Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

HiJackThis Analyst required - before I go insane

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

HiJackThis Analyst required - before I go insane

Unread postby stoked » December 8th, 2008, 1:17 am

Hi,

Firstly thanks to whoever gets to work on this one. I seem to have been infected (and I feel like its actually me :pale: ) with virtumonde... Well I have been as all the anti ?ware programs tell me that I have been and yet none of them seem to be able to get rid of it. I get that its loaded itself into memory and its a TSR program and it can't be removed until after a reboot - but how do you get to actually remove it before it loads itself into memory and becomes unremovable again??? I've tried spyware doctor (v5.5), spyhunter which now crashes, XoftSpySe, and SpyBot - I run Avast 4 (free version) and it didn't catch it before it infected my laptop.... It wasn't until some research on how to remove malware that I came across HJT and this forum - so kudo's out to you all for such a great service. Anyway i could ramble on for awhile about how I'd really hate to have to rebuild the laptop, how I hate malware, but we've all heard it all before....

Here's my HJT log - hope you can help????

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:03:07, on 08/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\xampp\apache\bin\apache.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\dlcxcoms.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\xampp\mysql\bin\mysqld-nt.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\xampp\apache\bin\apache.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\Pmxmiced.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\fullystoked user\My Documents\john\downloads\hjt\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com.au/ig/dell?hl=en&client= ... bd=6070629
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.ap.dell.com/content/default ... l=en&s=gen
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com.au/ig/dell?hl=en&client= ... bd=6070629
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: (no name) - {57626852-ca4d-43c8-aef4-50c317301540} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7cff25e2-bcc1-4e5c-850b-9df045014d58} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {f3134399-780e-4820-9690-95bc56b5e958} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PMX Daemon] ICO.EXE
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [CPMe3f67605] Rundll32.exe "c:\windows\system32\sijupuwu.dll",a
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [e0c54599] rundll32.exe "C:\WINDOWS\system32\suzisuha.dll",b
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [selezupeda] Rundll32.exe "C:\WINDOWS\system32\nipavuyo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [selezupeda] Rundll32.exe "C:\WINDOWS\system32\nipavuyo.dll",s (User 'NETWORK SERVICE')
O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\fullystoked user\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL c:\windows\system32\perosaro.dll c:\windows\system32\wiyirive.dll C:\WINDOWS\system32\gomebomu.dll c:\windows\system32\yekoyafa.dll c:\windows\system32\dipoveya.dll C:\WINDOWS\system32\nipavuyo.dll c:\windows\system32\pidokobo.dll c:\windows\system32\sijupuwu.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\sijupuwu.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\sijupuwu.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apache2.2 - Apache Software Foundation - C:\xampp\apache\bin\apache.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcx_device - - C:\WINDOWS\system32\dlcxcoms.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - c:\xampp\FileZillaFTP\FileZillaServer.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySql - Unknown owner - c:/xampp/mysql/bin/mysqld-nt.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 14039 bytes
stoked
Active Member
 
Posts: 7
Joined: December 8th, 2008, 12:44 am
Advertisement
Register to Remove

Re: HiJackThis Analyst required - before I go insane

Unread postby Bob4 » December 11th, 2008, 8:28 pm

_________________________________
Welcome to the Forums.

The fixes we will use are specific to your problems and should only be used for this issue on this machine.

Please only use this topic to reply to. Do not start another thread.
If any other issues arise let me know.
The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear. So lets do this to the end!


  • Save and quit any work your doing before beginning the fix.
  • All hijackthis logs I ask for should be done in normal mode ( not safe mode)
  • These logs should be done last after you have followed my instructions in the previous post.


Please if you decide to seek help at another forum let us know. There is a shortage of helpers and tying 2 of us up is a waste of time.
If you have any questions about any advice given here please STOP and ask!




