Ctrl+Alt+Del Options|
    Remove Task Manager}
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
    "shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Shutdown: Allow system to be shut down without having to log on}
    "undockwithoutlogon" = (REG_DWORD) dword:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Devices: Allow undock without having to log on}
    "InstallVisualStyle" = (REG_EXPAND_SZ) C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    {unrecognized setting}
    "InstallTheme" = (REG_EXPAND_SZ) C:\WINDOWS\Resources\Themes\Royale.theme
    {unrecognized setting}

    Active Desktop and Wallpaper:
    Active Desktop may be disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
    Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
    HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
    "Wallpaper" = "C:\WINDOWS\Web\Wallpaper\Halo 2 - Desert Brigade.bmp"
    Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
    HKCU\Control Panel\Desktop\
    "Wallpaper" = "C:\WINDOWS\Web\Wallpaper\Halo 2 - Desert Brigade.bmp"

    Enabled Screen Saver:
    HKCU\Control Panel\Desktop\
    "SCRNSAVE.EXE" = "C:\WINDOWS\system32\nature.scr" [MS]

    Startup items in "Community Motors" & "All Users" startup folders:
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    "Canon iR1200-1300 Status Window" -> shortcut to: "C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2LAK.EXE !N" ["CANON INC."]
    "Digital Line Detect" -> shortcut to: "C:\Program Files\Digital Line Detect\DLG.exe" ["BVRP Software"]
    "Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
    "QuickBooks Update Agent" -> shortcut to: "C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe" ["Intuit, Inc."]

    Enabled Scheduled Tasks:
    "MP Scheduled Scan" -> launches: "C:\Program Files\Windows Defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS]

    Winsock2 Service Provider DLLs:
    Namespace Service Providers
    HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    Transport Service Providers
    HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

    Toolbars, Explorer Bars, Extensions:
    Toolbars
    HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
    "{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
    -> {HKLM...CLSID} = "&Google"
    \InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
    HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
    "{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
    -> {HKLM...CLSID} = "&Google"
    \InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
    "{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
    -> {HKLM...CLSID} = "&Google"
    \InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
    Explorer Bars
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
    {FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Real.com"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\Shdocvw.dll" [MS]
    Extensions (Tools menu items, main toolbar menu buttons)
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
    "MenuText" = "Sun Java Console"
    "CLSIDExtension" = "{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC}"
    -> {HKCU...CLSID} = "Java Plug-in 1.6.0_05"
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."]
    -> {HKLM...CLSID} = "Java Plug-in 1.6.0_05"
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll" ["Sun Microsystems, Inc."]
    {B205A35E-1FC4-4CE3-818B-899DBBB3388C}\
    {CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
    "ButtonText" = "Real.com"
    {E2E2DD38-D088-4134-82B7-F2BA38496583}\
    "MenuText" = "@xpsp3res.dll,-20001"
    "Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]
    {FB5F1910-F110-11D2-BB9E-00C04F795683}\
    "ButtonText" = "Messenger"
    "MenuText" = "Windows Messenger"
    "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

    Running Services (Display Name, Service Name, Path {Service DLL}):
    Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
    AVG E-mail Scanner, AVGEMS, "C:\PROGRA~1\Grisoft\AVG7\avgemc.exe" ["GRISOFT, s.r.o."]
    AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe" ["GRISOFT, s.r.o."]
    AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe" ["GRISOFT, s.r.o."]
    EvtEng, EvtEng, "C:\Program Files\Intel\Wireless\Bin\EvtEng.exe" ["Intel Corporation"]
    Media Center Extender Service, McrdSvc, "C:\WINDOWS\ehome\mcrdsvc.exe" [MS]
    Media Center Receiver Service, ehRecvr, "C:\WINDOWS\eHome\ehRecvr.exe" [MS]
    Media Center Scheduler Service, ehSched, "C:\WINDOWS\eHome\ehSched.exe" [MS]
    NICCONFIGSVC, NICCONFIGSVC, "C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe" ["Dell Inc."]
    RegSrvc, RegSrvc, "C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe" ["Intel Corporation"]
    Spectrum24 Event Monitor, S24EventMonitor, "C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe" ["Intel Corporation "]
    SupportSoft Sprocket Service (dellsupportcenter), sprtsvc_dellsupportcenter, "C:\Program Files\Dell Support Center\bin\sprtsvc.exe /service /p dellsupportcenter" ["SupportSoft, Inc."]
    Windows Defender, WinDefend, ""C:\Program Files\Windows Defender\MsMpEng.exe"" [MS]
    WLANKEEPER, WLANKEEPER, "C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe" ["Intel® Corporation"]

    Print Monitors:
    HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
    CAPM2 Monitor\Driver = "CAPM2LMK.DLL" ["CANON INC."]
    Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]
    PostScript Port\Driver = "postscriptmon.dll" [null data]

    (launch time: 2008-03-15 13:02:31)
    <<!>>: Suspicious data at a malware launch point.
    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + To search all directories of local fixed drives for DESKTOP.INI
    DLL launch points, use the -supp parameter or answer "No" at the
    first message box and "Yes" at the second message box.
    (total run time: 64 seconds, including 11 seconds for message boxes)
  • edited March 2008
    The last log looks all bunched up and hard to review - instead of trying to jam them all in feel free to break them into parts when posting.

    A fairly serious bit of infection there, and possibly an info stealer as well. You should change any security\login information, using a different computer, and either contact or closely monitor any banking/credit accounts ever accessed on this system. A good precaution at this point.


    Open Notepad (Start, Run type notepad and select Enter) and copy/paste the following text.
    [Version]
    Signature="$CHICAGO$"
    
    [DefaultInstall]
    DelReg=Del.Settings
    
    [Del.Settings]
    HKCU,"Software\Microsoft\Windows\CurrentVersion\Policies\System","DisableRegistryTools"
    HKCU,"Software\Microsoft\Windows\CurrentVersion\Policies\System","DisableTaskMgr"
    HKCU,"Software\Microsoft\Windows\CurrentVersion\Policies\System","NoFolderOptions"
    HKCU,"Software\Policies\Microsoft\Internet Explorer\Control Panel","Homepage"
    HKLM,"Software\Policies\Microsoft\Windows NT\SystemRestore","DisableConfig"
    HKLM,"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoFolderOptions"
    HKCU,"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',"NoFolderOptions"
    

    Save this as correct2.inf

    Where it says "Files of Type", select All Files and click on Save and save it to your desktop. Exit Notepad, Then right-click on correct2.inf and select Install. This will allow Task Manager access and undo some other known infection tricks.


    Then download FixWareout from here

    Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish. The fix will begin, just follow the prompts. If your firewall sends an alert, please don't let your firewall block it, allow it (this tool will download an additional file from the internet). Note: You must must be online to run this utility

    Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load, this is normal.

    Once your desktop loads, notepad will open a report.txt file. Close this, and allow the reboot to complete. On reboot you will also get notified about possible difficulties making a connection after the fix is run. If you do have net access difficulties double click the registry file dnsbak.reg located in the Fixwareout folder on the root of the drive windows is installed (normally c:\ as suggested).

    Once your desktop loads, please post the contents of the logfile C:\fixwareout\report.txt along with a new HijackThis log. Also a new Silent Runners log. We will address the popups likely still occurring there in the next steps, after a review of your progress.
  • edited March 2008
    When i tried your link to download FixWareout, i got a 404 error page not found message, if you could find it for me and re-post or put in the url I could copy and paste it. Thanks.
  • edited March 2008
    I'll have to ask what happened to that download - use this link instead if you would.
  • edited March 2008
    Okay here is the fixwareout report

    Username "Community Motors" - 03/17/2008 12:52:16 [Fixwareout edited 9/01/2007]

    ~~~~~ Prerun check
    HKLM\SOFTWARE\~\Winlogon\ "System"="kdfpj.exe"

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    "nameserver"="85.255.116.142 85.255.112.25" <Value cleared.
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{39856535-A635-44A5-8751-448B707D7CC0}
    "nameserver"="85.255.116.142,85.255.112.25" <Value cleared.
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{7B7A1A39-5F02-4F4D-AF38-AF65107D9D21}
    "nameserver"="85.255.116.142,85.255.112.25" <Value cleared.
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{D1A7E67D-074A-4CFC-828F-200EFF4185E2}
    "nameserver"="85.255.116.142,85.255.112.25" <Value cleared.
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{29B39846-0902-49E5-B96A-2F1FC54E9A72}
    "DhcpNameServer"="85.255.116.142,85.255.112.25" <Value cleared.
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{D1A7E67D-074A-4CFC-828F-200EFF4185E2}
    "DhcpNameServer"="85.255.116.142,85.255.112.25" <Value cleared.

    Successfully flushed the DNS Resolver Cache.


    System was rebooted successfully.

    ~~~~~ Postrun check
    HKLM\SOFTWARE\~\Winlogon\ "system"=""
    ....
    ....
    ~~~~~ Misc files.
    ....
    ~~~~~ Checking for older varients.
    ....


    C:\Program Files\SpywareLocked 3.3 < Found
    C:\Program Files\Video ActiveX Object < Found
    Additional tools are recommended.

