Hi. I was infected with something 7/12 that wouldn't allow me to access any sites that typically log into (gmail, hotmail, Amazon, etc.). For example, I could get to the hotmail main page, but couldn't log in - instead, I'd get a pop-up ad. I noticed that AVG Free hadn't updated successfully since 7/3, and Window Security Alert was telling me that updates weren't enabled (even though they were). I googled a bunch and did the following: 1) uninstall AVG 2) install Avast Avast found a boot virus that it cleaned. Now, however, Avast is finding a .tt*.tmp.vbs VBS:Malware-gen file everytime I reboot. I googled some more and, based primarily on recent threads on this forum, did the following (which all seemed safe since they didn't appear to be specific to a particular situation): 1) Run SuperAntiSpyware 2) Run Vundofix and VirtumondoBeGone 3) Run SDFix I've also done various boot scans with Avast, complete scans with Avast, Adaware, SuperAntiSpyware, etc. - they usually find something and claim to have cleaned it, but I'm right back where I started when I reboot. I've spent 4-5 hours this weekend trying to fix it and figured it was time to defer to the experts Here's my Hijack This log (seems to be a popular first step/request). Any help would be appreciated. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:16:16 PM, on 7/13/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\Dell\Media Experience\DMXLauncher.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\WINDOWS\System32\DLA\DLACTRLW.EXE C:\Program Files\Microsoft IntelliType Pro\type32.exe C:\Program Files\Microsoft IntelliPoint\point32.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\bgsvcgen.exe C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe C:\WINDOWS\system32\lphcap1j0e939.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\Rundll32.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Program Files\Panasonic\VideoCamSuite\VideoCamSuiteAutoStart.exe C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us O2 - BHO: {4ee3392c-9882-b699-7c24-d688b6491331} - {1331946b-886d-42c7-996b-2889c2933ee4} - C:\WINDOWS\system32\sytyqo.dll (file missing) O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL (file missing) O2 - BHO: (no name) - {801C3946-FF03-44F9-A64D-9091462DB43B} - C:\WINDOWS\system32\qoMeBuRL.dll (file missing) O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL (file missing) O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe" O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe" O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O5 "LPT1:" /M "Stylus C84" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe O4 - HKLM\..\Run: [EPSON Stylus C84 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P32 "EPSON Stylus C84 Series (Copy 1)" /O6 "USB001" /M "Stylus C84" O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [9024812b] rundll32.exe "C:\WINDOWS\system32\nxkxwcgl.dll",b O4 - HKLM\..\Run: [lphcap1j0e939] C:\WINDOWS\system32\lphcap1j0e939.exe O4 - HKLM\..\Run: [SMshccp1j0e939] C:\Program Files\shccp1j0e939\shccp1j0e939.exe O4 - HKLM\..\Run: [SMrhcep1j0e939] C:\Program Files\rhcep1j0e939\rhcep1j0e939.exe O4 - HKLM\..\Run: [BM9317b2b7] Rundll32.exe "C:\WINDOWS\system32\aylwyvoa.dll",s O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user') O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Auto run of VideoCam Suite 1.0.lnk = ? O4 - Global Startup: Digital Line Detect.lnk = ? O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: TotalMedia Backup Monitor.lnk = C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/tgctlcm.cab O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1154135246311 O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712....akamai.com/6712/player/install/installer.exe O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildTangent\Apps\Dell Game Console\GameConsoleService.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe -- End of file - 10021 bytes
A couple more pieces of info... MProtector and AntiVirus XP2008 both mysteriously appeared this morning. Both told me I had lots of issues, but I noticed that the install paths were non-standard (C:\Prog*\<gibberish>), so I tried uninstalling each. Uninstall didn't work, so I killed the running process and deleted the folders. Then I searched through the registry for each name and deleted those entries (after backing up the registry, of course). That's all I know to do to remove them, so they could still be lingering for all I know. The PC's been off the network for the day, so hopefully that prevents similar behavior from happening until the current malware issue is wiped out. Thanks.