______________________________________________
Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.
User avatar
Bob4
MRU Master
MRU Master
 
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida

Re: HiJackThis Analyst required - before I go insane

Unread postby stoked » December 11th, 2008, 11:47 pm

HI,

First thanks for your help - its greatly appreciated. here are the log files requested.

ComboFix

ComboFix 08-12-11.04 - fullystoked user 2008-12-12 14:38:20.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1310 [GMT 11:00]
Running from: c:\documents and settings\fullystoked user\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\fullystoked user\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

.
((((((((((((((((((((((((( Files Created from 2008-11-12 to 2008-12-12 )))))))))))))))))))))))))))))))
.

2008-12-12 14:30 . 2008-12-12 14:30 <DIR> d-------- c:\windows\LastGood
2008-12-09 16:47 . 2008-12-09 16:47 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-09 16:47 . 2008-12-09 16:47 <DIR> d-------- c:\documents and settings\fullystoked user\Application Data\Malwarebytes
2008-12-09 16:47 . 2008-12-09 16:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-09 16:47 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-09 16:47 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-09 16:44 . 2008-12-09 16:44 <DIR> d-------- C:\!KillBox
2008-12-07 17:01 . 2008-12-09 21:37 <DIR> d-------- c:\program files\Enigma Software Group
2008-12-05 12:17 . 2008-12-05 12:17 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Talkback
2008-12-05 11:15 . 2008-12-05 11:15 <DIR> d-------- C:\VundoFix Backups
2008-12-04 13:49 . 2008-12-09 19:36 <DIR> d-------- c:\program files\XoftSpySE
2008-12-03 15:05 . 2008-12-03 15:05 <DIR> d-------- c:\program files\Lavasoft
2008-12-03 11:55 . 2008-12-03 11:55 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-12-03 11:55 . 2008-12-03 11:55 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-12-03 11:55 . 2008-12-03 11:55 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-12-03 11:55 . 2008-12-03 11:55 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-12-03 11:50 . 2008-12-03 12:07 <DIR> d-------- c:\program files\Spybot
2008-12-03 11:50 . 2008-12-03 14:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-03 11:27 . 2008-12-09 19:35 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-01 09:39 . 2008-12-01 09:38 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-12 09:31 . 2008-09-05 04:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 09:31 . 2008-10-24 22:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-07 05:41 --------- d-----w c:\program files\Norton Security Scan
2008-12-04 03:04 --------- d-----w c:\program files\AOL 7.0
2008-11-30 22:38 --------- d-----w c:\program files\Java
2008-11-30 05:06 --------- d-----w c:\documents and settings\fullystoked user\Application Data\IMVU
2008-11-22 03:35 --------- d-----w c:\documents and settings\fullystoked user\Application Data\IMVUClient
2008-11-14 08:06 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-12 07:16 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 03:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 03:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 03:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 03:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 03:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 03:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 03:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 03:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 03:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 03:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 03:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 03:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 03:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 03:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 03:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 03:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 03:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-15 12:12 1,846,400 ------w c:\windows\system32\dllcache\win32k.sys
2007-12-12 03:10 61,480 ----a-w c:\documents and settings\fullystoked user\GoToAssistDownloadHelper.exe
.