    ~~~~~ Current runs (hklm hkcu "run" Keys Only)
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
    "IntelWireless"="C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe /tf Intel PROSet/Wireless"
    "ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
    "DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
    "Dell QuickSet"="C:\\Program Files\\Dell\\QuickSet\\quickset.exe"
    "AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
    "ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
    "Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
    "dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
    "adstart"="\"iexplore.exe\" \"http://iesettingsupdate\"&quot;
    "Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
    "dscactivate"="\"C:\\Program Files\\Dell Support Center\\gs_agent\\custom\\dsca.exe\""
    "Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.2\\Apps\\apdproxy.exe\""
    "Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
    "PC Adware-Spware Removal"="C:\\Program Files\\PC Adware-Spyware Removal\\PCAdwareSpywareRemoval.exe /quick"
    "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_05\\bin\\jusched.exe\""

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "DellSupport"="\"C:\\Program Files\\DellSupport\\DSAgnt.exe\" /startup"
    "DellSupportCenter"="\"C:\\Program Files\\Dell Support Center\\bin\\sprtcmd.exe\" /P DellSupportCenter"
    ....
    Hosts file was reset, If you use a custom hosts file please replace it...
    ~~~~~ End report ~~~~~
  • edited March 2008
    Now the Hijackthis;

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:59:31 PM, on 3/17/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\WINDOWS\system32\CAPM2RSK.EXE
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\Program Files\Dell Support Center\bin\sprtcmd.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2LAK.EXE
    C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2SWK.EXE
    C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2SWK.EXE
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files\Dell Support Center\gs_agent\dsc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\SoftwareDistribution\Download\30afadc4c35db2f5d8b4c076a49edc7b\update\update.exe



    --
    End of file - 10441 bytes
  • edited March 2008
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSL encrypt - {0B6899B6-1564-43e0-BD93-F7CF930A5E5C} - C:\WINDOWS\system32\nsu15B2.dll (file missing)
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nszD.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
    O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
    O2 - BHO: ComCap - {E1B2E864-8BFC-4072-AE11-924E0F8BBA96} - C:\WINDOWS\system32\comcap16.dll (file missing)
    O2 - BHO: AD Rotator - {EEC590D8-0A3C-4464-BB20-25A4747992F9} - C:\WINDOWS\system32\adrotate.dll (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate&quot;
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [PC Adware-Spware Removal] C:\Program Files\PC Adware-Spyware Removal\PCAdwareSpywareRemoval.exe /quick
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Canon iR1200-1300 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2LAK.EXE
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.mmohsix.com
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by128fd.bay128.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u5-windows-i586-jc.cab
    O20 - Winlogon Notify: intel3 - intel3.dll (file missing)
    O22 - SharedTaskScheduler: curdler - {bd0fc212-0a36-4232-83cc-2063fb9282e0} - C:\WINDOWS\system32\qzviz.dll (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
  • edited March 2008
    And finally the Silent Runners Log;

    "Silent Runners.vbs", revision 56, http://www.silentrunners.org/
    Operating System: Windows XP SP2
    Output limited to non-default values, except where indicated by "{++}"


    Startup items buried in registry:

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
    "swg" = "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" ["Google Inc."]
    "ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
    "DellSupport" = ""C:\Program Files\DellSupport\DSAgnt.exe" /startup" ["Gteko Ltd."]
    "DellSupportCenter" = ""C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter" ["SupportSoft, Inc."]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    "RealTray" = "C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER" ["RealNetworks, Inc."]
    "QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
    "ISUSScheduler" = ""C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start" ["InstallShield Software Corporation"]
    "IntelWireless" = "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless" ["Intel Corporation"]
    "ehTray" = "C:\WINDOWS\ehome\ehtray.exe" [MS]
    "DVDLauncher" = ""C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"" ["CyberLink Corp."]
    "Dell QuickSet" = "C:\Program Files\Dell\QuickSet\quickset.exe" [empty string]
    "AVG7_CC" = "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
    "ATIPTA" = ""C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"" ["ATI Technologies, Inc."]
    "Apoint" = "C:\Program Files\Apoint\Apoint.exe" ["Alps Electric Co., Ltd."]
    "dla" = "C:\WINDOWS\system32\dla\tfswctrl.exe" ["Sonic Solutions"]
    "adstart" = ""iexplore.exe" "http://iesettingsupdate"&quot; [MS]
    "Windows Defender" = ""C:\Program Files\Windows Defender\MSASCui.exe" -hide" [MS]
    "dscactivate" = ""C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"" [null data]
    "Adobe Photo Downloader" = ""C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"" ["Adobe Systems Incorporated"]
    "Adobe Reader Speed Launcher" = ""C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]
    "PC Adware-Spware Removal" = "C:\Program Files\PC Adware-Spyware Removal\PCAdwareSpywareRemoval.exe /quick" [file not found]
    "SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"" ["Sun Microsystems, Inc."]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
    {0B6899B6-1564-43e0-BD93-F7CF930A5E5C}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "SSL encrypt"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\nsu15B2.dll" [file not found]
    {5CA3D70E-1895-11CF-8E15-001234567890}\(Default) = "*Z" (unwritable string)
    -> {HKLM...CLSID} = "DriveLetterAccess"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"]
    {746455FE-D059-47e7-AF0E-140E03F5A447}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "SSL encrypt"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\nszD.dll" [file not found]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "SSVHelper Class"
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."]
    {AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Google Toolbar Helper"
    \InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
    {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Google Toolbar Notifier BHO"
    \InProcServer32\(Default) = "C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll" ["Google Inc."]
    {CA6319C0-31B7-401E-A518-A07C3DB8F777}\(Default) = "GoogleAFE"
    -> {HKLM...CLSID} = "CBrowserHelperObject Object"
    \InProcServer32\(Default) = "c:\Program Files\GoogleAFE\GoogleAE.dll" ["Google"]
    {E1B2E864-8BFC-4072-AE11-924E0F8BBA96}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "ComCap"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\comcap16.dll" [file not found]
    {EEC590D8-0A3C-4464-BB20-25A4747992F9}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "AD Rotator"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\adrotate.dll" [file not found]
  • edited March 2008
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
    -> {HKLM...CLSID} = "Display Panning CPL Extension"
    \InProcServer32\(Default) = "deskpan.dll" [file not found]
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
    -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
    "{7D5C4BDD-B015-4401-8731-1507B87DE297}" = "QBVersionTool"
    -> {HKLM...CLSID} = "VersionShellExt Class"
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Intuit\QuickBooks\QBVersionTool.dll" ["Intuit, Inc."]
    "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
    "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
    -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
    "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
    -> {HKLM...CLSID} = "AVG7 Find Extension Class"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
    "{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess"
    -> {HKLM...CLSID} = "DriveLetterAccess"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"]
    "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
    "{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
    -> {HKLM...CLSID} = "Universal Plug and Play Devices"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
    <<!>> "{bd0fc212-0a36-4232-83cc-2063fb9282e0}" = "curdler"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\WINDOWS\system32\qzviz.dll" [file not found]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
    <<!>> "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"
    -> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"
    \InProcServer32\(Default) = "C:\PROGRA~1\WIFD1F~1\MpShHook.dll" [MS]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    "WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
    -> {HKLM...CLSID} = "WPDShServiceObj Class"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    <<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
    <<!>> intel3\DLLName = "intel3.dll" [file not found]
    <<!>> IntelWireless\DLLName = "C:\Program Files\Intel\Wireless\Bin\LgNotify.dll" ["Intel Corporation"]

    HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
    {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
    -> {HKLM...CLSID} = "PDF Shell Extension"
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

    HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
    AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
    -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
    AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
    -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
  • edited March 2008
    Group Policies {GPedit.msc branch and setting}:

    Note: detected settings may not have any effect.

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

    "shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Shutdown: Allow system to be shut down without having to log on}

    "undockwithoutlogon" = (REG_DWORD) dword:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Devices: Allow undock without having to log on}

    "InstallVisualStyle" = (REG_EXPAND_SZ) C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    {unrecognized setting}

    "InstallTheme" = (REG_EXPAND_SZ) C:\WINDOWS\Resources\Themes\Royale.theme
    {unrecognized setting}


    Active Desktop and Wallpaper:

    Active Desktop may be disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
    HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
    "Wallpaper" = "C:\WINDOWS\Web\Wallpaper\Halo 2 - Desert Brigade.bmp"

    Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
    HKCU\Control Panel\Desktop\
    "Wallpaper" = "C:\WINDOWS\Web\Wallpaper\Halo 2 - Desert Brigade.bmp"


    Enabled Screen Saver:

    HKCU\Control Panel\Desktop\
    "SCRNSAVE.EXE" = "C:\WINDOWS\system32\nature.scr" [MS]


    Startup items in "Community Motors" & "All Users" startup folders:

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    "Canon iR1200-1300 Status Window" -> shortcut to: "C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2LAK.EXE !N" ["CANON INC."]
    "Digital Line Detect" -> shortcut to: "C:\Program Files\Digital Line Detect\DLG.exe" ["BVRP Software"]
    "Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
    "QuickBooks Update Agent" -> shortcut to: "C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe" ["Intuit, Inc."]