Hi burghman, Looks like you still have a Vundo Variant infection that may be hidden by a Rootkit. Follow these instructions and we’ll see if we can get rid of it.. Download ComboFix from Here to your Desktop. • Double click combofix.exe and follow the prompts. • When finished, it shall produce a log for you. Post the Combofix log and a fresh HiJackthis log in your next reply Note: Do not mouseclick combofix's window while its running. That may cause it to stall 2OG
Awesome - thanks 2OG. I ran ComboFix as suggested - here's the log: ComboFix 08-07-13.6 - Jim 2008-07-13 21:36:31.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.606 [GMT -4:00] Running from: C:\Documents and Settings\Jim\Desktop\ComboFix.exe * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\Jim\Application Data\rhcep1j0e939 C:\Documents and Settings\Jim\Application Data\shccp1j0e939 C:\Documents and Settings\Melissa\Application Data\shccp1j0e939 C:\WINDOWS\BM9317b2b7.txt C:\WINDOWS\cookies.ini C:\WINDOWS\Downloaded Program Files\setup.inf C:\WINDOWS\pskt.ini C:\WINDOWS\system32\aavrvh.dll C:\WINDOWS\system32\aylwyvoa.dll C:\WINDOWS\system32\gnyoiwyu.dll C:\WINDOWS\system32\kcrdeuvw.dll C:\WINDOWS\system32\lgcwxkxn.ini C:\WINDOWS\system32\LRuBeMoq.ini C:\WINDOWS\system32\LRuBeMoq.ini2 C:\WINDOWS\system32\mcrh.tmp C:\WINDOWS\system32\MmWwaGgh.ini C:\WINDOWS\system32\MmWwaGgh.ini2 C:\WINDOWS\system32\MSINET.oca C:\WINDOWS\system32\nwhnymjn.ini C:\WINDOWS\system32\nxkxwcgl.dll C:\WINDOWS\system32\oeminfo.ini C:\WINDOWS\system32\ouwqsxld.dll C:\WINDOWS\system32\rxtwckgj.ini C:\WINDOWS\system32\shugxs.dll C:\WINDOWS\system32\thfyrqsy.dll C:\WINDOWS\system32\uwkcvqyy.dll C:\WINDOWS\system32\wvuedrck.ini C:\WINDOWS\system32\xnbttfdq.dll . ((((((((((((((((((((((((( Files Created from 2008-06-14 to 2008-07-14 ))))))))))))))))))))))))))))))) . 2008-07-13 09:44 . 2008-07-13 09:44 <DIR> d-------- C:\WINDOWS\ERUNT 2008-07-13 09:44 . 2008-07-13 09:44 <DIR> d-------- C:\SDFix 2008-07-13 09:30 . 2008-07-13 09:30 <DIR> d-------- C:\VundoFix Backups 2008-07-12 20:11 . 2008-07-12 20:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com 2008-07-12 20:10 . 2008-07-12 20:10 <DIR> d-------- C:\Program Files\SUPERAntiSpyware 2008-07-12 20:10 . 2008-07-12 20:10 <DIR> d-------- C:\Documents and Settings\Jim\Application Data\SUPERAntiSpyware.com 2008-07-12 16:40 . 2008-07-12 16:40 <DIR> d-------- C:\Program Files\Trend Micro 2008-07-12 16:04 . 2008-07-12 16:04 35,328 --a------ C:\WINDOWS\system32\lphcap1j0e939.exe 2008-07-12 15:18 . 2008-07-12 15:18 <DIR> d-------- C:\Documents and Settings\Jim\Application Data\Uniblue 2008-07-12 14:52 . 2008-07-12 20:10 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard 2008-07-12 13:47 . 2008-07-12 13:47 <DIR> d-------- C:\Program Files\Alwil Software 2008-07-12 13:40 . 2008-07-12 13:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8 2008-07-12 08:37 . 2008-07-13 08:38 110,419 --a------ C:\WINDOWS\BM9317b2b7.xml 2008-07-11 20:51 . 2008-07-11 20:51 <DIR> d-------- C:\Program Files\AVG 2008-07-11 20:37 . 2008-07-12 10:19 <DIR> d-------- C:\WINDOWS\system32\olixds01 2008-07-11 20:37 . 2008-07-11 20:37 <DIR> d-------- C:\Temp\stmpv4 2008-07-11 20:37 . 2008-07-11 20:41 <DIR> d-------- C:\Temp 2008-07-08 21:27 . 2008-07-08 22:02 <DIR> d-------- C:\WINDOWS\system32\Adobe 2008-06-20 13:41 . 2008-06-20 13:41 245,248 --------- C:\WINDOWS\system32\dllcache\mswsock.dll 2008-06-20 06:44 . 2008-06-20 06:44 138,368 --------- C:\WINDOWS\system32\dllcache\afd.sys . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-07-12 18:53 --------- d-----w C:\Program Files\Lavasoft 2008-07-12 16:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft 2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys 2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys 2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys 2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys 2008-06-08 02:18 --------- d--h--w C:\Documents and Settings\Jim\Application Data\Move Networks 2008-06-07 18:51 --------- d-----w C:\Documents and Settings\Jim\Application Data\Panasonic 2008-06-05 02:27 --------- d-----w C:\Program Files\vol_toolbar 2008-05-31 19:37 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-05-31 19:37 --------- d-----w C:\Program Files\Panasonic 2008-05-31 19:37 --------- d-----w C:\Documents and Settings\Jim\Application Data\InstallShield 2008-05-31 14:16 --------- d-----w C:\Program Files\Common Files\Adobe 2008-05-31 14:15 --------- d-----w C:\Documents and Settings\Jim\Application Data\AdobeUM 2008-05-20 01:43 --------- d-----w C:\Program Files\Chessmaster 8000 2008-03-01 01:34 25,288 ------w C:\Documents and Settings\Jim\Application Data\GDIPFONTCACHEV1.DAT 2005-05-26 18:35 1,422 ----a-w C:\Program Files\ReadMe.txt 2006-12-02 02:55 88 --sh--r C:\WINDOWS\system32\62E7D60D8F.sys 2006-12-02 02:55 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-26 22:03 68856] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360] "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 13:49 94208] "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 13:46 77824] "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 13:50 114688] "DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2006-05-03 03:12 98304] "ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 10:44 249856] "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44 81920] "DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 05:20 122940] "type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2003-05-15 19:45 114688] "IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2003-05-15 19:41 163840] "MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 16:16 1121792] "EPSON Stylus C84 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE" [2003-05-27 03:00 99840] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-24 12:20 98304] "MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2006-09-18 14:46 8192] "EPSON Stylus C84 Series (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE" [2003-05-27 03:00 99840] "lphcap1j0e939"="C:\WINDOWS\system32\lphcap1j0e939.exe" [2008-07-12 16:04 35328] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-26 22:03 68856] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696] Auto run of VideoCam Suite 1.0.lnk - C:\Program Files\Panasonic\VideoCamSuite\VideoCamSuiteAutoStart.exe [2008-05-31 15:38:10 161160] Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-07-24 12:16:59 24576] Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360] TotalMedia Backup Monitor.lnk - C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe [2007-05-20 16:15:42 270336] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "DisbleRegistryTools"= 0 (0x0) [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Program Files\\Verizon\\Media Manager\\MediaManager.exe"= R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 19:20] R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 19:16] S3 GameConsoleService;GameConsoleService;C:\Program Files\WildTangent\Apps\Dell