Malware Sinowal.Trogan Hijacked Bro

Computing.Net > Forums > Security and Virus > Malware Sinowal.Trogan Hijacked Bro

Computing.Net: Over 1,000,000 posts about all things technology related! Over 90% answered within 24 hours! Click here to sign up now, it's free!

Malware Sinowal.Trogan Hijacked Bro

Original Message

Name: totalprocessing.com
Date: December 4, 2008 at 13:53:14 Pacific
Subject: Malware Sinowal.Trogan Hijacked Bro
OS: Windows XP Pro SP3
CPU/Ram: Intel 2 GHZrocessor 1 GHZ
Manufacturer/Model: Dell/INSPIRON 19200

Comment:

Hello,
While at a website www.tvshack.net a malware or virus was installed on my computer. My browser was hijacked not allowing me to go directly to my homepage settings, but rather I get a security alert web page directing me to www.defender-review.com to purchase a product called "Perfect Defender 2009" to fix the problem. I have not purchased Perfect Defender 2009.
Furthermore I get a pop up security alert stating my computer is infected with a trojan called "Sinowal.Trogan" again with a button that directs me to defender-review.com for the fix. This happens at startup and periodically. This pop-up repeatedly comes up on my computer.
I have downloaded and installed "Spy Hunter" ran the program twice and still my computer is not fixed. I have tried using Malwarebytes program twice as well. Still no fix.
I use AVG paid version for virus software. It is not able to detect the problem at all.
What do I do?
Thanks
Todd

Report Offensive Message For Removal

Response Number 1

Name: totalprocessing.com
Date: December 4, 2008 at 13:57:18 Pacific

Reply:

Here is my malwarebytes log:
Malwarebytes' Anti-Malware 1.31
Database version: 1460
Windows 5.1.2600 Service Pack 3
12/4/2008 2:26:27 PM
mbam-log-2008-12-04 (14-26-27).txt
Scan type: Full Scan (C:\|)
Objects scanned: 211342
Time elapsed: 2 hour(s), 27 minute(s), 0 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 12
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Program Files\MyWaySA (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWaySA\SrchAsDe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWaySA\SrchAsDe\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Files Infected:
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP961\A0160883.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\TDSSnxecplrg.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\TDSSoexjlkdv.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\TDSSpmyqakmx.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\TDSSskysnbod.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DRIVERS\TDSSakcfrfvd.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\atmgr.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Todd Sumrall\Cookies\MM2048.DAT (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Todd Sumrall\Cookies\MM256.DAT (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\TDSSecdxialx.log (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\TDSSqwbwewxr.dll (Rootkit.Agent) -> Quarantined and deleted successfully.

Report Offensive Follow Up For Removal

Response Number 2

Name: jabuck
Date: December 4, 2008 at 14:00:59 Pacific

Reply:

I know you have done part of this but please run these scans as directed paying close attention to item 6 in the Malwarebytes scan and post their logs.
Please download Malwarebytes' Anti-Malware from one of these sites:
MalwareBytes1
MalwareBytes2
1. Double Click mbam-setup.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish,so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy&Paste the entire report in your next reply.

Please download and install the latest version of HijackThis v2.0.2:

Download the "HijackThis" Installer from this link:
Hijack This

1. Save " HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5.Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Report Offensive Follow Up For Removal

Response Number 3

Name: jabuck
Date: December 4, 2008 at 14:12:00 Pacific

Reply:

Once you get SDFix downloaded go offline and turn of your antivirus and any antispyware that you have, run SDFix from safe mode and restart the Antivirus before you get back on line to post the log.
Download SDFix.exe and save it to your Desktop.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with SDFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re-enable the protection again afterwards before connecting to the Internet.
1.Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
2. Open the c:\SDFix folder and double click RunThis.cmd to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
3. Your system will take longer that normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
4. Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt

Report Offensive Follow Up For Removal

Response Number 4

Name: totalprocessing.com
Date: December 4, 2008 at 14:46:41 Pacific

Reply:

Thank you for the reply. I have just downloaded SDfix and will do as you say.
I have run malewarebytes again as you requested. I did everything correct the first time except i ran a full scan the first time. I have run hijackthis as well. I will paste both reports here and then log off to run sdfix. Again thank you very much for your help.
Malewarebytes Log:***************
Malwarebytes' Anti-Malware 1.31
Database version: 1460
Windows 5.1.2600 Service Pack 3
12/4/2008 4:30:45 PM
mbam-log-2008-12-04 (16-30-45).txt
Scan type: Quick Scan
Objects scanned: 65901
Time elapsed: 12 minute(s), 27 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)