((((((((((((((((((((((((((((( snapshot@2008-12-12_14.32.33.70 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-12 03:34:36 8,186 ----a-w c:\windows\SoftwareDistribution\EventCache\{E5D67519-2AFA-479B-A927-62F686211287}.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-05 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-01 136600]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-09-22 761947]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-02-20 1191936]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2007-06-29 26112]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-06-29 236544]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"Adobe_ID0EYTHM"="c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 1884160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-27 81000]
"e0c54599"="c:\windows\system32\suzisuha.dll" [BU]
"PMX Daemon"="ICO.EXE" [2007-03-08 c:\windows\system32\ico.exe]
"SigmatelSysTrayApp"="stsystra.exe" [2006-09-22 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AOL 7.0 Tray Icon.lnk - c:\program files\AOL 7.0\aoltray.exe [2007-06-29 32842]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-06-29 24576]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 118784]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2007-12-03 394856]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2007-12-12 13:09 10792 c:\program files\Citrix\GoToAssist\480\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\dlcxcoms.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\xampp\\apache\\bin\\apache.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Macrovision Shared\\FLEXnet Publisher\\FNPLicensingService.exe"=
"c:\\WINDOWS\\system32\\services.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jqs.exe"=
"c:\\WINDOWS\\system32\\searchindexer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-04-04 111184]
R2 Apache2.2;Apache2.2;"c:\xampp\apache\bin\apache.exe" -k runservice [2007-12-21 17920]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-04-04 20560]
R2 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service []
R3 pmxmouse;PMXMOUSE;c:\windows\system32\DRIVERS\pmxmouse.sys [2007-07-05 18432]
R3 pmxusblf;PMXUSBLF;c:\windows\system32\DRIVERS\pmxusblf.sys [2007-07-05 14336]
.
Contents of the 'Scheduled Tasks' folder

2008-12-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]
.
- - - - ORPHANS REMOVED - - - -

BHO-{57626852-ca4d-43c8-aef4-50c317301540} - (no file)
BHO-{7cff25e2-bcc1-4e5c-850b-9df045014d58} - (no file)
BHO-{f3134399-780e-4820-9690-95bc56b5e958} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com.au
uInternet Connection Wizard,ShellNext = hxxp://www.google.com.au/ig/dell?hl=en& ... bd=6070629
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\fullystoked user\Start Menu\Programs\IMVU\Run IMVU.lnk
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\fullystoked user\Start Menu\Programs\IMVU\Run IMVU.lnk -
FF - ProfilePath - c:\documents and settings\fullystoked user\Application Data\Mozilla\Firefox\Profiles\yzl8m65l.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-12 14:40:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\MySql]
"ImagePath"="c:/xampp/mysql/bin/mysqld-nt.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\MySql]
"ImagePath"="c:/xampp/mysql/bin/mysqld-nt.exe"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(552)
c:\windows\system32\Ati2evxx.dll
c:\program files\Citrix\GoToAssist\480\G2AWinLogon.dll
c:\windows\System32\BCMLogon.dll
.
Completion time: 2008-12-12 14:43:06
ComboFix-quarantined-files.txt 2008-12-12 03:41:49

Pre-Run: 87,220,314,112 bytes free
Post-Run: 87,198,588,928 bytes free

204 --- E O F --- 2008-11-12 07:16:58


and the new HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:44:04, on 12/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\xampp\apache\bin\apache.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\dlcxcoms.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\xampp\mysql\bin\mysqld-nt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\xampp\apache\bin\apache.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\Pmxmiced.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spybot\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\fullystoked user\My Documents\john\downloads\hjt\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com.au/ig/dell?hl=en&client= ... bd=6070629
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: (no name) - {57626852-ca4d-43c8-aef4-50c317301540} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7cff25e2-bcc1-4e5c-850b-9df045014d58} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {f3134399-780e-4820-9690-95bc56b5e958} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PMX Daemon] ICO.EXE
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [e0c54599] rundll32.exe "C:\WINDOWS\system32\suzisuha.dll",b
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot\TeaTimer.exe
O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\fullystoked user\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apache2.2 - Apache Software Foundation - C:\xampp\apache\bin\apache.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcx_device - - C:\WINDOWS\system32\dlcxcoms.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - c:\xampp\FileZillaFTP\FileZillaServer.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySql - Unknown owner - c:/xampp/mysql/bin/mysqld-nt.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 12498 bytes


I did have some intital problem getting comboFix to work - more ikely a newbie problem - didn't read the instructions properly. So I hope this is what you were after.

regards

stoked
stoked
Active Member
 
Posts: 7
Joined: December 8th, 2008, 12:44 am

Re: HiJackThis Analyst required - before I go insane

Unread postby Bob4 » December 12th, 2008, 8:26 am

you wrote:I did have some intital problem getting comboFix to work - more ikely a newbie problem - didn't read the instructions properly. So I hope this is what you were after.