    Enabled Scheduled Tasks:

    "MP Scheduled Scan" -> launches: "C:\Program Files\Windows Defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS]


    Winsock2 Service Provider DLLs:

    Namespace Service Providers

    HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

    Transport Service Providers

    HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


    Toolbars, Explorer Bars, Extensions:

    Toolbars

    HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
    "{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
    -> {HKLM...CLSID} = "&Google"
    \InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

    HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
    "{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
    -> {HKLM...CLSID} = "&Google"
    \InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

    HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
    "{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
    -> {HKLM...CLSID} = "&Google"
    \InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

    Explorer Bars

    HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
    {FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Real.com"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\Shdocvw.dll" [MS]

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
    "MenuText" = "Sun Java Console"
    "CLSIDExtension" = "{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC}"
    -> {HKCU...CLSID} = "Java Plug-in 1.6.0_05"
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."]
    -> {HKLM...CLSID} = "Java Plug-in 1.6.0_05"
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll" ["Sun Microsystems, Inc."]

    {B205A35E-1FC4-4CE3-818B-899DBBB3388C}\

    {CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
    "ButtonText" = "Real.com"

    {E2E2DD38-D088-4134-82B7-F2BA38496583}\
    "MenuText" = "@xpsp3res.dll,-20001"
    "Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

    {FB5F1910-F110-11D2-BB9E-00C04F795683}\
    "ButtonText" = "Messenger"
    "MenuText" = "Windows Messenger"
    "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


    Running Services (Display Name, Service Name, Path {Service DLL}):

    Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
    AVG E-mail Scanner, AVGEMS, "C:\PROGRA~1\Grisoft\AVG7\avgemc.exe" ["GRISOFT, s.r.o."]
    AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe" ["GRISOFT, s.r.o."]
    AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe" ["GRISOFT, s.r.o."]
    EvtEng, EvtEng, "C:\Program Files\Intel\Wireless\Bin\EvtEng.exe" ["Intel Corporation"]
    Media Center Extender Service, McrdSvc, "C:\WINDOWS\ehome\mcrdsvc.exe" [MS]
    Media Center Receiver Service, ehRecvr, "C:\WINDOWS\eHome\ehRecvr.exe" [MS]
    Media Center Scheduler Service, ehSched, "C:\WINDOWS\eHome\ehSched.exe" [MS]
    NICCONFIGSVC, NICCONFIGSVC, "C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe" ["Dell Inc."]
    RegSrvc, RegSrvc, "C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe" ["Intel Corporation"]
    Spectrum24 Event Monitor, S24EventMonitor, "C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe" ["Intel Corporation "]
    SupportSoft Sprocket Service (dellsupportcenter), sprtsvc_dellsupportcenter, "C:\Program Files\Dell Support Center\bin\sprtsvc.exe /service /p dellsupportcenter" ["SupportSoft, Inc."]
    Windows Defender, WinDefend, ""C:\Program Files\Windows Defender\MsMpEng.exe"" [MS]
    WLANKEEPER, WLANKEEPER, "C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe" ["Intel® Corporation"]


    Print Monitors:

    HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
    CAPM2 Monitor\Driver = "CAPM2LMK.DLL" ["CANON INC."]
    Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]
    PostScript Port\Driver = "postscriptmon.dll" [null data]


    (launch time: 2008-03-17 13:00:17)
    <<!>>: Suspicious data at a malware launch point.

    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + To search all directories of local fixed drives for DESKTOP.INI
    DLL launch points, use the -supp parameter or answer "No" at the
    first message box and "Yes" at the second message box.
    (total run time: 44 seconds, including 13 seconds for message boxes)
  • edited March 2008
    Good work - that will stop your DNS lookups (every time you enter a name in your browser's address bar it then goes to a DNS server basically to locate it on the web) from going to the Ukraine instead of where they should. Now let's get on the rest of the repairs.


    To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware softwares while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs.

    Download ComboFix.exe from here to your desktop.

    Then disable your net access, and click the downloaded file to run the repair.

    When starting ComboFix will cause your computer's internal speakers to produce two beeps, and during the start process display two warnings. These are intended to discourage people who are not getting help in the forum from just experimenting with tools they do not understand. Just to inform you so you will understand that the procedures are expected, and okay.

    ComboFix will also change the drive autoplay settings there as it's own added security measure. When we have completed all repairs here we will return the default Windows settings.


    A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop, however given the infection there ComboFix will likely cause a reboot in order to complete it's repairs.

    (ComboFix will also disable any screensaver settings made, so know that at some point when we complete repairs you will need to reset your screensaver)

    Re-enable net access, and post back the C:\ComboFix.txt log as well as a new HijackThis log please.
  • edited March 2008
    Here is the combofix log;

    ComboFix 08-03-17.1 - Community Motors 2008-03-18 9:01:42.1 - NTFSx86
    Running from: C:\Documents and Settings\Community Motors\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Community Motors\Application Data\macromedia\Flash Player\#SharedObjects\FJH3ZYNE\www.broadcaster.com
    C:\Documents and Settings\Community Motors\Application Data\macromedia\Flash Player\#SharedObjects\FJH3ZYNE\www.broadcaster.com\played_list.sol
    C:\Documents and Settings\Community Motors\Application Data\macromedia\Flash Player\#SharedObjects\FJH3ZYNE\www.broadcaster.com\video_queue.sol
    C:\Documents and Settings\Community Motors\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
    C:\Documents and Settings\Community Motors\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
    C:\Program Files\Common Files\{18C34~1
    C:\Program Files\inetget2
    C:\Program Files\video activex object
    C:\Program Files\video activex object\ot.ico
    C:\Program Files\video activex object\ts.ico
    C:\WINDOWS\setup.exe
    C:\WINDOWS\system32\adrot-uninst.exe
    C:\WINDOWS\system32\bszip.dll
    C:\WINDOWS\system32\uninsticn.exe
    C:\WINDOWS\wr.txt

    .
    ((((((((((((((((((((((((( Files Created from 2008-02-18 to 2008-03-18 )))))))))))))))))))))))))))))))
    .

    2008-03-18 08:14 . 2004-08-04 01:56 146,432 --a
    C:\WINDOWS\system32\dllcache\regedit.exe
    2008-03-18 08:14 . 2004-08-04 01:56 146,432 --a
    C:\WINDOWS\regedit.exe
    2008-03-18 08:09 . 2008-03-18 08:09 <DIR> d
    C:\ComboFix(2)
    2008-03-17 12:51 . 2008-03-17 12:57 <DIR> d
    C:\fixwareout
    2008-03-15 13:18 . 2008-03-15 13:18 1,158 --a
    C:\WINDOWS\mozver.dat
    2008-03-15 13:16 . 2008-03-15 13:16 <DIR> d
    C:\Documents and Settings\Community Motors\Application Data\Talkback
    2008-03-15 13:16 . 2008-03-15 13:16 0 --a
    C:\WINDOWS\nsreg.dat
    2008-03-12 12:21 . 2008-02-22 02:33 69,632 --a
    C:\WINDOWS\system32\javacpl.cpl
    2008-03-12 11:36 . 2008-03-15 14:04 <DIR> d
    C:\Documents and Settings\Community Motors\.SunDownloadManager
    2008-03-07 15:30 . 2002-08-16 13:43 299,008 --a
    C:\WINDOWS\system32\PSPrinter.exe
    2008-03-07 15:30 . 2002-08-16 13:43 204,800 --a
    C:\WINDOWS\Uninstall.exe
    2008-03-07 15:30 . 2002-08-16 13:39 196,608 --a
    C:\WINDOWS\InstallPostScriptPort.exe
    2008-03-07 15:30 . 2002-06-05 15:12 22,528 --a
    C:\WINDOWS\system32\postscriptmon.dll
    2008-03-07 15:30 . 2002-05-15 13:42 9,216 --a
    C:\WINDOWS\system32\ddklocalui.dll
    2008-03-07 15:30 . 2008-03-07 15:30 38 --a
    C:\WINDOWS\system32\EDRPDriver.ini
    2008-03-07 15:21 . 2008-03-07 15:28 20,761 --a
    C:\WINDOWS\system32\PSPORT
    2008-03-07 09:19 . 2008-03-07 09:19 <DIR> d
    C:\Documents and Settings\Community Motors\Application Data\CyberLink
    2008-03-04 11:06 . 2008-03-15 14:09 <DIR> d
    C:\PrintImages