HijackThis Log:********************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:17:43 PM, on 12/4/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraMD.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Todd Sumrall\Application Data\Google\xtgoj6119471.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat.exe
C:\DOCUME~1\TODDSU~1\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\DOCUME~1\TODDSU~1\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Documents and Settings\Todd Sumrall\My Documents\My Software\Unzipped\magic-2.94b10\Magic.exe
C:\Documents and Settings\Todd Sumrall\Desktop\AFF\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.foxnews.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O2 - BHO: Merriam-Webster Online BHO - {5ADA9CAC-04F9-4DD2-ABFD-74D673BE8624} - C:\WINDOWS\_MWOLTB.DLL
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Merriam-Webster Online - {B7B76DD6-B6F0-4443-AF81-6A3ECF12A57D} - C:\WINDOWS\_MWOLTB.DLL
O3 - Toolbar: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [HydraVisionViewport] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraMD.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [hcsystray] C:\Program Files\Kuma Games\hcsystray\hc_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [UBTBuddy] C:\Program Files\UBTBuddy\UBTBuddy.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: MWOL &Dictionary - res://C:\WINDOWS\_MWOLTB.DLL/23/219
O8 - Extra context menu item: MWOL &Thesaurus - res://C:\WINDOWS\_MWOLTB.DLL/23/220
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Dell\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Launch High Impact eMail 3.0 - {670F87A1-88B0-11d4-9030-000021D9C559} - C:\Program Files\KMT Software\High Impact eMail 3.0\HIE3.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {C4A67F75-88B2-11d4-9030-000021D9C559} - C:\Program Files\KMT Software\High Impact eMail 3.0\HIE3.exe
O9 - Extra 'Tools' menuitem: Launch High Impact eMail 3.0 - {C4A67F75-88B2-11d4-9030-000021D9C559} - C:\Program Files\KMT Software\High Impact eMail 3.0\HIE3.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/h...
O16 - DPF: {3CF32649-D1C0-4F42-AB44-ED284748920B} (Merriam-Webster Online Toolbar) - http://www.webster.com/toolbar/webi...
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrows...
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/pr...
O16 - DPF: {C06C3EE1-9932-4BA2-8299-B23B1B480E89} (QBMASSyncCom2_2003.UserControl1) - https://merchantaccount.quickbooks.com/sync/QBMASSyncCom2_2003.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://intuit.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
O16 - DPF: {E88D5B72-D64A-4CDB-A487-B6ADB2DC51AF} (InstallerAX Class) - http://chevy.a.content.maven.net/mv...
O16 - DPF: {F21AC8A4-4322-11D6-8EBE-0001023D1A2A} (IntuitRecurPayCom.UserControl1) - https://merchantaccount.quickbooks.com/recurchrg/IntuitRecurPayCom.cab
O16 - DPF: {F8A9F96F-8375-4596-BD89-EEAE2781D810} (QBMASSyncCom1.UserControl1) - https://merchantaccount.quickbooks.com/sync/QBMASSyncCom1.cab
O18 - Protocol: ActLink - {2A0C35F4-82A3-4C80-919D-7879FEE79DF6} - C:\Program Files\ACT\actlink.dll
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks\HelpAsyncPluggableProtocol.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O24 - Desktop Component 0: (no name) - http://www.dalejr.com/1024x768_dale...
O24 - Desktop Component 1: (no name) - http://www.dalejr.com/1024x768_budc...
--
End of file - 13801 bytes

Report Offensive Follow Up For Removal

Response Number 5

Name: jabuck
Date: December 4, 2008 at 15:21:10 Pacific

Reply:

Your java is out of date and may have been exploited.
Download the latest version of java from this link Java
Click on the JRE 6 Update 11 download button.
Check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.
Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed
Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.
As you have SDFix downloaded go offline and turn of your antivirus and any antispyware that you have, run SDFix from safe mode and restart the Antivirus before you get back on line to post the log.

Report Offensive Follow Up For Removal


Malware possible browser hijack attempt malware hijack google links pc hijacked by malware	hijack folder malware exe rename malware browser hijack mem .dll trojan malware hijack check

Response Number 6

Name: totalprocessing.com
Date: December 4, 2008 at 15:41:25 Pacific

Reply:

I have run SDfix. My homepage is no longer hijacked BUT I still get the security pop up stating I have Siowal.Trogan with the button that takes you to www.defender-review where they want you to purchase the Perfect Defender 2009 software.
I sure hope I don't have to reformat. System restore is out of the question. I tried that eariler and this malware prevents you from booting up after a restore. I had to undoe the restore to boot up.
Thanks again for your help. I will install the Java as you said.
SDfix Log:

[b]SDFix: Version 1.240 [/b]
Run by Todd Sumrall on Thu 12/04/2008 at 05:08 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
[b]Checking Services [/b]:
[b]Name [/b]:
TDSSserv.sys
[b]Path [/b]:
\\?\globalroot\systemroot\system32\drivers\TDSSakcfrfvd.sys
TDSSserv.sys - Deleted
Restoring Default Security Values
Restoring Default Hosts File
Rebooting

[b]Checking Files [/b]:
Trojan Files Found:
C:\WINDOWS\system32\drivers\system32.sys - Deleted
C:\WINDOWS\SYSTEM32\TDSSBQ~1.dat - Deleted
Removing Temp Files
[b]ADS Check [/b]:

[b]Final Check [/b]:
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-04 17:22:16
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

[b]Remaining Services [/b]:

Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\st
andardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-220
19"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program
Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program
Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program
Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program
Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program
Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program
Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program
Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"="C:\\Program
Files\\AVG\\AVG8\\avgnsx.exe:*:Enabled:avgnsx.exe"
"C:\\Program Files\\Intuit\\QuickBooks\\QBDBMgrN.exe"="C:\\Program
Files\\Intuit\\QuickBooks\\QBDBMgrN.exe:*:Enabled:QuickBooks 2008 Data Manager"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network
Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\do
mainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-220
19"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network
Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
[b]Remaining Files [/b]:

File Backups: - C:\SDFix\backups\backups.zip
[b]Files with Hidden Attributes [/b]:
Tue 24 Aug 2004 155,648 A..H. --- "C:\DELL\PRIMOSDK.DLL"
Tue 24 Aug 2004 360,448 A..H. --- "C:\DELL\PX.DLL"
Wed 28 Jul 2004 56,832 A..H. --- "C:\DELL\PXCPYA64.EXE"
Wed 28 Jul 2004 108,544 A..H. --- "C:\DELL\PXCPYI64.EXE"
Wed 18 Aug 2004 389,120 A..H. --- "C:\DELL\PXDRV.DLL"
Mon 2 Aug 2004 20,576 A..H. --- "C:\DELL\PXHELP20.SYS"
Mon 2 Aug 2004 54,976 A..H. --- "C:\DELL\PXHELP64.SYS"
Mon 2 Aug 2004 32,272 A..H. --- "C:\DELL\PXHELPER.SYS"
Mon 2 Aug 2004 26,720 A..H. --- "C:\DELL\PXHLPA64.SYS"
Mon 2 Aug 2004 57,344 A..H. --- "C:\DELL\PXHPINST.EXE"
Mon 2 Aug 2004 53,760 A..H. --- "C:\DELL\PXINSA64.EXE"
Mon 2 Aug 2004 104,960 A..H. --- "C:\DELL\PXINSI64.EXE"
Tue 24 Aug 2004 159,744 A..H. --- "C:\DELL\PXMAS.DLL"
Wed 28 Jul 2004 57,344 A..H. --- "C:\DELL\PXSETUP.EXE"
Tue 24 Aug 2004 339,968 A..H. --- "C:\DELL\PXWAVE.DLL"
Thu 20 May 2004 28,672 A..H. --- "C:\DELL\VXBLOCK.DLL"
Tue 24 Aug 2004 155,648 A..H. --- "C:\DELL\MEDIAEXE\PRIMOSDK.DLL"
Tue 24 Aug 2004 360,448 A..H. --- "C:\DELL\MEDIAEXE\PX.DLL"
Wed 28 Jul 2004 56,832 A..H. --- "C:\DELL\MEDIAEXE\PXCPYA64.EXE"
Wed 28 Jul 2004 108,544 A..H. --- "C:\DELL\MEDIAEXE\PXCPYI64.EXE"
Wed 18 Aug 2004 389,120 A..H. --- "C:\DELL\MEDIAEXE\PXDRV.DLL"
Mon 2 Aug 2004 20,576 A..H. --- "C:\DELL\MEDIAEXE\PXHELP20.SYS"
Mon 2 Aug 2004 54,976 A..H. --- "C:\DELL\MEDIAEXE\PXHELP64.SYS"
Mon 2 Aug 2004 32,272 A..H. --- "C:\DELL\MEDIAEXE\PXHELPER.SYS"
Mon 2 Aug 2004 26,720 A..H. --- "C:\DELL\MEDIAEXE\PXHLPA64.SYS"
Mon 2 Aug 2004 57,344 A..H. --- "C:\DELL\MEDIAEXE\PXHPINST.EXE"
Mon 2 Aug 2004 53,760 A..H. --- "C:\DELL\MEDIAEXE\PXINSA64.EXE"
Mon 2 Aug 2004 104,960 A..H. --- "C:\DELL\MEDIAEXE\PXINSI64.EXE"
Tue 24 Aug 2004 159,744 A..H. --- "C:\DELL\MEDIAEXE\PXMAS.DLL"
Wed 28 Jul 2004 57,344 A..H. --- "C:\DELL\MEDIAEXE\PXSETUP.EXE"
Tue 24 Aug 2004 339,968 A..H. --- "C:\DELL\MEDIAEXE\PXWAVE.DLL"
Thu 20 May 2004 28,672 A..H. --- "C:\DELL\MEDIAEXE\VXBLOCK.DLL"
Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - Search &
Destroy\advcheck.dll"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search &
Destroy\SDHelper.dll"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Tools.dll"
Thu 8 Sep 2005 176,422 ..SH. --- "C:\WINDOWS\SYSTEM32\wyycf.bak1"
Sat 10 Sep 2005 178,176 ..SH. --- "C:\WINDOWS\SYSTEM32\wyycf.bak2"
Sun 22 May 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 5 Mar 2007 0 A.SH. --- "C:\Documents and Settings\All
Users\DRM\Cache\Indiv02.tmp"
Mon 4 Aug 2008 2,576,952 A..H. --- "C:\Documents and Settings\All Users\Application
Data\Google Updater\cache\BIT9E.tmp"
Mon 4 Aug 2008 2,576,952 A..H. --- "C:\Documents and Settings\All Users\Application
Data\Google Updater\cache\BIT9F.tmp"
Mon 4 Aug 2008 2,576,952 A..H. --- "C:\Documents and Settings\All Users\Application
Data\Google Updater\cache\BITA0.tmp"
Wed 26 Oct 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application
Data\GTek\GTUpdate\AUpdate\Channels\ch5\lock.tmp"
Sun 15 Apr 2007 8 A..H. --- "C:\Documents and Settings\Todd Sumrall\Application
Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Sun 15 Apr 2007 8 A..H. --- "C:\Documents and Settings\Todd Sumrall\Application
Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Sun 15 Apr 2007 8 A..H. --- "C:\Documents and Settings\Todd Sumrall\Application
Data\GTek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Sun 15 Apr 2007 8 A..H. --- "C:\Documents and Settings\Todd Sumrall\Application
Data\GTek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
[b]Finished![/b]

Report Offensive Follow Up For Removal

Response Number 7

Name: jabuck
Date: December 4, 2008 at 16:09:09 Pacific

Reply:

Looks better.
Please download ComboFix to the desktop from one of the following links:
Link1
Link 2
Link 3
Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
In your case to run Combofix do the following:
1. Go offline turn off your AVG antivirus, and any antispyware that you may have.
2. Run Combofix and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.

Remember to re-enable the protection again afterwards before connecting to the Internet.

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running or move the mouse, it will cause your system to hang.)
Please post the log it produces.

Report Offensive Follow Up For Removal

Response Number 8

Name: totalprocessing.com
Date: December 4, 2008 at 16:54:23 Pacific

Reply:

I have run combofix. My homepage is hijacked again. The security box that keeps popping up popped up while combofix was running.
Here is the combofix log:
ComboFix 08-12-04.04 - Todd Sumrall 2008-12-04 18:47:37.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.559 [GMT -6:00]
Running from: c:\documents and settings\Todd Sumrall\Desktop\AFF\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\system32\bszip.dll
c:\windows\SYSTEM32\wyycf.bak1
c:\windows\SYSTEM32\wyycf.bak2
c:\windows\system32\wyycf.ini
.
((((((((((((((((((((((((( Files Created from 2008-11-05 to 2008-12-05 )))))))))))))))))))))))))))))))
.
2008-12-04 17:59 . 2008-12-04 17:58 410,984 --a------ c:\windows\SYSTEM32\deploytk.dll
2008-12-04 17:59 . 2008-12-04 17:58 73,728 --a------ c:\windows\SYSTEM32\javacpl.cpl
2008-12-04 17:07 . 2008-12-04 17:07 578,560 --a------ c:\windows\SYSTEM32\DLLCACHE\user32.dll
2008-12-04 17:02 . 2008-12-04 17:02 <DIR> d-------- c:\windows\ERUNT
2008-12-04 16:38 . 2008-12-04 18:36 <DIR> d-------- C:\SDFix
2008-12-04 11:58 . 2008-12-04 11:58 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-04 11:58 . 2008-12-04 11:58 <DIR> d-------- c:\documents and settings\Todd Sumrall\Application Data\Malwarebytes
2008-12-04 11:58 . 2008-12-04 11:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-04 11:58 . 2008-12-03 19:52 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-12-04 11:58 . 2008-12-03 19:52 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2008-12-04 10:36 . 2008-12-04 10:36 <DIR> d-------- c:\program files\Enigma Software Group
2008-11-22 18:43 . 2008-11-22 18:43 0 --a------ c:\windows\UBTBuddy.INI
2008-11-22 18:42 . 2008-11-22 18:42 <DIR> d-------- c:\program files\UBTBuddy
2008-11-12 10:54 . 2008-10-24 05:21 455,296 --------- c:\windows\SYSTEM32\DLLCACHE\mrxsmb.sys
2008-11-12 10:53 . 2008-09-04 11:15 1,106,944 --------- c:\windows\SYSTEM32\DLLCACHE\msxml3.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-04 23:58 --------- d-----w c:\program files\Java
2008-12-04 16:30 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-04 16:30 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-04 05:29 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-12-04 04:49 --------- d-----w c:\documents and settings\Todd Sumrall\Application Data\Canon
2008-12-04 04:49 --------- d-----w c:\documents and settings\Todd Sumrall\Application Data\AVGTOOLBAR
2008-12-04 04:49 --------- d-----w c:\documents and settings\Todd Sumrall\Application Data\ArcSoft
2008-12-04 04:49 --------- d-----w c:\documents and settings\Todd Sumrall\Application Data\Apple Computer
2008-12-04 04:49 --------- d-----w c:\documents and settings\Todd Sumrall\Application Data\AdobeUM
2008-12-01 16:55 --------- d-----w c:\documents and settings\All Users\Application Data\Intuit
2008-11-30 22:17 --------- d-----w c:\documents and settings\Todd Sumrall\Application Data\Move Networks
2008-11-28 18:03 --------- d-----w c:\program files\e-Sword
2008-11-23 00:42 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-06 20:14 --------- d-----w c:\program files\ClubUBT
2008-11-06 14:26 90,632 ----a-w c:\windows\system32\drivers\avgtdix.sys
2008-10-31 20:06 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-10-29 19:09 98,440 ----a-w c:\windows\system32\drivers\avgldx86.sys
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 20:13 202,776 ----a-w c:\windows\SYSTEM32\wuweb.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\SYSTEM32\wuaueng.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\SYSTEM32\wuapi.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\SYSTEM32\wucltui.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\SYSTEM32\DLLCACHE\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\SYSTEM32\DLLCACHE\cdm.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\SYSTEM32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\SYSTEM32\wuauclt.exe
2008-10-16 20:09 51,224 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\SYSTEM32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\SYSTEM32\wups.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\SYSTEM32\DLLCACHE\wups.dll
2008-10-15 16:34 337,408 ------w c:\windows\SYSTEM32\DLLCACHE\netapi32.dll
2008-09-30 22:43 1,286,152 ----a-w c:\windows\SYSTEM32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\SYSTEM32\win32k.sys
2008-09-15 12:12 1,846,400 ------w c:\windows\SYSTEM32\DLLCACHE\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\SYSTEM32\msxml6.dll
2008-09-10 01:14 1,307,648 ------w c:\windows\SYSTEM32\DLLCACHE\msxml6.dll
2008-09-08 10:41 333,824 ------w c:\windows\SYSTEM32\DLLCACHE\srv.sys
2008-09-06 04:30 241,704 ------w c:\windows\SYSTEM32\DLLCACHE\wgaLogon.dll
2008-09-06 04:29 917,032 ------w c:\windows\SYSTEM32\DLLCACHE\WgaTray.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-26 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"UBTBuddy"="c:\program files\UBTBuddy\UBTBuddy.exe" [2007-09-19 1017112]
"vxdhm"="c:\documents and settings\Todd Sumrall\Application Data\Google\xtgoj6119471.exe" [2008-12-03 124416]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-10-06 344064]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2004-09-27 610304]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"HydraVisionDesktopManager"="c:\program files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe" [2003-09-15 270336]
"HydraVisionViewport"="c:\program files\ATI Technologies\ATI HYDRAVISION\HydraMD.exe" [2003-09-15 364544]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-11-16 127035]
"hcsystray"="c:\program files\Kuma Games\hcsystray\hc_tray.exe" [2006-11-01 30928]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-05-23 282624]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-01-25 185896]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-04 136600]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-BA7E-000000000002}\SC_Acrobat.exe [2005-04-14 25214]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-09-18 113664]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-10-22 972064]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSVideo"= CSvidcap.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=c:\windows\pss\BTTray.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoProp]
--a------ 2001-07-16 07:50 36864 c:\progra~1\MICROS~4\Office\bots\fp_wmp\regprop.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-04-11 11:43 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2005-01-12 14:54 241664 c:\program files\HP\hpcoretech\hpcmpmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-16 23:11 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 08:36 256576 c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2004-09-14 08:50 53248 c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2004-09-14 08:50 131072 c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
--a------ 2003-05-08 12:00 49152 c:\program files\ScanSoft\OmniPageSE2.0\opwareSE2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-05-23 18:13 282624 c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-07-26 21:42 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
--a------ 2005-08-31 13:14 1277952 c:\program files\Support.com\BellSouth\hcenter.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-01-25 13:32 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2004-01-07 01:01 110592 c:\program files\Common Files\Sonic\Update Manager\sgtray.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Intuit\\QuickBooks\\QBDBMgrN.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\Drivers\avgrkx86.sys [2008-04-25 12936]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-04-25 98440]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-04-25 90632]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-04-25 231704]
S3 AX88772;ASIX AX88772 USB2.0 to Fast Ethernet Adapter;c:\windows\system32\DRIVERS\ax88772.sys [2005-03-04 17920]
S3 memcard;PCMCIA Memory Card Driver;c:\windows\system32\DRIVERS\memcard.sys [2007-09-26 8320]
.
Contents of the 'Scheduled Tasks' folder
2008-12-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 16:13]
2008-11-21 c:\windows\Tasks\Total Merchant Services Inc 1110980977.job
- c:\program files\Intuit\QuickBooks\AutoBackupEXE.exe [2008-10-22 17:44]
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
MSConfigStartUp-DW4 - c:\program files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
MSConfigStartUp-Yahoo! Pager - c:\program files\Yahoo!\Messenger\ypager.exe