PLEASE! This is a powerfull tool and used improperly can harm the workings of your system! Take the extra time to read through instructions carefully for your own benifit.

I can see you had to run combfix twice. This tool doesn't miss much. :lol:
I do need to see if there is a log of the first run.

Navigate to C:\Qoobox\ look for a combofix.txt log in there and post the contents of that one.
User avatar
Bob4
MRU Master
MRU Master
 
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida

Re: HiJackThis Analyst required - before I go insane

Unread postby stoked » December 12th, 2008, 9:48 pm

HI,

Sorry about that. I've posted the contents of the following file. I couldn't see a comboFix.txt file.

The file is c:\Qoobox\ComboFix-quarantined-files.txt - contents follow:

2007-06-29 12:57:00 A------- 5,505 C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat.vir
2007-06-29 12:57:00 A------- 6,684 C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat.vir
2008-12-12 12:20:45 A------- 216 C:\Qoobox\Quarantine\catchme.log
2008-12-12 14:21:05 A------- 8,087 C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2008-12-12 14:32:34 A------- 0 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-CFSServ.exe.reg.dat
2008-12-12 14:32:34 A------- 0 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-NDSTray.exe.reg.dat
2008-12-12 14:32:34 A------- 0 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-TFncKy.reg.dat
2008-12-12 14:32:37 A------- 157 C:\Qoobox\Quarantine\Registry_backups\BHO-{57626852-ca4d-43c8-aef4-50c317301540}.reg.dat
2008-12-12 14:32:37 A------- 157 C:\Qoobox\Quarantine\Registry_backups\BHO-{7cff25e2-bcc1-4e5c-850b-9df045014d58}.reg.dat
2008-12-12 14:32:37 A------- 157 C:\Qoobox\Quarantine\Registry_backups\BHO-{f3134399-780e-4820-9690-95bc56b5e958}.reg.dat
2008-12-12 14:32:39 A------- 149 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-e0c54599.reg.dat

Thanks again for your help.

stoked
stoked
Active Member
 
Posts: 7
Joined: December 8th, 2008, 12:44 am

Re: HiJackThis Analyst required - before I go insane

Unread postby Bob4 » December 13th, 2008, 7:42 am

I'm sorry I should have been more specific.
Please look for c:/qoobox/ComboFix2.txt
User avatar
Bob4
MRU Master
MRU Master
 
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida

Re: HiJackThis Analyst required - before I go insane

Unread postby stoked » December 13th, 2008, 7:50 am

Hi again,

Sorry but there is no ComboFix2.txt file in the c:\qoobox directory only the following files;

Add-Remove Programs.txt
ComboFix-quarantined-files.txt
snapshot@2008-12-12_14.32.33.70.dat
snapshot@2008-12-12_14.32.33.70_B.dat

and directories;

BackEnv
Quarantine


thanks
stoked
Active Member
 
Posts: 7
Joined: December 8th, 2008, 12:44 am

Re: HiJackThis Analyst required - before I go insane

Unread postby Bob4 » December 13th, 2008, 9:05 am

Thanks for looking. Just wanted to be sure I don't miss anything if I can help it. :mrgreen:


___________________________________
DISABLE TEA TIMER

Please disable SpybotSD TeaTimer, as it may hinder the removal of the infection. You can enable it after you're clean.
To disable SpybotSD TeaTimer:
Open Spybot and click on Mode and check Advanced Mode
Check yes to next window.
Click on Tools in bottom left hand corner.
Click on System Startup icon.
Uncheck Teatimer box.
Click Allow Change box.