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-03-18 00:05
    d
    w C:\Documents and Settings\All Users\Application Data\avg7
    2008-03-15 18:59
    d
    w C:\Program Files\Trend Micro
    2008-03-12 18:21
    d
    w C:\Program Files\Java
    2008-03-11 21:41
    d
    w C:\Documents and Settings\Community Motors\Application Data\AVG7
    2008-03-07 21:30
    d--h--w C:\Program Files\InstallShield Installation Information
    2008-02-28 13:49
    d
    w C:\Documents and Settings\All Users\Application Data\Dell
    2008-02-22 18:02 6,360 ----a-w C:\Documents and Settings\Community Motors\Application Data\wklnhst.dat
    2008-02-14 16:06
    d
    w C:\Program Files\RGB
    2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
    2007-12-19 23:01 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
    2007-12-18 09:51 179,584
    w C:\WINDOWS\system32\dllcache\mrxdav.sys
    2006-06-05 02:44 65,408 ----a-w C:\Documents and Settings\Community Motors\Application Data\GDIPFONTCACHEV1.DAT
    2007-02-21 16:59 56 --sh--r C:\WINDOWS\system32\0816B84B95.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0B6899B6-1564-43e0-BD93-F7CF930A5E5C}]
    C:\WINDOWS\system32\nsu15B2.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{746455FE-D059-47e7-AF0E-140E03F5A447}]
    C:\WINDOWS\system32\nszD.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E1B2E864-8BFC-4072-AE11-924E0F8BBA96}]
    C:\WINDOWS\system32\comcap16.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEC590D8-0A3C-4464-BB20-25A4747992F9}]
    C:\WINDOWS\system32\adrotate.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-02 07:51 68856]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 05:00 15360]
    "DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
    "DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-01-18 22:34 26112]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-18 22:34 98304]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44 81920]
    "IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 14:59 385024]
    "ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 14:01 67584]
    "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 16:19 53248]
    "Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-09-01 17:24 684032]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-26 09:19 579072]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 21:05 344064]
    "Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 16:33 155648]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 05:33 122941]
    "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]
    "dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
    "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 12:09 63712]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
    "PC Adware-Spware Removal"="C:\Program Files\PC Adware-Spyware Removal\PCAdwareSpywareRemoval.exe" [ ]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-22 09:03 219136]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Canon iR1200-1300 Status Window.LNK - C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2LAK.EXE [2002-07-11 11:00:00 30720]
    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-01-18 22:31:01 24576]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
    QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 11:59:36 806912]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{bd0fc212-0a36-4232-83cc-2063fb9282e0}"= C:\WINDOWS\system32\qzviz.dll [ ]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\intel3]
    intel3.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
    C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 16:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\SLWIN\\Slw.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Documents and Settings\\Community Motors\\My Documents\\Downloaded Program Updates\\Update Manager\\utorrent.exe"=
    "C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
    "C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
    "C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
    "C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
  • edited March 2008
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

    R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 10:23]
    S1 intel5;INTEL processor extention;C:\WINDOWS\system32\intel5.sys []
    S2 RapidPortM2;RapidPortM2;C:\WINDOWS\system32\Drivers\CAPM2LP.SYS [2002-07-11 11:00]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
    \Shell\AutoRun\command - E:\setup.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-03-18 14:01:47 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
    - C:\Program Files\Windows Defender\MpCmdRun.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-03-18 09:05:27
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-03-18 9:06:20
    ComboFix-quarantined-files.txt 2008-03-18 15:06:05
    .
    2008-03-17 22:05:38 --- E O F ---
  • edited March 2008
    And here is the Hijackthis Log;

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:13:47 AM, on 3/18/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\WINDOWS\system32\CAPM2RSK.EXE
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\Program Files\Dell Support Center\bin\sprtcmd.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2LAK.EXE
    C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2SWK.EXE
    C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2SWK.EXE
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\Mozilla Firefox\firefox.exe
    C:\SLWIN\slw.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSL encrypt - {0B6899B6-1564-43e0-BD93-F7CF930A5E5C} - C:\WINDOWS\system32\nsu15B2.dll (file missing)
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nszD.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
    O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
    O2 - BHO: ComCap - {E1B2E864-8BFC-4072-AE11-924E0F8BBA96} - C:\WINDOWS\system32\comcap16.dll (file missing)
    O2 - BHO: AD Rotator - {EEC590D8-0A3C-4464-BB20-25A4747992F9} - C:\WINDOWS\system32\adrotate.dll (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [PC Adware-Spware Removal] C:\Program Files\PC Adware-Spyware Removal\PCAdwareSpywareRemoval.exe /quick
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Canon iR1200-1300 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2LAK.EXE
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.mmohsix.com
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by128fd.bay128.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u5-windows-i586-jc.cab
    O20 - Winlogon Notify: intel3 - intel3.dll (file missing)
    O22 - SharedTaskScheduler: curdler - {bd0fc212-0a36-4232-83cc-2063fb9282e0} - C:\WINDOWS\system32\qzviz.dll (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    --
    End of file - 10193 bytes
  • edited March 2008
    That removed some, and showed more we can address now.


    Be sure to continue to temporarily disable any protective software when running the scan tools we use here.


    Open notepad (go to Start, Run, type notepad and press Enter) and copy/paste the text in the codebox below into it:

    File::
    C:\WINDOWS\system32\nsu15B2.dll
    C:\WINDOWS\system32\nszD.dll
    C:\WINDOWS\system32\comcap16.dll
    C:\WINDOWS\system32\adrotate.dll
    C:\WINDOWS\system32\intel3.dll
    Folder::
    C:\Program Files\PC Adware-Spyware Removal
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0B6899B6-1564-43e0-BD93-F7CF930A5E5C}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{746455FE-D059-47e7-AF0E-140E03F5A447}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E1B2E864-8BFC-4072-AE11-924E0F8BBA96}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEC590D8-0A3C-4464-BB20-25A4747992F9}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PC Adware-Spware Removal"=-
    [hkey_local_machine\software\microsoft\windows\curr entversion\explorer\sharedtaskscheduler]
    "{bd0fc212-0a36-4232-83cc-2063fb9282e0}"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\intel3]
    

    Save this to your desktop as "CFScript"

    (include the "quotation marks" with the name)


    You should now have both ComboFix and that CFScript on the desktop. Just left click/hold on the CFScript file, and drag it into ComboFix to start the scan.

    ComboFix will now run as it did before. Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

    A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.



    Also Go here and run the Kaspersky online scan, and post back the log it creates (it requires IE).

    To use the scan, once the download has completed click Scan Settings, then make sure the "extended option" is checked (leave all others as they are) and click OK. Then click My Computer to begin the scan. Save the Report as a text file and post that back here.

    To save it as a text file, still with the page in Internet Explorer, go to the top of the page and select File - Save As... Then make sure in the "Save as type" drop down you change it to "Text File(*.txt)".

    Post back that log along with the ComboFix.txt and a new HijackThis log please.
  • edited March 2008
    Here is the combofix log, and by the way thanks so much for helping me out.:

    ComboFix 08-03-17.1 - Community Motors 2008-03-18 14:52:18.2 - NTFSx86
    Running from: C:\Documents and Settings\Community Motors\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Community Motors\Desktop\CFScript
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\WINDOWS\system32\adrotate.dll
    C:\WINDOWS\system32\comcap16.dll
    C:\WINDOWS\system32\intel3.dll
    C:\WINDOWS\system32\nsu15B2.dll
    C:\WINDOWS\system32\nszD.dll
    .

    ((((((((((((((((((((((((( Files Created from 2008-02-18 to 2008-03-18 )))))))))))))))))))))))))))))))
    .

    2008-03-18 08:14 . 2004-08-04 01:56 146,432 --a
    C:\WINDOWS\system32\dllcache\regedit.exe
    2008-03-18 08:14 . 2004-08-04 01:56 146,432 --a
    C:\WINDOWS\regedit.exe
    2008-03-18 08:09 . 2008-03-18 08:09 <DIR> d
    C:\ComboFix(2)
    2008-03-17 12:51 . 2008-03-17 12:57 <DIR> d
    C:\fixwareout
    2008-03-15 13:18 . 2008-03-15 13:18 1,158 --a
    C:\WINDOWS\mozver.dat
    2008-03-15 13:16 . 2008-03-15 13:16 <DIR> d
    C:\Documents and Settings\Community Motors\Application Data\Talkback
    2008-03-15 13:16 . 2008-03-15 13:16 0 --a
    C:\WINDOWS\nsreg.dat
    2008-03-12 12:21 . 2008-02-22 02:33 69,632 --a
    C:\WINDOWS\system32\javacpl.cpl
    2008-03-12 11:36 . 2008-03-15 14:04 <DIR> d
    C:\Documents and Settings\Community Motors\.SunDownloadManager
    2008-03-07 15:30 . 2002-08-16 13:43 299,008 --a
    C:\WINDOWS\system32\PSPrinter.exe
    2008-03-07 15:30 . 2002-08-16 13:43 204,800 --a
    C:\WINDOWS\Uninstall.exe
    2008-03-07 15:30 . 2002-08-16 13:39 196,608 --a
    C:\WINDOWS\InstallPostScriptPort.exe
    2008-03-07 15:30 . 2002-06-05 15:12 22,528 --a
    C:\WINDOWS\system32\postscriptmon.dll
    2008-03-07 15:30 . 2002-05-15 13:42 9,216 --a
    C:\WINDOWS\system32\ddklocalui.dll
    2008-03-07 15:30 . 2008-03-07 15:30 38 --a
    C:\WINDOWS\system32\EDRPDriver.ini
    2008-03-07 15:21 . 2008-03-07 15:28 20,761 --a
    C:\WINDOWS\system32\PSPORT
    2008-03-07 09:19 . 2008-03-07 09:19 <DIR> d
    C:\Documents and Settings\Community Motors\Application Data\CyberLink
    2008-03-04 11:06 . 2008-03-15 14:09 <DIR> d
    C:\PrintImages