.
------- Supplementary Scan -------
.
uStart Page = www.foxnews.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell4me.com/mywaybiz
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: MWOL &Dictionary - c:\windows\_MWOLTB.DLL/23/219
IE: MWOL &Thesaurus - c:\windows\_MWOLTB.DLL/23/220
IE: Send To &Bluetooth - c:\program files\Dell\Bluetooth Software\btsendto_ie_ctx.htm
IE: {670F87A1-88B0-11d4-9030-000021D9C559} - c:\program files\KMT Software\High Impact eMail 3.0\HIE3.exe
IE: {C4A67F75-88B2-11d4-9030-000021D9C559} - c:\program files\KMT Software\High Impact eMail 3.0\HIE3.exe
IE: {670F87A1-88B0-11d4-9030-000021D9C559} - c:\program files\KMT Software\High Impact eMail 3.0\HIE3.exe -
IE: {C4A67F75-88B2-11d4-9030-000021D9C559} - c:\program files\KMT Software\High Impact eMail 3.0\HIE3.exe -
c:\windows\Downloaded Program Files\mwolinstaller.dll - O16 -: {3CF32649-D1C0-4F42-AB44-ED284748920B}
hxxp://www.webster.com/toolbar/webinstall.cab
c:\windows\Downloaded Program Files\mwoltb.inf
c:\windows\system32\msstkprp.dll - c:\windows\system32\qbwoa12.tlb
c:\windows\Downloaded Program Files\QBMASSyncCom2_2003.ocx
O16 -: {C06C3EE1-9932-4BA2-8299-B23B1B480E89}
hxxps://merchantaccount.quickbooks.com/sync/QBMASSyncCom2_2003.cab
c:\windows\Downloaded Program Files\QBMASSyncCom2_2003.INF
c:\windows\Downloaded Program Files\installerAX.ini - c:\windows\Downloaded Program Files\installerAX.dll
O16 -: {E88D5B72-D64A-4CDB-A487-B6ADB2DC51AF}
hxxp://chevy.a.content.maven.net/mvms/vfs/chevy/chevylive/live/install/installerAX.cab
c:\windows\Downloaded Program Files\installerAX.inf
c:\windows\system32\qbwoa10.tlb - c:\windows\system32\msstkprp.dll
c:\windows\Downloaded Program Files\IntuitRecurPayCom.ocx
O16 -: {F21AC8A4-4322-11D6-8EBE-0001023D1A2A}
hxxps://merchantaccount.quickbooks.com/recurchrg/IntuitRecurPayCom.cab
c:\windows\Downloaded Program Files\IntuitRecurPayCom.INF
c:\windows\system32\msstkprp.dll - c:\windows\system32\qbwoa10.tlb
c:\windows\Downloaded Program Files\QBMASSyncCom1.ocx
O16 -: {F8A9F96F-8375-4596-BD89-EEAE2781D810}
hxxps://merchantaccount.quickbooks.com/sync/QBMASSyncCom1.cab
c:\windows\Downloaded Program Files\QBMASSyncCom1.INF
FireFox -: Profile - c:\documents and settings\Todd Sumrall\Application Data\Mozilla\Firefox\Profiles\506lyvp7.default\
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-04 18:49:41
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(912)
c:\windows\system32\avgrsstx.dll
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'lsass.exe'(976)
c:\windows\system32\avgrsstx.dll
.
Completion time: 2008-12-04 18:51:36
ComboFix-quarantined-files.txt 2008-12-05 00:50:34
Pre-Run: 25,231,081,472 bytes free
Post-Run: 25,353,691,136 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
255 --- E O F --- 2008-11-13 05:31:43

Report Offensive Follow Up For Removal

Response Number 9

Name: jabuck
Date: December 4, 2008 at 17:23:06 Pacific

Reply:

Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, Or File, etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
C:\Documents and Settings\Todd Sumrall\Application Data\Google\xtgoj6119471.exe
C:\Windows\System32\mscoree.dll
Driver::
qbwc

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vxdhm"=-

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop) if combofix does not auto start click "run".
Post a new Combofix log following the previous directions.
Run Hijack This, close all windows and browsers except Hijack This , place a check to the left of the following items and press "fix checked":
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
Exit Hijack This
Please post a new Hijack This log.

Report Offensive Follow Up For Removal

Response Number 10

Name: totalprocessing.com
Date: December 4, 2008 at 18:01:55 Pacific

Reply:

It appears to be fixed. My homepage is not hijacked anymore. No pop up security threats either. Rebooted twice just to make sure.
I should also note that I was not able to run msconfig while infected. Evertime I would try, it would shut down my computer. This appears to be fixed as well. Thank you very much.
However a new problem arised on both reboots. I get this error.
dsca.exe failed to properly initalize (0xc0000135) Click OK to terminate.