______________________________
RUN HJT

HJT
Run hijackthis and choose scan only and place a check by the following lines if present.
Close all other windows and browsers except HJT before clicking on Fix Checked

O2 - BHO: (no name) - {57626852-ca4d-43c8-aef4-50c317301540} - (no file)
O2 - BHO: (no name) - {7cff25e2-bcc1-4e5c-850b-9df045014d58} - (no file)
O2 - BHO: (no name) - {f3134399-780e-4820-9690-95bc56b5e958} - (no file)

O4 - HKLM\..\Run: [e0c54599] rundll32.exe "C:\WINDOWS\system32\suzisuha.dll",b
O4 - Global Startup: Digital Line Detect.lnk = ?

Close that.




________________________________________
Open notepad and copy/paste the text in the quotebox below into it:

Code: Select all
 
File:: 
C:\WINDOWS\system32\suzisuha.dll
Registry:: 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"e0c54599"=-


NOTE: This script was done for this user specifically.
DO NOT ATTEMPT TO USE IT IF YOU ARE NOT THIS USER
YOU WILL HURT THE WORKINGS OF YOUR COMPUTER !!
.

Save this as CFScript.txt, in the same location as ComboFix.exe

Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:ComboFix.txt which I will need in your next reply.





_________________________________
I see you have Malwarebytes installed and I'm sure you ran it but let's update it and try again.

  • Open Malwarebytes program
  • Click on updates.
  • If an update is found, it will download and install the latest version.
  • If it has trouble updating try clicking on update Mirror ( under the check for updates box) and try updating again.
  • Once the program has updated, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please post the contents of that log.

If you accidentally close it you may find it here.
Start -> All Programs -> Malwarebytes' Anti-Malware -> Logs




_________________________
In your next reply I would like to see:
  • A new HJT log
  • The report from Combofix
  • The report from Malwarebytes Anti-Malware
  • How do things seem to be running ?
User avatar
Bob4
MRU Master
MRU Master
 
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida

Re: HiJackThis Analyst required - before I go insane

Unread postby stoked » December 14th, 2008, 5:47 am

Hi,

you are a legend :king: .... Many thanks for your efforts - logs as requested..

HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:40:32, on 14/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\Pmxmiced.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\xampp\apache\bin\apache.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\dlcxcoms.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\xampp\mysql\bin\mysqld-nt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\xampp\apache\bin\apache.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\fullystoked user\My Documents\john\downloads\hjt\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com.au/ig/dell?hl=en&client= ... bd=6070629
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PMX Daemon] ICO.EXE
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\fullystoked user\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{A4EBE12F-B219-48EA-8A28-8B22DC615699}: NameServer = 202.55.145.2 202.55.145.10
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apache2.2 - Apache Software Foundation - C:\xampp\apache\bin\apache.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcx_device - - C:\WINDOWS\system32\dlcxcoms.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - c:\xampp\FileZillaFTP\FileZillaServer.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySql - Unknown owner - c:/xampp/mysql/bin/mysqld-nt.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 12012 bytes


ComboFix

ComboFix 08-12-11.04 - fullystoked user 2008-12-14 19:02:32.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1247 [GMT 11:00]
Running from: c:\documents and settings\fullystoked user\My Documents\john\downloads\ComboFix.exe
Command switches used :: c:\documents and settings\fullystoked user\My Documents\john\downloads\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\suzisuha.dll
.

((((((((((((((((((((((((( Files Created from 2008-11-14 to 2008-12-14 )))))))))))))))))))))))))))))))
.