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-03-18 00:05
    d
    w C:\Documents and Settings\All Users\Application Data\avg7
    2008-03-15 18:59
    d
    w C:\Program Files\Trend Micro
    2008-03-12 18:21
    d
    w C:\Program Files\Java
    2008-03-11 21:41
    d
    w C:\Documents and Settings\Community Motors\Application Data\AVG7
    2008-03-07 21:30
    d--h--w C:\Program Files\InstallShield Installation Information
    2008-02-28 13:49
    d
    w C:\Documents and Settings\All Users\Application Data\Dell
    2008-02-22 18:02 6,360 ----a-w C:\Documents and Settings\Community Motors\Application Data\wklnhst.dat
    2008-02-14 16:06
    d
    w C:\Program Files\RGB
    2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
    2007-12-19 23:01 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
    2007-12-18 09:51 179,584
    w C:\WINDOWS\system32\dllcache\mrxdav.sys
    2006-06-05 02:44 65,408 ----a-w C:\Documents and Settings\Community Motors\Application Data\GDIPFONTCACHEV1.DAT
    2007-02-21 16:59 56 --sh--r C:\WINDOWS\system32\0816B84B95.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-02 07:51 68856]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 05:00 15360]
    "DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
    "DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-01-18 22:34 26112]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-18 22:34 98304]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44 81920]
    "IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 14:59 385024]
    "ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 14:01 67584]
    "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 16:19 53248]
    "Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-09-01 17:24 684032]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-26 09:19 579072]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 21:05 344064]
    "Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 16:33 155648]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 05:33 122941]
    "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]
    "dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
    "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 12:09 63712]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
  • edited March 2008
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-22 09:03 219136]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Canon iR1200-1300 Status Window.LNK - C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2LAK.EXE [2002-07-11 11:00:00 30720]
    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-01-18 22:31:01 24576]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
    QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 11:59:36 806912]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{bd0fc212-0a36-4232-83cc-2063fb9282e0}"= C:\WINDOWS\system32\qzviz.dll [ ]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
    C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 16:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\SLWIN\\Slw.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Documents and Settings\\Community Motors\\My Documents\\Downloaded Program Updates\\Update Manager\\utorrent.exe"=
    "C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
    "C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
    "C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
    "C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

    R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 10:23]
    S1 intel5;INTEL processor extention;C:\WINDOWS\system32\intel5.sys []
    S2 RapidPortM2;RapidPortM2;C:\WINDOWS\system32\Drivers\CAPM2LP.SYS [2002-07-11 11:00]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
    \Shell\AutoRun\command - E:\setup.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-03-18 15:13:32 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
    - C:\Program Files\Windows Defender\MpCmdRun.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-03-18 14:56:19
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-03-18 14:57:21
    ComboFix-quarantined-files.txt 2008-03-18 20:57:04
    ComboFix2.txt 2008-03-18 15:06:21
    .
    2008-03-17 22:05:38 --- E O F ---
  • edited March 2008
    Here is the Hijackthis log;

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:38:08 PM, on 3/18/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\WINDOWS\system32\CAPM2RSK.EXE
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\Program Files\Dell Support Center\bin\sprtcmd.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2LAK.EXE
    C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2SWK.EXE
    C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2SWK.EXE
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\SLWIN\slw.exe
    C:\PROGRA~1\Mozilla Firefox\firefox.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
    O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Canon iR1200-1300 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2LAK.EXE
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.mmohsix.com
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by128fd.bay128.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u5-windows-i586-jc.cab
    O22 - SharedTaskScheduler: curdler - {bd0fc212-0a36-4232-83cc-2063fb9282e0} - C:\WINDOWS\system32\qzviz.dll (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    --
    End of file - 9679 bytes


    It'll be a few minutes befor the Kaspersky log will be done then i'll post it.
  • edited March 2008
    Here is the Kasperky Log;

    KASPERSKY ONLINE SCANNER REPORT
    Tuesday, March 18, 2008 4:37:11 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 18/03/2008
    Kaspersky Anti-Virus database records: 638211

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\
    E:\

    Scan Statistics:
    Total number of scanned objects: 66500
    Number of viruses found: 2
    Number of infected objects: 4
    Number of suspicious objects: 0
    Duration of the scan process: 01:15:00

    Infected Object Name / Virus Name / Last Action
    C:\46.tmp/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
    C:\46.tmp NSIS: infected - 1 skipped
    C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-04122007-074417.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\SupportSoft\DellSupportCenter\SYSTEM\state\logs\sprtcmd.log Object is locked skipped
    C:\Documents and Settings\Community Motors\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skipped
    C:\Documents and Settings\Community Motors\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt_GTActions.log Object is locked skipped
    C:\Documents and Settings\Community Motors\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\gdql_d_DSAgnt.log Object is locked skipped
    C:\Documents and Settings\Community Motors\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\glog.log Object is locked skipped
    C:\Documents and Settings\Community Motors\Application Data\Mozilla\Firefox\Profiles\obtzljnm.default\cert8.db Object is locked skipped
    C:\Documents and Settings\Community Motors\Application Data\Mozilla\Firefox\Profiles\obtzljnm.default\history.dat Object is locked skipped
    C:\Documents and Settings\Community Motors\Application Data\Mozilla\Firefox\Profiles\obtzljnm.default\key3.db Object is locked skipped
    C:\Documents and Settings\Community Motors\Application Data\Mozilla\Firefox\Profiles\obtzljnm.default\parent.lock Object is locked skipped
    C:\Documents and Settings\Community Motors\Application Data\Mozilla\Firefox\Profiles\obtzljnm.default\search.sqlite Object is locked skipped
    C:\Documents and Settings\Community Motors\Application Data\Mozilla\Firefox\Profiles\obtzljnm.default\urlclassifier2.sqlite Object is locked skipped
    C:\Documents and Settings\Community Motors\Application Data\Sun\Java\Deployment\cache\6.0\53\33cb4475-5c57a95c Infected: Exploit.Java.Gimsh.a skipped
    C:\Documents and Settings\Community Motors\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\java.class-2275b795-15252dad.class Infected: Exploit.Java.Gimsh.a skipped
    C:\Documents and Settings\Community Motors\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Community Motors\Local Settings\Application Data\ApplicationHistory\sprtcmd.exe.63e7480d.ini.inuse Object is locked skipped
    C:\Documents and Settings\Community Motors\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Community Motors\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Community Motors\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{9DFCB30C-8B46-41BC-956A-6D994CA30092} Object is locked skipped
    C:\Documents and Settings\Community Motors\Local Settings\Application Data\Mozilla\Firefox\Profiles\obtzljnm.default\Cache\_CACHE_001_ Object is locked skipped
    C:\Documents and Settings\Community Motors\Local Settings\Application Data\Mozilla\Firefox\Profiles\obtzljnm.default\Cache\_CACHE_002_ Object is locked skipped
    C:\Documents and Settings\Community Motors\Local Settings\Application Data\Mozilla\Firefox\Profiles\obtzljnm.default\Cache\_CACHE_003_ Object is locked skipped
    C:\Documents and Settings\Community Motors\Local Settings\Application Data\Mozilla\Firefox\Profiles\obtzljnm.default\Cache\_CACHE_MAP_ Object is locked skipped
    C:\Documents and Settings\Community Motors\Local Settings\Application Data\SupportSoft\DellSupportCenter\Community Motors\state\logs\sprtcmd.log Object is locked skipped
    C:\Documents and Settings\Community Motors\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Community Motors\Local Settings\Temp\CTT15AF.tmp Object is locked skipped
    C:\Documents and Settings\Community Motors\Local Settings\Temp\CTT15B0.tmp Object is locked skipped
    C:\Documents and Settings\Community Motors\Local Settings\Temp\CTT15B3.tmp Object is locked skipped
    C:\Documents and Settings\Community Motors\Local Settings\Temp\CTT15BE.tmp Object is locked skipped
    C:\Documents and Settings\Community Motors\Local Settings\Temp\CTT79C.tmp Object is locked skipped
    C:\Documents and Settings\Community Motors\Local Settings\Temp\~DF2953.tmp Object is locked skipped
    C:\Documents and Settings\Community Motors\Local Settings\Temp\~DFE4BC.tmp Object is locked skipped
    C:\Documents and Settings\Community Motors\Local Settings\Temp\~DFE4C8.tmp Object is locked skipped
    C:\Documents and Settings\Community Motors\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\Community Motors\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Community Motors\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Community Motors\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
  • edited March 2008
    C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP503\change.log Object is locked skipped
    C:\WINDOWS\CSC\00000001 Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\ModemLog_Conexant D110 MDC V.9x Modem.txt Object is locked skipped
    C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{B31D31D9-1965-4463-9E0F-975B281148A4}.crmlog Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.
  • edited March 2008
    I left in a forum line break on one of the corrections, so we'll need to grab that one now, but looking good so far. Kaspersky located it's usual normally locked system functions and a few items of infection you need to remove. Then for this type of malware one additional on-hand scan there to clear out remnants would be best as well.