Game Console\GameConsoleService.exe [2008-01-29 13:09] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E] \Shell\AutoRun\command - E:\autorun.exe . - - - - ORPHANS REMOVED - - - - BHO-{1331946b-886d-42c7-996b-2889c2933ee4} - C:\WINDOWS\system32\sytyqo.dll BHO-{801C3946-FF03-44F9-A64D-9091462DB43B} - C:\WINDOWS\system32\qoMeBuRL.dll HKCU-Run-Uniblue RegistryBooster 2 - C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe HKLM-Run-9024812b - C:\WINDOWS\system32\nxkxwcgl.dll HKLM-Run-SMshccp1j0e939 - C:\Program Files\shccp1j0e939\shccp1j0e939.exe HKLM-Run-SMrhcep1j0e939 - C:\Program Files\rhcep1j0e939\rhcep1j0e939.exe HKLM-Run-BM9317b2b7 - C:\WINDOWS\system32\aylwyvoa.dll ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-07-13 21:44:07 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . ------------------------ Other Running Processes ------------------------ . C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\bgsvcgen.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe . ************************************************************************** . Completion time: 2008-07-13 21:49:00 - machine was rebooted ComboFix-quarantined-files.txt 2008-07-14 01:48:56 Pre-Run: 53,635,661,824 bytes free Post-Run: 53,924,356,096 bytes free 169 --- E O F --- 2008-07-09 00:59:41 ---------------------------------------------------- Also re-ran Hijack This - here's that log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 9:51:20 PM, on 7/13/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\bgsvcgen.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\Dell\Media Experience\DMXLauncher.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\WINDOWS\System32\DLA\DLACTRLW.EXE C:\Program Files\Microsoft IntelliType Pro\type32.exe C:\Program Files\Microsoft IntelliPoint\point32.exe C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe C:\WINDOWS\system32\lphcap1j0e939.exe C:\WINDOWS\system32\Rundll32.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe C:\Program Files\Panasonic\VideoCamSuite\VideoCamSuiteAutoStart.exe C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL (file missing) O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL (file missing) O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe" O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe" O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O5 "LPT1:" /M "Stylus C84" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe O4 - HKLM\..\Run: [EPSON Stylus C84 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P32 "EPSON Stylus C84 Series (Copy 1)" /O6 "USB001" /M "Stylus C84" O4 - HKLM\..\Run: [lphcap1j0e939] C:\WINDOWS\system32\lphcap1j0e939.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user') O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Auto run of VideoCam Suite 1.0.lnk = ? O4 - Global Startup: Digital Line Detect.lnk = ? O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: TotalMedia Backup Monitor.lnk = C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/tgctlcm.cab O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1154135246311 O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712....akamai.com/6712/player/install/installer.exe O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildTangent\Apps\Dell Game Console\GameConsoleService.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe -- End of file - 9124 bytes How're things looking? Really appreciate the work you're doing for me and the rest of the folks who are stuck. Thanks.