Combofixlog**********************
ComboFix 08-12-04.04 - Todd Sumrall 2008-12-04 19:32:43.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.609 [GMT -6:00]
Running from: c:\documents and settings\Todd Sumrall\Desktop\AFF\ComboFix.exe
Command switches used :: c:\documents and settings\Todd Sumrall\Desktop\AFF\CFScript.txt
* Created a new restore point
FILE ::
c:\documents and settings\Todd Sumrall\Application Data\Google\xtgoj6119471.exe
c:\windows\System32\mscoree.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Todd Sumrall\Application Data\Google\xtgoj6119471.exe
c:\windows\System32\mscoree.dll
.
((((((((((((((((((((((((( Files Created from 2008-11-05 to 2008-12-05 )))))))))))))))))))))))))))))))
.
2008-12-04 17:59 . 2008-12-04 17:58 410,984 --a------ c:\windows\SYSTEM32\deploytk.dll
2008-12-04 17:59 . 2008-12-04 17:58 73,728 --a------ c:\windows\SYSTEM32\javacpl.cpl
2008-12-04 17:07 . 2008-12-04 17:07 578,560 --a------ c:\windows\SYSTEM32\DLLCACHE\user32.dll
2008-12-04 17:02 . 2008-12-04 17:02 <DIR> d-------- c:\windows\ERUNT
2008-12-04 16:38 . 2008-12-04 18:36 <DIR> d-------- C:\SDFix
2008-12-04 11:58 . 2008-12-04 11:58 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-04 11:58 . 2008-12-04 11:58 <DIR> d-------- c:\documents and settings\Todd Sumrall\Application Data\Malwarebytes
2008-12-04 11:58 . 2008-12-04 11:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-04 11:58 . 2008-12-03 19:52 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-12-04 11:58 . 2008-12-03 19:52 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2008-12-04 10:36 . 2008-12-04 10:36 <DIR> d-------- c:\program files\Enigma Software Group
2008-11-22 18:43 . 2008-11-22 18:43 0 --a------ c:\windows\UBTBuddy.INI
2008-11-22 18:42 . 2008-11-22 18:42 <DIR> d-------- c:\program files\UBTBuddy
2008-11-12 10:54 . 2008-10-24 05:21 455,296 --------- c:\windows\SYSTEM32\DLLCACHE\mrxsmb.sys
2008-11-12 10:53 . 2008-09-04 11:15 1,106,944 --------- c:\windows\SYSTEM32\DLLCACHE\msxml3.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-04 23:58 --------- d-----w c:\program files\Java
2008-12-04 16:30 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-04 16:30 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-04 05:29 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-12-04 04:49 --------- d-----w c:\documents and settings\Todd Sumrall\Application Data\Canon
2008-12-04 04:49 --------- d-----w c:\documents and settings\Todd Sumrall\Application Data\AVGTOOLBAR
2008-12-04 04:49 --------- d-----w c:\documents and settings\Todd Sumrall\Application Data\ArcSoft
2008-12-04 04:49 --------- d-----w c:\documents and settings\Todd Sumrall\Application Data\Apple Computer
2008-12-04 04:49 --------- d-----w c:\documents and settings\Todd Sumrall\Application Data\AdobeUM
2008-12-01 16:55 --------- d-----w c:\documents and settings\All Users\Application Data\Intuit
2008-11-30 22:17 --------- d-----w c:\documents and settings\Todd Sumrall\Application Data\Move Networks
2008-11-28 18:03 --------- d-----w c:\program files\e-Sword
2008-11-23 00:42 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-06 20:14 --------- d-----w c:\program files\ClubUBT
2008-11-06 14:26 90,632 ----a-w c:\windows\system32\drivers\avgtdix.sys
2008-10-31 20:06 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-10-29 19:09 98,440 ----a-w c:\windows\system32\drivers\avgldx86.sys
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
.
((((((((((((((((((((((((((((( snapshot@2008-12-04_18.50.10.59 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-05 01:39:40 16,384 ----atw c:\windows\temp\Perflib_Perfdata_88.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-26 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"UBTBuddy"="c:\program files\UBTBuddy\UBTBuddy.exe" [2007-09-19 1017112]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-10-06 344064]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2004-09-27 610304]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"HydraVisionDesktopManager"="c:\program files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe" [2003-09-15 270336]
"HydraVisionViewport"="c:\program files\ATI Technologies\ATI HYDRAVISION\HydraMD.exe" [2003-09-15 364544]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-11-16 127035]
"hcsystray"="c:\program files\Kuma Games\hcsystray\hc_tray.exe" [2006-11-01 30928]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-05-23 282624]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-01-25 185896]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-04 136600]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-BA7E-000000000002}\SC_Acrobat.exe [2005-04-14 25214]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-09-18 113664]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-10-22 972064]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSVideo"= CSvidcap.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=c:\windows\pss\BTTray.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoProp]
--a------ 2001-07-16 07:50 36864 c:\progra~1\MICROS~4\Office\bots\fp_wmp\regprop.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-04-11 11:43 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2005-01-12 14:54 241664 c:\program files\HP\hpcoretech\hpcmpmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-16 23:11 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 08:36 256576 c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2004-09-14 08:50 53248 c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2004-09-14 08:50 131072 c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
--a------ 2003-05-08 12:00 49152 c:\program files\ScanSoft\OmniPageSE2.0\opwareSE2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-05-23 18:13 282624 c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-07-26 21:42 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
--a------ 2005-08-31 13:14 1277952 c:\program files\Support.com\BellSouth\hcenter.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-01-25 13:32 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2004-01-07 01:01 110592 c:\program files\Common Files\Sonic\Update Manager\sgtray.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Intuit\\QuickBooks\\QBDBMgrN.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\Drivers\avgrkx86.sys [2008-04-25 12936]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-04-25 98440]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-04-25 90632]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-04-25 231704]
S3 AX88772;ASIX AX88772 USB2.0 to Fast Ethernet Adapter;c:\windows\system32\DRIVERS\ax88772.sys [2005-03-04 17920]
S3 memcard;PCMCIA Memory Card Driver;c:\windows\system32\DRIVERS\memcard.sys [2007-09-26 8320]
.
Contents of the 'Scheduled Tasks' folder
2008-12-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 16:13]
2008-11-21 c:\windows\Tasks\Total Merchant Services Inc 1110980977.job
- c:\program files\Intuit\QuickBooks\AutoBackupEXE.exe [2008-10-22 17:44]
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)