    Make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types"

    Do a search ( Start - Search/Find - Files or Folders) for the following hilighted files/folders (shown in Bold), and if found, delete them.

    C:\46.tmp


    Then Go to Start > Settings > Control Panel > Java and Under the General tab, click Delete Files. That will empty it's cached items.



    Close Internet Explorer and all running programs and run a scan in HijackThis. Place a check next to all of the following lines, then select “Fix Checked” and close HijackThis.

    O22 - SharedTaskScheduler: curdler - {bd0fc212-0a36-4232-83cc-2063fb9282e0} - C:\WINDOWS\system32\qzviz.dll (file missing)


    Then Go here and download the free version of SUPERAntiSpyware and install it.

    After installation accept any prompts to allow SUPERAntiSpyware to install the latest infection definition files. Next follow the prompts to complete the installation. For now, uncheck the option to have SUPERAntiSpyware "Automatically check for program and definition updates". Providing an email address and allowing the software to send diagnostic reports to it's research center are up to you. Do NOT allow SUPERAntiSpyware to Protect your Home Page settings.

    Once the installation is complete open SUPERAntiSpyware and press the Preferences button. Under the General and Startup tab, uncheck the following (leaving all other settings as is).

    Start-up Options:
    *Start SUPERAntiSpyware when Windows starts

    Automatic Updates:
    *Check for program updates when the application starts.
    Start-up Scanning:
    *Check for updates before scanning on startup.

    Then select Close. Don't scan just yet though.


    Also Go Here and download ATF cleaner. Click on the downloaded file to run it, and select "Select All", then click Empty Selected (and close ATF).

    If you have them, also click on Firefox/Opera at the top and repeat the steps (and close ATF). Firefox/Opera will need to be closed first for the cleaning to be effective.

    ===============================================


    Reboot into Safe Mode (at startup tap the F8 key and select Safe Mode).


    Open SUPERAntiSpyware and click the Scan your Computer button. You may need to start SUPERAntiSpyware, then right click the Taskbar icon (the little bug shaped icon) and select "Scan for Spyware, Adware, Malware..." to access the scan panel. Making sure that Fixed Drive (NTFS) is checked (typically the C Drive), check "Perform Complete Scan", then click Next. SUPERAntiSpyware will now complete a system scan.


    SUPERAntiSpyware will now scan your computer and when its finished it will list all the infections it has found. Make sure that they all have a check next to them and click next. If prompted allow the reboot (or manually reboot at this time), and after the reboot open SUPERAntiSpyware again (double click the bug-shaped Taskbar icon).

    Click Preferences, then under the Statistics/Logs tab, click to select the most recent Scan Log, then click View Log. Save the log to your desktop, and copy/paste the text from the log back here.


    Run a new HijackThis scan, and post that back here along with the SUPERAntiSpyware log please.
  • edited March 2008
    K, here is the Hijackthis;

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:10:13 AM, on 3/19/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\WINDOWS\system32\CAPM2RSK.EXE
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\Program Files\Dell Support Center\bin\sprtcmd.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2LAK.EXE
    C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2SWK.EXE
    C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2SWK.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
    O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Canon iR1200-1300 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2LAK.EXE
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.mmohsix.com
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by128fd.bay128.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u5-windows-i586-jc.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    --
    End of file - 9369 bytes
  • edited March 2008
    And the Supersntispyware scan;

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 03/19/2008 at 09:58 AM

    Application Version : 4.0.1154

    Core Rules Database Version : 3421
    Trace Rules Database Version: 1413

    Scan type : Complete Scan
    Total Scan Time : 00:51:32

    Memory items scanned : 194
    Memory threats detected : 0
    Registry items scanned : 5577
    Registry threats detected : 235
    File items scanned : 14500
    File threats detected : 20

    Browser Hijacker.Internet Explorer Zone Hijack
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\getmirar.com
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\getmirar.com\click
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\getmirar.com\click#http
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\getmirar.com\click#https
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\click
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\click#http
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\click#https
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\redirect
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\redirect#http
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\redirect#https
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\net-nucleus.com
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\net-nucleus.com\awbeta
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\net-nucleus.com\awbeta#http
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\net-nucleus.com\awbeta#https
    HKU\S-1-5-21-4006730587-1961919399-1188117590-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\media-motor.net
    HKU\S-1-5-21-4006730587-1961919399-1188117590-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\media-motor.net#*

    Trojan.RieMon
    C:\WINDOWS\SYSTEM32\IRSSYNCD.EXE
    HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\irssyncd
    HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\irssyncd#Path
    HKCR\Iman.RieMon
    HKCR\Iman.RieMon\CLSID
    HKCR\Iman.RieMon\CurVer
    HKCR\Iman.RieMon.1
    HKCR\Iman.RieMon.1\CLSID
    HKU\S-1-5-21-4006730587-1961919399-1188117590-1005\SOFTWARE\Irismon
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IRISm
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IRISm#Path
    HKLM\SYSTEM\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\irssyncd.exe

    Trojan.Downloader-Gen
    C:\WINDOWS\SYSTEM32\ITALFDS.EXE
    HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\ItalU
    HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\ItalU#Path

    Unclassified.Unknown Origin/System
    C:\WINDOWS\SYSTEM32\TDOPUENB.EXE
    HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\TDPer.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\TDPer.exe#Path

    Adware.MovieLand/MediaPipe
    HKCR\AppId\AMNotifier.EXE
    HKCR\AppId\AMNotifier.EXE#AppID
    HKCR\TypeLib\{AFDBB222-DEA9-4C12-B3A3-A13C2985E3EE}
    HKCR\TypeLib\{AFDBB222-DEA9-4C12-B3A3-A13C2985E3EE}\1.0
    HKCR\TypeLib\{AFDBB222-DEA9-4C12-B3A3-A13C2985E3EE}\1.0\0
    HKCR\TypeLib\{AFDBB222-DEA9-4C12-B3A3-A13C2985E3EE}\1.0\0\win32
    HKCR\TypeLib\{AFDBB222-DEA9-4C12-B3A3-A13C2985E3EE}\1.0\FLAGS
    HKCR\TypeLib\{AFDBB222-DEA9-4C12-B3A3-A13C2985E3EE}\1.0\HELPDIR

    Adware.Ezula
    HKLM\SOFTWARE\Microsoft\Direct2D
    HKLM\SOFTWARE\Microsoft\Direct2D#affilate_id
    HKLM\SOFTWARE\Microsoft\Direct2D#request_queue
    HKLM\SOFTWARE\Microsoft\Direct2D#version
    HKLM\SOFTWARE\Microsoft\Direct2D#installation_id
    HKLM\SOFTWARE\Microsoft\Direct2D#user_id
    HKLM\SOFTWARE\Microsoft\Direct2D#db_number
    HKLM\SOFTWARE\Microsoft\Direct2D#date
    HKLM\SOFTWARE\Microsoft\Direct2D#popup_delay
    HKLM\SOFTWARE\Microsoft\Direct2D#refresh_time
    HKLM\SOFTWARE\Microsoft\Direct2D#related_pop_type
    HKLM\SOFTWARE\Microsoft\Direct2D#ezula_maxdup
    HKLM\SOFTWARE\Microsoft\Direct2D#rand_context_distortion
    HKLM\SOFTWARE\Microsoft\Direct2D#navigation_error
    HKLM\SOFTWARE\Microsoft\Direct2D#popup_time_distortion
    HKLM\SOFTWARE\Microsoft\Direct2D#ezula_maxhilight
    HKLM\SOFTWARE\Microsoft\Direct2D#rand_contextual_pop_type
    HKLM\SOFTWARE\Microsoft\Direct2D#popup_ctx_delay
    HKLM\SOFTWARE\Microsoft\Direct2D#fixed_ctx_pop_delay
    HKLM\SOFTWARE\Microsoft\Direct2D#fixed_ctx_pop_distortion
    HKLM\SOFTWARE\Microsoft\Direct2D#ezula_enabled
    HKLM\SOFTWARE\Microsoft\Direct2D#random_contextual_enabled
    HKLM\SOFTWARE\Microsoft\Direct2D#program_push_enabled
    HKLM\SOFTWARE\Microsoft\Direct2D#icon_drop_enabled
    HKLM\SOFTWARE\Microsoft\Direct2D#related_popups_enabled
    HKLM\SOFTWARE\Microsoft\Direct2D#fixed_ctx_pop_enabled
    HKLM\SOFTWARE\Microsoft\Direct2D#update_url
    HKLM\SOFTWARE\Microsoft\Direct2D#internal_affiliate_id
    HKLM\SOFTWARE\Microsoft\Direct2D#country_id
    HKLM\SOFTWARE\Microsoft\Direct2D#install_timestamp
    HKLM\SOFTWARE\Microsoft\Direct2D#last_refresh_time
    HKLM\SOFTWARE\Microsoft\Direct2D#ezula_deniedsites
    HKLM\SOFTWARE\Microsoft\Direct2D#nav_error_content
    HKLM\SOFTWARE\Microsoft\Direct2D#ezula_dictionary
    HKLM\SOFTWARE\Microsoft\Direct2D#last_ezulasync
    HKLM\SOFTWARE\Microsoft\Direct2D#ctx_popup_db
    HKLM\SOFTWARE\Microsoft\Direct2D#related_sites
    HKLM\SOFTWARE\Microsoft\Direct2D#ctx_popup_shown
    HKLM\SOFTWARE\Microsoft\Direct2D#next_ctx_popup_time
    HKLM\SOFTWARE\Microsoft\Direct2D#related_popup_appendix
    HKLM\SOFTWARE\Microsoft\Direct2D#next_related_time
    HKLM\SOFTWARE\Microsoft\Direct2D#random_context_blacklist
    HKLM\SOFTWARE\Microsoft\Direct2D#last_push_time
    HKLM\SOFTWARE\Microsoft\Direct2D#pushed_already
    HKLM\SOFTWARE\Microsoft\Direct2D#fixed_ctx_pop_db
    HKLM\SOFTWARE\Microsoft\Direct2D#next_fixed_ctx_popup_time