2008-12-09 16:47 . 2008-12-09 16:47 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-09 16:47 . 2008-12-09 16:47 <DIR> d-------- c:\documents and settings\fullystoked user\Application Data\Malwarebytes
2008-12-09 16:47 . 2008-12-09 16:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-09 16:47 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-09 16:47 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-09 16:44 . 2008-12-09 16:44 <DIR> d-------- C:\!KillBox
2008-12-07 17:01 . 2008-12-09 21:37 <DIR> d-------- c:\program files\Enigma Software Group
2008-12-05 12:17 . 2008-12-05 12:17 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Talkback
2008-12-05 11:15 . 2008-12-05 11:15 <DIR> d-------- C:\VundoFix Backups
2008-12-04 13:49 . 2008-12-09 19:36 <DIR> d-------- c:\program files\XoftSpySE
2008-12-03 15:05 . 2008-12-03 15:05 <DIR> d-------- c:\program files\Lavasoft
2008-12-03 11:55 . 2008-12-03 11:55 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-12-03 11:55 . 2008-12-03 11:55 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-12-03 11:55 . 2008-12-03 11:55 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-12-03 11:55 . 2008-12-03 11:55 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-12-03 11:50 . 2008-12-03 12:07 <DIR> d-------- c:\program files\Spybot
2008-12-03 11:50 . 2008-12-03 14:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-03 11:27 . 2008-12-09 19:35 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-01 09:39 . 2008-12-01 09:38 410,976 --a------ c:\windows\system32\deploytk.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-12 05:59 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-07 05:41 --------- d-----w c:\program files\Norton Security Scan
2008-12-04 03:04 --------- d-----w c:\program files\AOL 7.0
2008-11-30 22:38 --------- d-----w c:\program files\Java
2008-11-30 05:06 --------- d-----w c:\documents and settings\fullystoked user\Application Data\IMVU
2008-11-22 03:35 --------- d-----w c:\documents and settings\fullystoked user\Application Data\IMVUClient
2008-11-14 08:06 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2007-12-12 03:10 61,480 ----a-w c:\documents and settings\fullystoked user\GoToAssistDownloadHelper.exe
.

