Croc, posted March 17, 2008:

Hi
Every time I search in google, the first entry of the results always directs me to 'topsearch10' search page. I've noticed that my internet's been a bit weird (slow, unresponsive) since this has started too. Hope someone can help! Here's a log file from hijack this:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:05:56, on 17/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\System32\DeltTray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACE.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.co.uk/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.co.uk/myway
O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [M-Audio Delta Taskbar Icon] C:\WINDOWS\System32\DeltTray.exe
O4 - HKLM\..\Run: [EPSON Stylus DX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACE.EXE /P26 "EPSON Stylus DX3800 Series" /O6 "USB001" /M "Stylus DX3800"
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [70cdbe16] rundll32.exe "C:\WINDOWS\system32\kmvcujyt.dll",b
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [bM73fe8d8a] Rundll32.exe "C:\WINDOWS\system32\cjxjyods.dll",s
O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: wsock3.dll
O10 - Unknown file in Winsock LSP: wsock3.dll
O10 - Unknown file in Winsock LSP: wsock3.dll
O10 - Unknown file in Winsock LSP: wsock3.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1149081401281
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\vhosts.exe

--
End of file - 5292 bytes

Thanks!
Dan, posted March 19, 2008:

Hi,

Download ComboFix from one of the locations below, and save it to your Desktop.
Link 1 / Link 2 / Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Danny
Croc, posted March 19, 2008:

Hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:52:17, on 19/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\DeltTray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACE.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.co.uk/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.co.uk/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\awtqonm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Module - {E1290342-AAFF-4f7c-9F45-D665E4BF1A00} - ktask.dll (file missing)
O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [M-Audio Delta Taskbar Icon] C:\WINDOWS\System32\DeltTray.exe
O4 - HKLM\..\Run: [EPSON Stylus DX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACE.EXE /P26 "EPSON Stylus DX3800 Series" /O6 "USB001" /M "Stylus DX3800"
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: wsock3.dll
O10 - Unknown file in Winsock LSP: wsock3.dll
O10 - Unknown file in Winsock LSP: wsock3.dll
O10 - Unknown file in Winsock LSP: wsock3.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1149081401281
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: awtqonm - C:\WINDOWS\SYSTEM32\awtqonm.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 5340 bytes

Combofix log:

ComboFix 08-03-18.1 - H Kalsi 2008-03-19 14:42:28.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.260 [GMT 0:00]
Running from: C:\Documents and Settings\H Kalsi\Desktop\ComboFix.exe
 * Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\outlook
C:\Program Files\outlook\p.zip
C:\Program Files\outlook\v.tmp
C:\Program Files\winupdates
C:\Program Files\winupdates\a.tmp
C:\Program Files\winupdates\a.zip
C:\WINDOWS\BM73fe8d8a.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\abcromvi.dll
C:\WINDOWS\system32\ahpsjhmg.dll
C:\WINDOWS\system32\alog.txt
C:\WINDOWS\system32\atcfctlx.dll
C:\WINDOWS\system32\ayctgxso.ini
C:\WINDOWS\system32\bbesdkvb.ini
C:\WINDOWS\system32\bojxipyj.ini
C:\WINDOWS\system32\cjcakenl.ini
C:\WINDOWS\system32\cjxjyods.dll
C:\WINDOWS\system32\cmcsijks.dll
C:\WINDOWS\system32\cnmjapbn.dll
C:\WINDOWS\system32\conf.dat
C:\WINDOWS\system32\dbfqnjbq.dll
C:\WINDOWS\system32\eqksawxr.ini
C:\WINDOWS\system32\etxidgxu.dll
C:\WINDOWS\system32\gngsjxid.dll
C:\WINDOWS\system32\hbplrvyr.ini
C:\WINDOWS\system32\hrapvtiv.ini
C:\WINDOWS\system32\hwcymshx.ini
C:\WINDOWS\system32\ivmorcba.ini
C:\WINDOWS\system32\iwxwxfof.dll
C:\WINDOWS\system32\jbsbepbo.ini
C:\WINDOWS\system32\jmarsufr.ini
C:\WINDOWS\system32\kadnknrm.ini
C:\WINDOWS\system32\kebywdku.dll
C:\WINDOWS\system32\kkxgxkty.dll
C:\WINDOWS\system32\kmvcujyt.dll
C:\WINDOWS\system32\lnekacjc.dll
C:\WINDOWS\system32\lxrubaum.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\muaburxl.ini
C:\WINDOWS\system32\obpebsbj.dll
C:\WINDOWS\system32\opqss.ini
C:\WINDOWS\system32\opqss.ini2
C:\WINDOWS\system32\osxgtcya.dll
C:\WINDOWS\system32\rfusramj.dll
C:\WINDOWS\system32\rmsxqmhw.ini
C:\WINDOWS\system32\rxurfmxk.dll
C:\WINDOWS\system32\rxwaskqe.dll
C:\WINDOWS\system32\sbtcahsf.dll
C:\WINDOWS\system32\ssqpo.dll
C:\WINDOWS\system32\twgswpkd.dll
C:\WINDOWS\system32\tyjucvmk.ini
C:\WINDOWS\system32\ujgtjguy.ini
C:\WINDOWS\system32\vhosts.exe
C:\WINDOWS\system32\vitvparh.dll
C:\WINDOWS\system32\vkhkbteh.dll
C:\WINDOWS\system32\vmgsgmvk.dll
C:\WINDOWS\system32\wbckgpsu.dll
C:\WINDOWS\system32\whmqxsmr.dll
C:\WINDOWS\system32\xbhuufsb.ini
C:\WINDOWS\system32\xhsmycwh.dll
C:\WINDOWS\system32\xorfqqrf.ini
C:\WINDOWS\system32\yjvtxoho.ini
C:\WINDOWS\system32\yugjtgju.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_MSUPDATE
-------\Service_msupdate
.
((((((((((((((((((((((((( Files Created from 2008-02-19 to 2008-03-19 )))))))))))))))))))))))))))))))
.
2008-03-17 14:05 . 2008-03-17 14:05 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-16 21:20 . 2008-03-16 21:20 <DIR> d-------- C:\Program Files\Windows Defender
2008-03-13 21:22 . 2008-03-17 16:36 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-13 21:22 . 2008-03-13 21:22 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-13 08:09 . 2008-03-13 08:09 1,974 ---hs---- C:\WINDOWS\system32\foxlstso.tmp
2008-02-19 11:28 . 2008-03-16 20:37 1,751,388 ---hs---- C:\WINDOWS\system32\jgulmgcn.ini
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-19 14:05 --------- d-----w C:\Documents and Settings\H Kalsi\Application Data\Skype
2008-03-17 16:11 --------- d-----w C:\Documents and Settings\H Kalsi\Application Data\AdobeUM
2008-03-16 20:34 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-03-16 20:34 --------- d-----w C:\Documents and Settings\H Kalsi\Application Data\uTorrent
2008-02-08 22:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-26 18:28 42,888 ----a-w C:\Documents and Settings\H Kalsi\Application Data\GDIPFONTCACHEV1.DAT
2006-06-04 00:25 446,512 ----a-w C:\Program Files\mozilla firefox\plugins\MPAMedia.dll
2006-06-04 00:25 41,001 ----a-w C:\Program Files\mozilla firefox\plugins\mpazip.dll
2006-06-04 00:25 28,716 ----a-w C:\Program Files\mozilla firefox\plugins\pdbm3210.dll
2006-06-04 00:25 73,783 ----a-w C:\Program Files\mozilla firefox\plugins\pdgenxferplug.dll
2006-06-04 00:25 49,197 ----a-w C:\Program Files\mozilla firefox\plugins\rjcfspln.dll
2006-06-04 00:25 61,483 ----a-w C:\Program Files\mozilla firefox\plugins\rjm4pln.dll
2006-06-04 00:25 45,101 ----a-w C:\Program Files\mozilla firefox\plugins\rjmp3pln.dll
2006-06-04 00:25 24,621 ----a-w C:\Program Files\mozilla firefox\plugins\rjrmapln.dll
2006-06-04 00:25 409,645 ----a-w C:\Program Files\mozilla firefox\plugins\rjrmjpln.dll
2006-06-04 00:25 73,773 ----a-w C:\Program Files\mozilla firefox\plugins\rjrmxpln.dll
2006-06-04 00:25 176,171 ----a-w C:\Program Files\mozilla firefox\plugins\tcdinfo.dll
2006-06-04 00:25 430,123 ----a-w C:\Program Files\mozilla firefox\plugins\tdwnmgr.dll
2006-06-04 00:25 57,383 ----a-w C:\Program Files\mozilla firefox\plugins\teall.dll
2006-06-04 00:25 61,480 ----a-w C:\Program Files\mozilla firefox\plugins\team4a.dll
2006-06-04 00:25 98,345 ----a-w C:\Program Files\mozilla firefox\plugins\teamp3.dll
2006-06-04 00:25 61,480 ----a-w C:\Program Files\mozilla firefox\plugins\teasdk.dll
2006-06-04 00:25 36,907 ----a-w C:\Program Files\mozilla firefox\plugins\teawave.dll
2006-06-04 00:25 45,097 ----a-w C:\Program Files\mozilla firefox\plugins\teawma.dll
2006-06-04 00:25 77,865 ----a-w C:\Program Files\mozilla firefox\plugins\tpdmgr.dll
2006-06-04 00:25 86,064 ----a-w C:\Program Files\mozilla firefox\plugins\wmaimprtpln.dll
2004-08-04 04:00 28,672 ----a-w C:\Program Files\opera\program\plugins\custsat.dll
2004-08-04 04:00 368,640 ----a-w C:\Program Files\opera\program\plugins\mpvis.dll
2004-08-11 00:45 47,616 ----a-w C:\Program Files\opera\program\plugins\msoobci.dll
2004-08-04 04:00 98,304 ----a-w C:\Program Files\opera\program\plugins\wmpband.dll
2004-08-04 04:00 221,184 ----a-w C:\Program Files\opera\program\plugins\wmpns.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
2007-12-10 15:49 23728 --a------ C:\WINDOWS\system32\awtqonm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E1290342-AAFF-4f7c-9F45-D665E4BF1A00}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-09-13 13:31 22880040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 07:50 139264]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 20:05 344064]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 15:19 53248]
"DeltTray"="DeltTray.exe" [2004-08-26 22:43 56320 C:\WINDOWS\system32\delttray.exe]
"M-Audio Delta Taskbar Icon"="C:\WINDOWS\System32\DeltTray.exe" [2004-08-26 22:43 56320]
"EPSON Stylus DX3800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACE.exe" [2005-02-08 04:00 98304]
"LogitechGalleryRepair"="C:\Program Files\Logitech\ImageStudio\ISStart.exe" [2002-12-10 17:32 155648]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36 256576]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 04:00 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= C:\WINDOWS\system32\awtqonm.dll [2007-12-10 15:49 23728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqonm]
awtqonm.dll 2007-12-10 15:49 23728 C:\WINDOWS\system32\awtqonm.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Free WebSite Tools.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Free WebSite Tools.lnk
backup=C:\WINDOWS\pss\Free WebSite Tools.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KBC Financial Products VPN Client.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KBC Financial Products VPN Client.lnk
backup=C:\WINDOWS\pss\KBC Financial Products VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2004-07-19 06:51 306688 C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
--a------ 2005-11-01 02:12 94208 C:\Program Files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eyeball Chat]
--a------ 2002-10-11 13:52 2863176 C:\Program Files\Eyeball\Eyeball Chat\EyeballChat.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-06-10 09:44 249856 c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-06-10 09:44 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechImageStudioTray]
--a------ 2002-12-10 17:31 61440 C:\Program Files\Logitech\ImageStudio\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
--a------ 2002-12-10 16:54 127022 C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
--a------ 2005-07-12 18:05 1117184 C:\Program Files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 16:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 09:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-25 18:58 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2006-06-04 00:25 208941 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shellapi32]
--a------ 2006-10-31 15:14 36120 C:\WINDOWS\system32\svcnet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2005-03-22 23:20 339968 C:\WINDOWS\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2007-09-13 13:31 22880040 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-11-09 15:07 49263 C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-06-04 00:25 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\Eyeball\\Eyeball Chat\\EyeballChat.exe"=
"C:\\Program Files\\Golden FTP Server\\GFTP.exe"=
"C:\\Program Files\\Opera\\Opera.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Soulseek-Test\\slsk.exe"=
"C:\\Program Files\\DC++\\DCPlusPlus.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 PhilCam8116;Logitech QuickCam Pro 3000(PID_08B0);C:\WINDOWS\system32\DRIVERS\CamDrL21.sys [2002-06-10 13:16]
R3 USBMN2X2;M-Audio USB MidiSport 2x2;C:\WINDOWS\system32\drivers\usbmn2x2.sys [2007-12-15 12:45]
S3 s816bus;Sony Ericsson Device 816 driver (WDM);C:\WINDOWS\system32\DRIVERS\s816bus.sys [2007-06-19 07:51]
S3 s816mdfl;Sony Ericsson Device 816 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\s816mdfl.sys [2007-06-19 07:51]
S3 s816mdm;Sony Ericsson Device 816 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\s816mdm.sys [2007-06-19 07:51]
S3 s816mgmt;Sony Ericsson Device 816 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\s816mgmt.sys [2007-06-19 07:51]
S3 s816nd5;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (NDIS);C:\WINDOWS\system32\DRIVERS\s816nd5.sys [2007-06-19 07:51]
S3 s816obex;Sony Ericsson Device 816 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\s816obex.sys [2007-06-19 07:51]
S3 s816unic;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (WDM);C:\WINDOWS\system32\DRIVERS\s816unic.sys [2007-06-19 07:51]
S3 USB22LDR;M-Audio USB MidiSport 2x2 Loader;C:\WINDOWS\system32\drivers\usb22ldr.sys [2007-12-15 12:45]
S3 USBMM2X2;Midiman USB MidiSport 2x2 Midi Driver;C:\WINDOWS\system32\drivers\usbmm2x2.sys []
.
Contents of the 'Scheduled Tasks' folder
"2008-03-12 20:25:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-19 02:03:00 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-19 14:48:12
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\awtqonm.dll
PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\wsock3.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
.
**************************************************************************
.
Completion time: 2008-03-19 14:50:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-19 14:50:34

Thanks!
Dan, posted March 19, 2008:

Hi,

A malicious .DLL file is disrupting the LSP chain on your computer. We need to get rid of it.

Please download LSPFix from here.
Run the LSPFix.exe that you have just finished downloading.
Check the I know what I'm doing box.
In the Keep box you should see one or more instances of wsock3.dll.
Select every instance of wsock3.dll and move each one to the Remove box by clicking the >> button.
When you are done click Finish>>.

Reboot, and post a new HijackThis log for me.

Danny
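The checks Dan is making by eye (an unattributable Winsock LSP, a nameless BHO, rundll32 autostarts of bare system32 DLLs, a DLL hooked into winlogon, a service with no vendor) can be written down as a small triage pass over HijackThis-format lines. The script below is an added illustration, not code from this thread or from HijackThis, LSPFix or ComboFix; its sample input is a constructed excerpt modelled on the logs posted above, and the rule set is my own reading of those logs rather than anything the tools implement.

```python
"""Triage of HijackThis v2 log lines for the patterns seen in this thread."""
import re
from collections import defaultdict

# Constructed excerpt in HijackThis v2.0.2 line format, drawn from the logs
# posted in this thread (the real logs are far longer).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\awtqonm.dll
O2 - BHO: Google Module - {E1290342-AAFF-4f7c-9F45-D665E4BF1A00} - ktask.dll (file missing)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [70cdbe16] rundll32.exe "C:\WINDOWS\system32\kmvcujyt.dll",b
O4 - HKLM\..\Run: [bM73fe8d8a] Rundll32.exe "C:\WINDOWS\system32\cjxjyods.dll",s
O10 - Unknown file in Winsock LSP: wsock3.dll
O10 - Unknown file in Winsock LSP: wsock3.dll
O20 - Winlogon Notify: awtqonm - C:\WINDOWS\SYSTEM32\awtqonm.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\vhosts.exe
"""

# A file sitting directly in %SystemRoot%\system32 (any letter case), captured by name.
SYSTEM32_FILE = re.compile(r'[a-z]:\\windows\\system32\\([^\s",]+)', re.IGNORECASE)
LINE = re.compile(r"(O\d+|R\d) - (.*)")


def classify(line):
    """Return (section, reason) for a line worth a second look, else None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    code, body = m.group(1), m.group(2)
    if code == "O10":
        # HijackThis prints 'Unknown file' when it cannot tie the LSP DLL to a product.
        return code, "Winsock LSP DLL that HijackThis cannot attribute"
    if code == "O2" and ("(no name)" in body or "(file missing)" in body):
        return code, "browser helper object with no name or no backing file"
    if code == "O4" and "rundll32" in body.lower() and SYSTEM32_FILE.search(body):
        return code, "rundll32 autostart of a bare system32 DLL"
    if code == "O20":
        return code, "notification package loaded into winlogon.exe"
    if code == "O23" and "Unknown owner" in body and SYSTEM32_FILE.search(body):
        return code, "service with no vendor running from system32"
    return None


def file_of(line):
    """Best-effort file name referenced by a line, lower-cased, or None."""
    m = SYSTEM32_FILE.search(line)
    if m:
        return m.group(1).lower()
    m = re.search(r"LSP: (\S+)", line)
    return m.group(1).lower() if m else None


def scan(log):
    """Return (findings, shared): flagged lines, and files that recur across sections."""
    findings, seen = [], set()
    sections_by_file = defaultdict(set)
    for raw in log.splitlines():
        line = raw.strip()
        hit = classify(line)
        if hit is None or line in seen:   # HijackThis repeats O10 once per LSP slot
            continue
        seen.add(line)
        code, reason = hit
        name = file_of(line)
        findings.append((code, name, reason))
        if name:
            sections_by_file[name].add(code)
    # The same DLL registered as a BHO and as a Winlogon notify package is the
    # persistence pattern in the logs above, so surface that overlap explicitly.
    shared = {f: sorted(c) for f, c in sections_by_file.items() if len(c) > 1}
    return findings, shared


if __name__ == "__main__":
    found, overlap = scan(SAMPLE_LOG)
    for code, name, reason in found:
        print(f"{code:<4} {name or '-':<14} {reason}")
    for name, codes in overlap.items():
        print(f"{name} appears in sections {', '.join(codes)}: review together")
```

On the constructed excerpt this flags seven lines and reports awtqonm.dll as present in both the O2 and O20 sections, which is the item the later replies in this thread keep coming back to.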
Croc, posted March 19, 2008:

Here's the latest hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:25:40, on 19/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\DeltTray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACE.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.co.uk/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.co.uk/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6B3E61A6-CB38-4772-8449-93CA79ECCA08} - C:\WINDOWS\system32\ddaya.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\awtqonm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: {86228fef-8e12-270b-3f24-b12a36c2861d} - {d1682c63-a21b-42f3-b072-21e8fef82268} - C:\WINDOWS\system32\icmbeltg.dll
O2 - BHO: Google Module - {E1290342-AAFF-4f7c-9F45-D665E4BF1A00} - ktask.dll (file missing)
O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [M-Audio Delta Taskbar Icon] C:\WINDOWS\System32\DeltTray.exe
O4 - HKLM\..\Run: [EPSON Stylus DX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACE.EXE /P26 "EPSON Stylus DX3800 Series" /O6 "USB001" /M "Stylus DX3800"
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [70cdbe16] rundll32.exe "C:\WINDOWS\system32\lldxnxgr.dll",b
O4 - HKLM\..\Run: [bM73fe8d8a] Rundll32.exe "C:\WINDOWS\system32\tdrajndv.dll",s
O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1149081401281
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: awtqonm - C:\WINDOWS\SYSTEM32\awtqonm.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 5569 bytes

Thanks a lot!
Dan Posted March 19, 2008

Thanks.

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files; click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer; click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Danny
Croc (Author) Posted March 19, 2008

Vundo log:

VundoFix V7.0.3

Scan started at 16:35:27 19/03/2008

Listing files found while scanning....

C:\WINDOWS\system32\awtqonm.dll
C:\WINDOWS\system32\lldxnxgr.dll
C:\WINDOWS\system32\rgxnxdll.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\awtqonm.dll
C:\WINDOWS\system32\awtqonm.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\lldxnxgr.dll
C:\WINDOWS\system32\lldxnxgr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rgxnxdll.ini
C:\WINDOWS\system32\rgxnxdll.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\awtqonm.dll
C:\WINDOWS\system32\awtqonm.dll Has been deleted!

Performing Repairs to the registry.
Done!

Hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:46:24, on 19/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\DeltTray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACE.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.co.uk/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.co.uk/myway
O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [M-Audio Delta Taskbar Icon] C:\WINDOWS\System32\DeltTray.exe
O4 - HKLM\..\Run: [EPSON Stylus DX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACE.EXE /P26 "EPSON Stylus DX3800 Series" /O6 "USB001" /M "Stylus DX3800"
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [70cdbe16] rundll32.exe "C:\WINDOWS\system32\lldxnxgr.dll",b
O4 - HKLM\..\Run: [bM73fe8d8a] Rundll32.exe "C:\WINDOWS\system32\tdrajndv.dll",s
O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1149081401281
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 4837 bytes

Thanks a lot!
Dan Posted March 19, 2008

Hi,

Please run HijackThis and click "Scan." Place checks next to the following entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.co.uk/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.co.uk/myway
O4 - HKLM\..\Run: [70cdbe16] rundll32.exe "C:\WINDOWS\system32\lldxnxgr.dll",b
O4 - HKLM\..\Run: [bM73fe8d8a] Rundll32.exe "C:\WINDOWS\system32\tdrajndv.dll",s
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

Close all windows and browsers except HijackThis, and click the "Fix Checked" button. Close HijackThis.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml

Next, please enable viewing of hidden files as follows:
1) Go to My Computer, and click on the "Tools" menu
2) Click "Folder options"
3) Select the "View" tab
4) Make sure "Show hidden files and folders" is selected
5) Make sure "Hide extensions for known file types" is unchecked
6) Make sure "Hide protected operating system files (recommended)" is unchecked

Next, delete the following files/folders (if they exist):
C:\WINDOWS\system32\tdrajndv.dll << This file
C:\WINDOWS\system32\lldxnxgr.dll << This file

Then restart your computer into normal mode, and then please post a new HijackThis log.

Danny
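The entries the helper picks out above follow a recognisable shape: a Run value with a random-looking name that starts rundll32 on a system32 DLL through a one-letter export, BHOs with no display name (or a GUID as a name) loading from system32, and a Winlogon Notify hook pointing at a DLL that is also registered elsewhere in the log. As an added example that is not part of this thread and is not code from HijackThis or VundoFix, the Python below turns those by-eye checks into a small log triager. The sample lines are copied from the logs posted in the thread; the function names, regular expressions and scoring rules are this example's own and are not how HijackThis itself classifies entries.

```python
"""Triage a HijackThis log for the Vundo-style persistence pattern seen in this thread.

Added example, not part of the thread, of HijackThis or of VundoFix: the heuristics
below encode what the helper checked by eye (nameless BHOs in system32, Run entries
that start rundll32 with a one-letter export, and a Winlogon Notify DLL that is also
registered somewhere else in the log). Function and pattern names are this example's own.
"""
import re
from collections import defaultdict

# Constructed sample input: a handful of lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6B3E61A6-CB38-4772-8449-93CA79ECCA08} - C:\WINDOWS\system32\ddaya.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\awtqonm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: {86228fef-8e12-270b-3f24-b12a36c2861d} - {d1682c63-a21b-42f3-b072-21e8fef82268} - C:\WINDOWS\system32\icmbeltg.dll
O2 - BHO: Google Module - {E1290342-AAFF-4f7c-9F45-D665E4BF1A00} - ktask.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [70cdbe16] rundll32.exe "C:\WINDOWS\system32\lldxnxgr.dll",b
O4 - HKLM\..\Run: [bM73fe8d8a] Rundll32.exe "C:\WINDOWS\system32\tdrajndv.dll",s
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O20 - Winlogon Notify: awtqonm - C:\WINDOWS\SYSTEM32\awtqonm.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
# rundll32[.exe] "path\name.dll",entry  (quotes optional, case-insensitive)
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<entry>\S*)$',
                       re.IGNORECASE)


def system32_basename(path):
    """Lower-cased file name when *path* points into the Windows system32 directory, else None."""
    m = re.search(r"\\system32\\([^\\\s]+)$", path, re.IGNORECASE)
    return m.group(1).lower() if m else None


def triage(log_text):
    """Return (section, reason, file_name) findings for one HijackThis log, in log order."""
    findings = []
    referenced = defaultdict(set)   # dll basename -> sections (O2/O4) that load it
    notify = []                     # (hook name, dll basename) from O20 lines, judged after the scan

    for line in (l.strip() for l in log_text.splitlines()):
        bho, run, o20 = BHO_RE.match(line), RUN_RE.match(line), NOTIFY_RE.match(line)
        if bho:
            name, path = bho.group("name"), bho.group("path")
            base = system32_basename(path)
            if base:
                referenced[base].add("O2")
            if name == "(no name)" and base:
                findings.append(("O2", "nameless BHO loaded from system32", base))
            elif GUID_RE.match(name):
                findings.append(("O2", "BHO whose display name is itself a GUID", base or path))
            elif path.endswith("(file missing)"):
                findings.append(("O2", "BHO registered for a file that no longer exists", path.split()[0]))
        elif run:
            r = RUNDLL_RE.match(run.group("cmd"))
            base = system32_basename(r.group("dll")) if r else None
            if base:
                referenced[base].add("O4")
                if len(r.group("entry")) == 1:
                    findings.append(("O4", "Run value %r starts rundll32 on a system32 DLL via one-letter export %r"
                                     % (run.group("value"), r.group("entry")), base))
        elif o20:
            base = system32_basename(o20.group("path"))
            if base:
                notify.append((o20.group("name"), base))

    # A Winlogon Notify DLL that is also a BHO or a Run target is the cross-reference
    # seen in this thread (awtqonm.dll); judged after the scan so line order does not matter.
    for name, base in notify:
        if base in referenced:
            findings.append(("O20", "Winlogon Notify hook %r also registered as %s"
                             % (name, "/".join(sorted(referenced[base]))), base))
    return findings


def suspect_dlls(findings):
    """Distinct file names named in the findings, sorted so output is stable."""
    return sorted({dll for _, _, dll in findings})


if __name__ == "__main__":
    for section, reason, dll in triage(SAMPLE_LOG):
        print("%-4s %-14s %s" % (section, dll, reason))
    print("files to follow up:", ", ".join(suspect_dlls(triage(SAMPLE_LOG))))
```

Running it on the sample lines reports the same six files the helper told the poster to fix and delete across the thread, plus the orphaned ktask.dll entry. A Winlogon Notify hook on its own is deliberately not flagged here; it only becomes a finding when the same DLL shows up as a BHO or a Run target, which keeps legitimate notify packages out of the list while still catching the pattern in this log.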
Croc (Author) Posted March 19, 2008

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:26:19, on 19/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\System32\DeltTray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACE.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.co.uk/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3DE17103-AC5E-4059-A348-DFF8C0CF30E7} - C:\WINDOWS\system32\ddaya.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: {86228fef-8e12-270b-3f24-b12a36c2861d} - {d1682c63-a21b-42f3-b072-21e8fef82268} - C:\WINDOWS\system32\icmbeltg.dll
O2 - BHO: Google Module - {E1290342-AAFF-4f7c-9F45-D665E4BF1A00} - ktask.dll (file missing)
O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [M-Audio Delta Taskbar Icon] C:\WINDOWS\System32\DeltTray.exe
O4 - HKLM\..\Run: [EPSON Stylus DX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACE.EXE /P26 "EPSON Stylus DX3800 Series" /O6 "USB001" /M "Stylus DX3800"
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [bM73fe8d8a] Rundll32.exe "C:\WINDOWS\system32\tdrajndv.dll",s
O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1149081401281
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 4971 bytes

Cheers!
Dan Posted March 19, 2008

Hi,

Please download the Killbox by Option^Explicit and save it to your desktop.
Note: In the event you already have Killbox, this is a new version that I need you to download.

Please run HijackThis and click "Scan." Place checks next to the following entries:

O2 - BHO: (no name) - {3DE17103-AC5E-4059-A348-DFF8C0CF30E7} - C:\WINDOWS\system32\ddaya.dll
O2 - BHO: {86228fef-8e12-270b-3f24-b12a36c2861d} - {d1682c63-a21b-42f3-b072-21e8fef82268} - C:\WINDOWS\system32\icmbeltg.dll
O2 - BHO: Google Module - {E1290342-AAFF-4f7c-9F45-D665E4BF1A00} - ktask.dll (file missing)
O4 - HKLM\..\Run: [bM73fe8d8a] Rundll32.exe "C:\WINDOWS\system32\tdrajndv.dll",s

Close all windows and browsers except HijackThis, and click the "Fix Checked" button. Close HijackThis.

Now, please double-click Killbox.exe to run it. Select "Delete on Reboot", then click on the "All Files" button.
* Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C:
C:\WINDOWS\system32\ddaya.dll
C:\WINDOWS\system32\icmbeltg.dll
C:\WINDOWS\system32\tdrajndv.dll
* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "OK" at any PendingRenameOperations prompt.

If your computer does not restart automatically, please restart it manually.
After your computer restarts, please post a new HijackThis log.

Danny

Edited March 19, 2008 by Danny
Croc (Author) Posted March 19, 2008

Hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:56:17, on 19/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\DeltTray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACE.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.co.uk/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [M-Audio Delta Taskbar Icon] C:\WINDOWS\System32\DeltTray.exe
O4 - HKLM\..\Run: [EPSON Stylus DX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACE.EXE /P26 "EPSON Stylus DX3800 Series" /O6 "USB001" /M "Stylus DX3800"
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1149081401281
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 4609 bytes

Thanks a lot!
Dan Posted March 20, 2008

Looks like we're making progress.

Please do an online scan with Kaspersky WebScanner (Internet Explorer only).
Click on Kaspersky Online Scanner.
You will be prompted to install an ActiveX component from Kaspersky; click Yes.
The program will launch and then begin downloading the latest definition files.
Once the files have been downloaded, click on NEXT.
Now click on Scan Settings.
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
Scan Options: Scan Archives, Scan Mail Bases
* Click OK
* Now under "select a target to scan": select My Computer
* The program will start and scan your system.
* The scan will take a while, so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
* Save the file to your desktop.
* Copy and paste that information in your next post.

Danny