.
------- Supplementary Scan -------
.
uStart Page = www.foxnews.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell4me.com/mywaybiz
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: MWOL &Dictionary - c:\windows\_MWOLTB.DLL/23/219
IE: MWOL &Thesaurus - c:\windows\_MWOLTB.DLL/23/220
IE: Send To &Bluetooth - c:\program files\Dell\Bluetooth Software\btsendto_ie_ctx.htm
IE: {670F87A1-88B0-11d4-9030-000021D9C559} - c:\program files\KMT Software\High Impact eMail 3.0\HIE3.exe
IE: {C4A67F75-88B2-11d4-9030-000021D9C559} - c:\program files\KMT Software\High Impact eMail 3.0\HIE3.exe
IE: {670F87A1-88B0-11d4-9030-000021D9C559} - c:\program files\KMT Software\High Impact eMail 3.0\HIE3.exe -
IE: {C4A67F75-88B2-11d4-9030-000021D9C559} - c:\program files\KMT Software\High Impact eMail 3.0\HIE3.exe -
c:\windows\Downloaded Program Files\mwolinstaller.dll - O16 -: {3CF32649-D1C0-4F42-AB44-ED284748920B}
hxxp://www.webster.com/toolbar/webinstall.cab
c:\windows\Downloaded Program Files\mwoltb.inf
c:\windows\system32\msstkprp.dll - c:\windows\system32\qbwoa12.tlb
c:\windows\Downloaded Program Files\QBMASSyncCom2_2003.ocx
O16 -: {C06C3EE1-9932-4BA2-8299-B23B1B480E89}
hxxps://merchantaccount.quickbooks.com/sync/QBMASSyncCom2_2003.cab
c:\windows\Downloaded Program Files\QBMASSyncCom2_2003.INF
c:\windows\Downloaded Program Files\installerAX.ini - c:\windows\Downloaded Program Files\installerAX.dll
O16 -: {E88D5B72-D64A-4CDB-A487-B6ADB2DC51AF}
hxxp://chevy.a.content.maven.net/mvms/vfs/chevy/chevylive/live/install/installerAX.cab
c:\windows\Downloaded Program Files\installerAX.inf
c:\windows\system32\qbwoa10.tlb - c:\windows\system32\msstkprp.dll
c:\windows\Downloaded Program Files\IntuitRecurPayCom.ocx
O16 -: {F21AC8A4-4322-11D6-8EBE-0001023D1A2A}
hxxps://merchantaccount.quickbooks.com/recurchrg/IntuitRecurPayCom.cab
c:\windows\Downloaded Program Files\IntuitRecurPayCom.INF
c:\windows\system32\msstkprp.dll - c:\windows\system32\qbwoa10.tlb
c:\windows\Downloaded Program Files\QBMASSyncCom1.ocx
O16 -: {F8A9F96F-8375-4596-BD89-EEAE2781D810}
hxxps://merchantaccount.quickbooks.com/sync/QBMASSyncCom1.cab
c:\windows\Downloaded Program Files\QBMASSyncCom1.INF
FireFox -: Profile - c:\documents and settings\Todd Sumrall\Application Data\Mozilla\Firefox\Profiles\506lyvp7.default\
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-04 19:39:39
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(912)
c:\windows\system32\Ati2evxx.dll
.
r Running Proce
.
c:\windows\SYSTEM32\ati2evxx.exe
c:\windows\SYSTEM32\ati2evxx.exe
c:\program files\Dell\Bluetooth Software\bin\btwdins.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\SYSTEM32\WLTRYSVC.EXE
c:\windows\SYSTEM32\BCMWLTRY.EXE
c:\progra~1\AVG\AVG8\avgam.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Java\jre6\bin\java.exe
.
**************************************************************************
.
Completion time: 2008-12-04 19:44:56 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-05 01:44:27
ComboFix2.txt 2008-12-05 00:51:37
Pre-Run: 25,320,083,456 bytes free
Post-Run: 25,327,521,792 bytes free
245 --- E O F --- 2008-11-13 05:31:43

Hijackthis Log*********************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:51:53 PM, on 12/4/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraMD.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Documents and Settings\Todd Sumrall\Desktop\AFF\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O2 - BHO: Merriam-Webster Online BHO - {5ADA9CAC-04F9-4DD2-ABFD-74D673BE8624} - C:\WINDOWS\_MWOLTB.DLL
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Merriam-Webster Online - {B7B76DD6-B6F0-4443-AF81-6A3ECF12A57D} - C:\WINDOWS\_MWOLTB.DLL
O3 - Toolbar: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [HydraVisionViewport] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraMD.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [hcsystray] C:\Program Files\Kuma Games\hcsystray\hc_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [UBTBuddy] C:\Program Files\UBTBuddy\UBTBuddy.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: MWOL &Dictionary - res://C:\WINDOWS\_MWOLTB.DLL/23/219
O8 - Extra context menu item: MWOL &Thesaurus - res://C:\WINDOWS\_MWOLTB.DLL/23/220
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Dell\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Launch High Impact eMail 3.0 - {670F87A1-88B0-11d4-9030-000021D9C559} - C:\Program Files\KMT Software\High Impact eMail 3.0\HIE3.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {C4A67F75-88B2-11d4-9030-000021D9C559} - C:\Program Files\KMT Software\High Impact eMail 3.0\HIE3.exe
O9 - Extra 'Tools' menuitem: Launch High Impact eMail 3.0 - {C4A67F75-88B2-11d4-9030-000021D9C559} - C:\Program Files\KMT Software\High Impact eMail 3.0\HIE3.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/h...
O16 - DPF: {3CF32649-D1C0-4F42-AB44-ED284748920B} (Merriam-Webster Online Toolbar) - http://www.webster.com/toolbar/webi...
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrows...
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/pr...
O16 - DPF: {C06C3EE1-9932-4BA2-8299-B23B1B480E89} (QBMASSyncCom2_2003.UserControl1) - https://merchantaccount.quickbooks.com/sync/QBMASSyncCom2_2003.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://intuit.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
O16 - DPF: {E88D5B72-D64A-4CDB-A487-B6ADB2DC51AF} (InstallerAX Class) - http://chevy.a.content.maven.net/mv...
O16 - DPF: {F21AC8A4-4322-11D6-8EBE-0001023D1A2A} (IntuitRecurPayCom.UserControl1) - https://merchantaccount.quickbooks.com/recurchrg/IntuitRecurPayCom.cab
O16 - DPF: {F8A9F96F-8375-4596-BD89-EEAE2781D810} (QBMASSyncCom1.UserControl1) - https://merchantaccount.quickbooks.com/sync/QBMASSyncCom1.cab
O18 - Protocol: ActLink - {2A0C35F4-82A3-4C80-919D-7879FEE79DF6} - C:\Program Files\ACT\actlink.dll
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks\HelpAsyncPluggableProtocol.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O24 - Desktop Component 0: (no name) - http://www.dalejr.com/1024x768_dale...
O24 - Desktop Component 1: (no name) - http://www.dalejr.com/1024x768_budc...
--
End of file - 13217 bytes