Hi burghman, Looking better. Just a couple of things left. Fix entries using HiJackThis Launch HiJackThis Click the Do a system scan only button Put a check next to the entries listed below (if they still remain) O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL (file missing) O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL (file missing) O4 - HKLM\..\Run: [lphcap1j0e939] C:\WINDOWS\system32\lphcap1j0e939.exe IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now Click the Fix checked button and close HiJackThis Delete Files on Reboot Start Hijackthis Click on the Config button Click on the Misc Tools button Click on the button labeled Delete a file on reboot... A new window will open asking you to select the file that you would like to delete on reboot. Navigate to each file and click on it once, and then click on the Open button. C:\WINDOWS\system32\lphcap1j0e939.exe You will now be asked if you would like to reboot your computer to delete the file. Click on the Yes button if you would like to reboot now, otherwise click on the No button to reboot later. after the reboot, Post me a fresh HijackThis Log and let me know how things are going….. 2OG
Thanks for the info. I followed your instructions and for the first time all weekend, the reboot completed without either an Avast warning or a reference to the missing tt* VBS file! I still haven't reconnected to the internet since I wanted to make sure I was clean before doing so, but things appear to be in better shape now than just a little while ago. The latest Hijack This log is below. And thanks again for you help and quick response. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:01:41 PM, on 7/13/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\bgsvcgen.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\Dell\Media Experience\DMXLauncher.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\WINDOWS\System32\DLA\DLACTRLW.EXE C:\Program Files\Microsoft IntelliType Pro\type32.exe C:\Program Files\Microsoft IntelliPoint\point32.exe C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe C:\Program Files\Panasonic\VideoCamSuite\VideoCamSuiteAutoStart.exe C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe" O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe" O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O5 "LPT1:" /M "Stylus C84" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe O4 - HKLM\..\Run: [EPSON Stylus C84 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P32 "EPSON Stylus C84 Series (Copy 1)" /O6 "USB001" /M "Stylus C84" O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user') O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Auto run of VideoCam Suite 1.0.lnk = ? O4 - Global Startup: Digital Line Detect.lnk = ? O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: TotalMedia Backup Monitor.lnk = C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/tgctlcm.cab O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1154135246311 O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712....akamai.com/6712/player/install/installer.exe O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildTangent\Apps\Dell Game Console\GameConsoleService.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe -- End of file - 8740 bytes
Hey, Hey, Hey burghman, Congratulations, your log looks CLEAN This will keep you busy for a little while….. There are a few things you must do once you are completely clean: 1. Time for some housekeeping Please download the OTMoveIt2 by OldTimer • Save it to your desktop. • Run the tool by clicking on the icon. • Click the Cleanup button. • The tools that we used as well as this one will be removed from your system. 2. Please download ATF Cleaner by Atribune. This program is for XP and Windows 2000 only Double-click ATF-Cleaner.exe to run the program. Under Main choose: Select All Click the Empty Selected button. Click Exit on the Main menu to close the program. For Technical Support, double-click the e-mail address located at the bottom of each menu. 3. Now Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state. The easiest and safest way to do this is: • Go to Start > Programs > Accessories > System Tools and click "System Restore". • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore. • Then go to Start > Run and type: Cleanmgr • Click "OK". • Click the "More Options" Tab. • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one. 4. Defragment your Hard Drive 1.Open My Computer. 2.Right-click the local disk volume that you want to defragment, and then click Properties. 3.On the Tools tab, click Defragment Now. 4.Click Defragment. Here are some tips to reduce the potential for spyware infection in the future: It is critical that you use a firewall to protect your computer from hackers. We don't recommend the firewall that comes built in to Windows. It doesn't block everything that may try to get in, and the entire firewall is written to the registry. As various kinds of malware hack the Registry in order to disable the Windows firewall, it's far preferable to install one of the excellent third party solutions. Two good ones are are ZoneAlarm Free and Sunbelt Kerio Personal Firewall has a "free mode" as well. I personally use and recommend ZoneAlarm.. Make sure you keep your Windows OS current by visiting Windows update regularly to download and install any critical updates and service packs. With out these you are leaving the backdoor open. I strongly recommend installing the following applications: • Spywareblaster <= SpywareBlaster will prevent spyware from being installed. Go to these sites and read about these you may decide to use them, I do, because they work. • Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Malware, Cookies etc) from the sites listed, although you will still be able to connect to the sites. • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know Malware sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer And also see TonyKlein's good advice So how did I get infected in the first place? You have now been removed from the S.I.M.C. List….. Enjoy your clean computer. Any questions? 2OG
No questions at all at this point, just my sincere thanks for getting this resolved so quickly. With the press so focused on the viruses that cause so many problems, it's great to know that there are some helpful souls out there willing to do what it takes to keep the rest of us moving along. I'll be following up on your next steps and will certainly do my best to take all precautionary steps to prevent this from happening again. Thanks!
You’re welcome burghman, Don’t be too careful. If it weren’t for Malware Collectors, I’d have nothing to do on my days off. ; ) LOL Safe Surfing to ya, 2OG