    Adware.MediaMotor
    HKCR\TypeLib\{D13DECBB-52F8-4BF4-BA6C-B0CC603963C9}
    HKCR\TypeLib\{D13DECBB-52F8-4BF4-BA6C-B0CC603963C9}\2.1
    HKCR\TypeLib\{D13DECBB-52F8-4BF4-BA6C-B0CC603963C9}\2.1\0
    HKCR\TypeLib\{D13DECBB-52F8-4BF4-BA6C-B0CC603963C9}\2.1\0\win32
    HKCR\TypeLib\{D13DECBB-52F8-4BF4-BA6C-B0CC603963C9}\2.1\FLAGS
    HKCR\TypeLib\{D13DECBB-52F8-4BF4-BA6C-B0CC603963C9}\2.1\HELPDIR
    HKCR\Interface\{41E1565D-B7A8-4251-BD79-E6C5FACB2B5F}
    HKCR\Interface\{41E1565D-B7A8-4251-BD79-E6C5FACB2B5F}\Forward
    HKCR\Interface\{41E1565D-B7A8-4251-BD79-E6C5FACB2B5F}\ProxyStubClsid
    HKCR\Interface\{41E1565D-B7A8-4251-BD79-E6C5FACB2B5F}\ProxyStubClsid32
    HKCR\Interface\{DB312456-E762-4369-844A-AED9006B1B2F}
    HKCR\Interface\{DB312456-E762-4369-844A-AED9006B1B2F}\Forward
    HKCR\Interface\{DB312456-E762-4369-844A-AED9006B1B2F}\ProxyStubClsid
    HKCR\Interface\{DB312456-E762-4369-844A-AED9006B1B2F}\ProxyStubClsid32
    HKCR\Interface\{96866CAD-7F56-4047-9D41-08322B6B79F3}
    HKCR\Interface\{96866CAD-7F56-4047-9D41-08322B6B79F3}\ProxyStubClsid
    HKCR\Interface\{96866CAD-7F56-4047-9D41-08322B6B79F3}\ProxyStubClsid32
    HKCR\Interface\{96866CAD-7F56-4047-9D41-08322B6B79F3}\TypeLib
    HKCR\Interface\{96866CAD-7F56-4047-9D41-08322B6B79F3}\TypeLib#Version

    Adware.Toolbar888
    HKU\S-1-5-21-4006730587-1961919399-1188117590-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CBCC61FA-0221-4CCC-B409-CEE865CACA3A}

    Trojan.Security Toolbar
    C:\Documents and Settings\All Users\Start Menu\Online Security Guide.url
    C:\Documents and Settings\All Users\Start Menu\Security Troubleshooting.url

    Trojan.Malware
    HKCR\Interface\{ED3672D8-19B9-400F-8BED-734E6CC2355F}
    HKCR\Interface\{ED3672D8-19B9-400F-8BED-734E6CC2355F}\ProxyStubClsid
    HKCR\Interface\{ED3672D8-19B9-400F-8BED-734E6CC2355F}\ProxyStubClsid32
    HKCR\Interface\{ED3672D8-19B9-400F-8BED-734E6CC2355F}\TypeLib
    HKCR\Interface\{ED3672D8-19B9-400F-8BED-734E6CC2355F}\TypeLib#Version
  • edited March 2008
    Adware.BitLocker
    HKCR\Da.Bomb
    HKCR\Da.Bomb\CLSID
    HKCR\Da.Bomb\CurVer
    HKCR\Da.Bomb.1
    HKCR\Da.Bomb.1\CLSID
    HKCR\ONONE.Theimp
    HKCR\ONONE.Theimp\CLSID
    HKCR\ONONE.Theimp\CurVer
    HKCR\ONONE.Theimp.1
    HKCR\ONONE.Theimp.1\CLSID
    HKCR\CLSID\{ABE46B90-C143-44ee-BC04-3313A048B9AC}
    HKCR\CLSID\{ABE46B90-C143-44ee-BC04-3313A048B9AC}\InprocServer32
    HKCR\CLSID\{ABE46B90-C143-44ee-BC04-3313A048B9AC}\InprocServer32#ThreadingModel
    HKCR\CLSID\{ABE46B90-C143-44ee-BC04-3313A048B9AC}\ProgID
    HKCR\CLSID\{ABE46B90-C143-44ee-BC04-3313A048B9AC}\Programmable
    HKCR\CLSID\{ABE46B90-C143-44ee-BC04-3313A048B9AC}\TypeLib
    HKCR\CLSID\{ABE46B90-C143-44ee-BC04-3313A048B9AC}\VersionIndependentProgID
    HKCR\TypeLib\{68C93759-CAD1-465F-A320-4C2728003E08}
    HKCR\TypeLib\{68C93759-CAD1-465F-A320-4C2728003E08}\1.0
    HKCR\TypeLib\{68C93759-CAD1-465F-A320-4C2728003E08}\1.0\0
    HKCR\TypeLib\{68C93759-CAD1-465F-A320-4C2728003E08}\1.0\0\win32
    HKCR\TypeLib\{68C93759-CAD1-465F-A320-4C2728003E08}\1.0\FLAGS
    HKCR\TypeLib\{68C93759-CAD1-465F-A320-4C2728003E08}\1.0\HELPDIR
    HKCR\Interface\{3C7D55D7-AD86-4B05-A7A6-F19C2B3D5758}
    HKCR\Interface\{3C7D55D7-AD86-4B05-A7A6-F19C2B3D5758}\ProxyStubClsid
    HKCR\Interface\{3C7D55D7-AD86-4B05-A7A6-F19C2B3D5758}\ProxyStubClsid32
    HKCR\Interface\{3C7D55D7-AD86-4B05-A7A6-F19C2B3D5758}\TypeLib
    HKCR\Interface\{3C7D55D7-AD86-4B05-A7A6-F19C2B3D5758}\TypeLib#Version
    HKCR\Interface\{DDA9619F-F00E-4B40-AA4D-94A218773C61}
    HKCR\Interface\{DDA9619F-F00E-4B40-AA4D-94A218773C61}\ProxyStubClsid
    HKCR\Interface\{DDA9619F-F00E-4B40-AA4D-94A218773C61}\ProxyStubClsid32
    HKCR\Interface\{DDA9619F-F00E-4B40-AA4D-94A218773C61}\TypeLib
    HKCR\Interface\{DDA9619F-F00E-4B40-AA4D-94A218773C61}\TypeLib#Version

    Adware.AdRotator
    HKCR\OddBot.AdClicker
    HKCR\OddBot.AdClicker\CLSID
    HKCR\OddBot.AdClicker\CurVer
    HKCR\OddBot.AdClicker.1
    HKCR\OddBot.AdClicker.1\CLSID
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AdRotator
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AdRotator#DisplayName
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AdRotator#UninstallString
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AdRotator#NoModify
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AdRotator#NoRepair
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AdRotator#DisplayVersion
    HKLM\SOFTWARE\NodeIpProc
    HKLM\SOFTWARE\NodeIpProc#Vendor

    Trojan.Media-Codec
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Security Plugin 2006
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Security Plugin 2006#DisplayName
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Security Plugin 2006#UninstallString

    Adware.eZula/BannerRotator
    HKCR\Interface\{BA2A20E0-2476-43BB-BCC8-BFEE2419B293}
    HKCR\Interface\{BA2A20E0-2476-43BB-BCC8-BFEE2419B293}\ProxyStubClsid
    HKCR\Interface\{BA2A20E0-2476-43BB-BCC8-BFEE2419B293}\ProxyStubClsid32
    HKCR\Interface\{BA2A20E0-2476-43BB-BCC8-BFEE2419B293}\TypeLib
    HKCR\Interface\{BA2A20E0-2476-43BB-BCC8-BFEE2419B293}\TypeLib#Version
    HKCR\Interface\{D0C1545E-61E1-40D5-8F8C-37D4E7758275}
    HKCR\Interface\{D0C1545E-61E1-40D5-8F8C-37D4E7758275}\ProxyStubClsid
    HKCR\Interface\{D0C1545E-61E1-40D5-8F8C-37D4E7758275}\ProxyStubClsid32
    HKCR\Interface\{D0C1545E-61E1-40D5-8F8C-37D4E7758275}\TypeLib
    HKCR\Interface\{D0C1545E-61E1-40D5-8F8C-37D4E7758275}\TypeLib#Version