Report Offensive Follow Up For Removal

Response Number 11

Name: totalprocessing.com
Date: December 4, 2008 at 18:20:02 Pacific

Reply:

I stumbled upon some information that pertains to exactly what happened to my computer just a few minutes ago while researching that Google\xtgoj6119471.exe
I thought you may want this for future refrence. Again I thank you for all the help. I sure thought I was going to have to reformat. This was a nasty bugger!!!
This is from:
http://www.myantispyware.com/2008/1...
How to remove Spyware.ISpynow (Fake Security Center Alert)
If you are seeing a Security Center Alert that is stating that Windows Firewall has blocked activity of harmful software, then you have become infected with a trojan that uses this Security Center Alert to trick you into purchasing Perfect Defender 2009 or another rogue antispyware program. Once running, this trojan will display a fake security center alerts that tells you:
Security Center Alert
To help protect your computer, Windows Firewall has blocked activity of harmful software.
Do you want to block this suspicious software?
Name: Spyware.ISpynow
Risk Level: High
Description: iSpynow is a Spyware program that records keystrokes and takes screen shots of the computer, stealing personal financial information.
If you are clicking on the enable protection button, then opens up a site asking you to download rogue antispyware program (Perfect Defender 2009).

Symptoms in a HijackThis Log.
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKCU\..\Run: [winhpdrv] “C:\Documents and Settings\User\Application Data\Google\[RANDOM_NAME].exe”
O4 - HKCU\..\Run: [HPseti] “C:\Documents and Settings\User\Application Data\Google\[RANDOM_NAME].exe”
Note: where [RANDOM_NAME] is a runhh6110411.exe, ijdkq13324484.exe, xtgoj6119471.exe …
Use the following instructions to remove Spyware.ISpynow (fake Security Center Alert).
Right click the My computer icon.
Click Hardware Tab.
Click Device Manager.
In the top menu, click View and click Show Hidden Drivers.
Scroll down to non Plug and Play drivers.
Click + at left.
In the list of drivers right click TDSSserv.sys.
Click Disable.
Click YES for confirm.
Close all windows and reboot your computer.
Please download OTmoveIt3 by OldTimer from here. http://download.bleepingcomputer.co...
Run OTmoveIt3, copy,then paste the following text in “Paste Instructions for Items to be Moved” window (under the yellow bar):
:reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“SVCHOST.EXE”=-
“winhpdrv”=-
“HPseti”=-
“HPsetm”=-
:files
C:\WINDOWS\system32\drivers\svchost.exe
%UserProfile%\Application Data\Google\ijdkq13324484.exe
%UserProfile%\AppData\Roaming\Google\dvvm.exe
%UserProfile%\Application Data\Google\xtgoj6119471.exe
%UserProfile%\Google\runhh6110411.exe
When the tool is finished, it will produce a report for you.
Download MalwareBytes Anti-malware (MBAM). Close all programs and Windows on your computer.
Double Click mbam-setup.exe to install the application. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select “Perform Quick Scan”, then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

Report Offensive Follow Up For Removal

Response Number 12

Name: jabuck
Date: December 4, 2008 at 18:36:43 Pacific

Reply:

That is a Dell Support Center error. We have not removed any of its files. These are the loaders from the registry as seen on the Hijack This log.:
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"

O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
They are useless and can normally be turned off from msconfig. Just go to start> run> type in msconfig> click ok> startup tab> uncheck these two items by clicking the check mark to the left of them:
dscactivate
SupportSoft sprtcmd
Then click apply>ok. Restart the computer, you will be ask to accept the changes to msconfig, choose yes.
Run Hijack This and remove the two 04 entries from the Hijack This log if it tries to restart again.

Report Offensive Follow Up For Removal

Response Number 13

Name: jabuck
Date: December 4, 2008 at 18:41:57 Pacific

Reply:

Yes, good info, for a short while we thought they were exploiting the google toolbars to get into system ...I'm not 100% sure that is not happening.

Report Offensive Follow Up For Removal

Response Number 14

Name: totalprocessing.com
Date: December 4, 2008 at 18:59:10 Pacific

Reply:

I just want to thank you for all your help.
Todd

Report Offensive Follow Up For Removal

Response Number 15

Name: jabuck
Date: December 4, 2008 at 19:09:32 Pacific

Reply:

Glad we could help.

Report Offensive Follow Up For Removal

Response Number 16

Name: mas7967
Date: December 6, 2008 at 12:17:56 Pacific

Reply:

Hello, I have had the same problem you had, with all the pop-ups and hijacked home page and such. I got the homepage to go back to normal no problem, but on a reboot it came right back. I am working through all of these instructions right now in an attempt to fix the problem.
One thing I noticed was this virus came out of no where for me. I was doing nothing really, and I have never had a problem with viruses, the only program I keep on my computer to protect me is HijackThis, which I have been using for almost 5 years now.
When I first got the pop-up I was surfing the net, on a page I had never been on before but nothing out of the ordinary, it was just a webcomic.
You mentioned it could have come in through an old version of Java (I definitely am guilty of having an old version). But I also noticed that the day I got this virus it coincided with FlashGet, a download manager I use, suddenly failing at everything. I try to download a file and it starts and then just closes itself after about ten seconds. I update Flashget on a regular basis and have been using it over a year with no problems. I tried installing the latest update, uninstalling the entire thing and reinstalling a fresh copy, no help, still has the same problem.
Is it possible that the virus somehow used flashget to get in? It is a download manager and I may have been downloading files at the time, I can't remember. It also has a browser plugin called Flashgot, which I also use and have installed?
Any thoughts?
Thanks, JB

Report Offensive Follow Up For Removal

Response Number 17

Name: totalprocessing.com
Date: December 6, 2008 at 14:42:27 Pacific

Reply:

It appears to get into your computer from watching videos. It exploits Adobe Flash Video Players. That is the conclusion I came to from all the stuff I read about it, once my computer was fixed.

Report Offensive Follow Up For Removal

Rustock.c, sorry guys