    Adware.AdRotate/System
    HKCR\Crypt.Core
    HKCR\Crypt.Core\CLSID
    HKCR\Crypt.Core\CurVer
    HKCR\Crypt.Core.1
    HKCR\Crypt.Core.1\CLSID
    HKCR\ADRotator.Rotator
    HKCR\ADRotator.Rotator\CLSID
    HKCR\ADRotator.Rotator\CurVer
    HKCR\ADRotator.Rotator.1
    HKCR\ADRotator.Rotator.1\CLSID
    HKCR\CLSID\{2CAB0356-88E3-4902-A85D-379689C625E1}
    HKCR\CLSID\{2CAB0356-88E3-4902-A85D-379689C625E1}\InprocServer32
    HKCR\CLSID\{2CAB0356-88E3-4902-A85D-379689C625E1}\InprocServer32#ThreadingModel
    HKCR\CLSID\{2CAB0356-88E3-4902-A85D-379689C625E1}\ProgID
    HKCR\CLSID\{2CAB0356-88E3-4902-A85D-379689C625E1}\Programmable
    HKCR\CLSID\{2CAB0356-88E3-4902-A85D-379689C625E1}\TypeLib
    HKCR\CLSID\{2CAB0356-88E3-4902-A85D-379689C625E1}\VersionIndependentProgID
    HKCR\TypeLib\{7AC21A02-5B24-47AE-9B0E-B05AE3A50FC4}
    HKCR\TypeLib\{7AC21A02-5B24-47AE-9B0E-B05AE3A50FC4}\1.0
    HKCR\TypeLib\{7AC21A02-5B24-47AE-9B0E-B05AE3A50FC4}\1.0\0
    HKCR\TypeLib\{7AC21A02-5B24-47AE-9B0E-B05AE3A50FC4}\1.0\0\win32
    HKCR\TypeLib\{7AC21A02-5B24-47AE-9B0E-B05AE3A50FC4}\1.0\FLAGS
    HKCR\TypeLib\{7AC21A02-5B24-47AE-9B0E-B05AE3A50FC4}\1.0\HELPDIR
    HKCR\TypeLib\{DEFDEADA-C390-4EB9-97FA-59D56B21E5D5}
    HKCR\TypeLib\{DEFDEADA-C390-4EB9-97FA-59D56B21E5D5}\1.0
    HKCR\TypeLib\{DEFDEADA-C390-4EB9-97FA-59D56B21E5D5}\1.0\0
    HKCR\TypeLib\{DEFDEADA-C390-4EB9-97FA-59D56B21E5D5}\1.0\0\win32
    HKCR\TypeLib\{DEFDEADA-C390-4EB9-97FA-59D56B21E5D5}\1.0\FLAGS
    HKCR\TypeLib\{DEFDEADA-C390-4EB9-97FA-59D56B21E5D5}\1.0\HELPDIR
    HKCR\TypeLib\{FDB10602-AA12-4E76-AAE2-2B328A3E950A}
    HKCR\TypeLib\{FDB10602-AA12-4E76-AAE2-2B328A3E950A}\1.0
    HKCR\TypeLib\{FDB10602-AA12-4E76-AAE2-2B328A3E950A}\1.0\0
    HKCR\TypeLib\{FDB10602-AA12-4E76-AAE2-2B328A3E950A}\1.0\0\win32
    HKCR\TypeLib\{FDB10602-AA12-4E76-AAE2-2B328A3E950A}\1.0\FLAGS
    HKCR\TypeLib\{FDB10602-AA12-4E76-AAE2-2B328A3E950A}\1.0\HELPDIR

    Malware.SpyLocked
    HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}
    HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}#lWgeAqicd
    HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}#tnmXjmmra
    HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}#ryliGoisKwipd
    HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}#yfsxndmii
    HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}#imSxqOMzserj
    HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}#oxzehf
    HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}#oqknhsq
    HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}#QvxJecFRdi
    HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}#qyqxzdtrtylIt
    HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}#MeYmaznb
    HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}#jJpDkwNw
    HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}#klynHsjrCagi
    HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}#xECVlJLd
    HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}#NusvphrvWeh
    HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}#BizOlmRm
    HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}\Control
    HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}\Implemented Categories
    HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
    HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
    HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}\InprocServer32
    HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}\InprocServer32#ThreadingModel
    HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}\Insertable
    HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}\MiscStatus
    HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}\MiscStatus\1
    HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}\ProgID
    HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}\Programmable
    HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}\TypeLib
    HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}\Version
    HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}\VersionIndependentProgID
    C:\Program Files\SpywareLocked 3.3\ignored.lst
    C:\Program Files\SpywareLocked 3.3\sd.ini
    C:\Program Files\SpywareLocked 3.3

    Malware.Installer-Pkg/Gen
    C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{651956B7-1969-42AA-9453-E0B813019D54}.EXE
    C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{26D2C2C3-CF14-4ED7-B1FC-0BE64AFBA3B3}.EXE
    C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{3C48F877-A164-45E9-B9DA-26A049FFC207}.EXE
    C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{6293BC00-4EB8-4C65-8548-53E2FC3BF937}.EXE
    C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{6B6A7665-DB48-4762-AB5D-BEEB9E1CD7FA}.EXE
    C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{C0A0AA4D-C79B-48CA-8843-2B02B626C9E6}.EXE
    C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{C2D8F0E2-6978-4409-8351-BA8785DA11EE}.EXE
    C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{D1A6F3FD-7B40-443F-8767-BADB25A0D222}.EXE
    C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{E0814F95-5380-4892-B8C8-7FA4B349EF46}.EXE

    Browser Hijacker.Favorites
    C:\DOCUMENTS AND SETTINGS\COMMUNITY MOTORS\DESKTOP\UNUSED DESKTOP ICONS\REALLY UNUSED ICONS\ONLINE SECURITY GUIDE.URL
    C:\DOCUMENTS AND SETTINGS\COMMUNITY MOTORS\DESKTOP\UNUSED DESKTOP ICONS\REALLY UNUSED ICONS\SECURITY TROUBLESHOOTING.URL

    Adware.AdRotate-Uninstaller
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP502\A0035282.EXE
  • edited March 2008
    Good work. You can run another Super scan in Safe Mode to be sure all items were located, though that looks like a pretty thorough job from this angle. And looking cleaned up now. Before we do the extra steps of cleaning what we added there how are things running now?
  • edited March 2008
    Its nice, no more iesettings update pop up and it seems to be running a little faster now, no more of the lags and sudden freeze ups while i'm browsing on the internet. Thanks
  • edited March 2008
    That describes a clean system. Just a clean up of our work now. Both the Kaspersky online scan and SUPERAntiSpyware uninstall through Add/Remove Programs if you do not plan to use them in the future. SUPERAntiSpyware is known to be compatible with other security softwares, so you may want to keep it for periodic updated scans.


    The autoplay functions there were blocked as part of the procedures we did here. You can return those to the Windows default settings at this time by doing the following step, if you wish. This will allow autoplay for all drives such as CD-ROM and external drives.
    REGEDIT4
    
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoDriveAutoRun"=dword:0000000
    "NoDriveTypeAutoRun"=dword:00000095
    
    Open Notepad and copy and paste the above text (inside the box) into the text file. Now go to File > Save As and call it autofix.reg. Where it says "Files of Type", select All Files and click on Save. Exit Notepad, double-click on the file and ok the prompt asking if you wish to merge the file with your registry.


    You can also at this time delete the files/folders of the tools we used. To assist with some of that download OTMoveIt2 and save the file to your desktop. This will help by automatically removing some of the tools we used.

    Please double-click OTMoveIt.exe to run it and click on Cleanup (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator"). When you do this list of malware removal programs will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so. After the list has downloaded, you'll be asked if you want to begin cleanup process? Select Yes.

    OTMoveIt will search for and delete/uninstall all the tools that we have used to fix your problems and all their backup folders and then delete itself when you next reboot. At the end of the run you will receive a prompt to reboot, but save that for the next step.


    Then reset the System Restore. To do this, right-click My Computer and select Properties. Click the System Restore tab in the window that appears, and check the box that says "Turn off System Restore on all drives" and click Apply.

    You will be asked if you are sure, click Yes. This will delete the restore points. Then click OK in the Properties window and reboot your computer.

    When your desktop appears, right-click My Computer and select Properties once more. Uncheck the "Turn off System Restore..." box and click Apply. OK.

    In addition, I like to recommend reviewing the information Here to make sure you stay malware free.
  • edited March 2008
    Okay thanks again for everything, got a new firewall and some spywareblaster and spybot search and destroy to help out. If anything happens again i'll post here, but i doubt it will, espically because of your help. Thanks for everything

    =David.:)
Sign In or Register to comment.