((((((((((((((((((((((((((((( snapshot@2008-12-12_14.32.33.70 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-12 07:16:55 20,240 ----a-r c:\windows\Installer\{91120000-0013-0000-0000-0000000FF1CE}\cagicon.exe
+ 2008-12-12 05:59:53 20,240 ----a-r c:\windows\Installer\{91120000-0013-0000-0000-0000000FF1CE}\cagicon.exe
- 2008-11-12 07:16:55 217,864 ----a-r c:\windows\Installer\{91120000-0013-0000-0000-0000000FF1CE}\misc.exe
+ 2008-12-12 05:59:54 217,864 ----a-r c:\windows\Installer\{91120000-0013-0000-0000-0000000FF1CE}\misc.exe
- 2008-11-12 07:16:55 18,704 ----a-r c:\windows\Installer\{91120000-0013-0000-0000-0000000FF1CE}\mspicons.exe
+ 2008-12-12 05:59:53 18,704 ----a-r c:\windows\Installer\{91120000-0013-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-11-12 07:16:55 35,088 ----a-r c:\windows\Installer\{91120000-0013-0000-0000-0000000FF1CE}\oisicon.exe
+ 2008-12-12 05:59:54 35,088 ----a-r c:\windows\Installer\{91120000-0013-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-11-12 07:16:55 845,584 ----a-r c:\windows\Installer\{91120000-0013-0000-0000-0000000FF1CE}\outicon.exe
+ 2008-12-12 05:59:53 845,584 ----a-r c:\windows\Installer\{91120000-0013-0000-0000-0000000FF1CE}\outicon.exe
- 2008-11-12 07:16:55 888,080 ----a-r c:\windows\Installer\{91120000-0013-0000-0000-0000000FF1CE}\wordicon.exe
+ 2008-12-12 05:59:54 888,080 ----a-r c:\windows\Installer\{91120000-0013-0000-0000-0000000FF1CE}\wordicon.exe
- 2008-11-12 07:16:55 1,172,240 ----a-r c:\windows\Installer\{91120000-0013-0000-0000-0000000FF1CE}\xlicons.exe
+ 2008-12-12 05:59:53 1,172,240 ----a-r c:\windows\Installer\{91120000-0013-0000-0000-0000000FF1CE}\xlicons.exe
+ 2008-10-23 12:36:14 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
+ 2008-06-17 14:09:22 100,864 ------w c:\windows\system32\dllcache\logagent.exe
- 2008-08-20 05:30:53 3,067,904 ------w c:\windows\system32\dllcache\mshtml.dll
+ 2008-10-16 01:00:11 3,067,904 ------w c:\windows\system32\dllcache\mshtml.dll
- 2008-08-20 05:30:51 1,499,136 ------w c:\windows\system32\dllcache\shdocvw.dll
+ 2008-10-16 01:00:10 1,499,136 ------w c:\windows\system32\dllcache\shdocvw.dll
- 2008-04-14 00:12:07 246,814 ------w c:\windows\system32\dllcache\strmdll.dll
+ 2008-10-03 10:02:42 247,326 ------w c:\windows\system32\dllcache\strmdll.dll
- 2008-08-20 05:30:52 619,520 ------w c:\windows\system32\dllcache\urlmon.dll
+ 2008-10-16 01:00:11 619,520 ------w c:\windows\system32\dllcache\urlmon.dll
- 2008-08-20 05:30:51 666,112 ------w c:\windows\system32\dllcache\wininet.dll
+ 2008-10-16 01:00:11 666,112 ------w c:\windows\system32\dllcache\wininet.dll
+ 2008-06-17 18:03:08 938,496 ------w c:\windows\system32\dllcache\WMNetmgr.dll
- 2006-10-18 11:47:22 2,450,944 ------w c:\windows\system32\dllcache\wmvcore.dll
+ 2008-06-17 18:03:14 2,458,112 ------w c:\windows\system32\dllcache\WMVCore.dll
- 2008-04-14 00:11:54 285,184 ----a-w c:\windows\system32\gdi32.dll
+ 2008-10-23 12:36:14 286,720 ----a-w c:\windows\system32\gdi32.dll
- 2006-10-18 10:03:58 100,864 ----a-w c:\windows\system32\logagent.exe
+ 2008-06-17 14:09:22 100,864 ----a-w c:\windows\system32\logagent.exe
+ 2008-12-09 04:24:38 17,593,280 ----a-w c:\windows\system32\MRT.exe
- 2008-08-20 05:30:53 3,067,904 ----a-w c:\windows\system32\mshtml.dll
+ 2008-10-16 01:00:11 3,067,904 ----a-w c:\windows\system32\mshtml.dll
- 2008-08-20 05:30:51 1,499,136 ----a-w c:\windows\system32\shdocvw.dll
+ 2008-10-16 01:00:10 1,499,136 ----a-w c:\windows\system32\shdocvw.dll
- 2008-07-08 13:02:01 17,272 ------w c:\windows\system32\spmsg.dll
+ 2007-11-30 12:39:22 17,272 ------w c:\windows\system32\spmsg.dll
- 2008-04-14 00:12:07 246,814 ----a-w c:\windows\system32\strmdll.dll
+ 2008-10-03 10:02:42 247,326 ----a-w c:\windows\system32\strmdll.dll
- 2008-04-14 00:12:38 60,416 ------w c:\windows\system32\tzchange.exe
+ 2008-10-23 10:06:59 62,976 ------w c:\windows\system32\tzchange.exe
- 2008-08-20 05:30:52 619,520 ----a-w c:\windows\system32\urlmon.dll
+ 2008-10-16 01:00:11 619,520 ----a-w c:\windows\system32\urlmon.dll
- 2008-08-20 05:30:51 666,112 ----a-w c:\windows\system32\wininet.dll
+ 2008-10-16 01:00:11 666,112 ----a-w c:\windows\system32\wininet.dll
- 2006-10-18 11:47:20 937,984 ----a-w c:\windows\system32\wmnetmgr.dll
+ 2008-06-17 18:03:08 938,496 ----a-w c:\windows\system32\WMNetmgr.dll
- 2006-10-18 11:47:22 2,450,944 ----a-w c:\windows\system32\wmvcore.dll
+ 2008-06-17 18:03:14 2,458,112 ----a-w c:\windows\system32\WMVCore.dll
+ 2008-12-14 08:08:15 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_520.dat
+ 2008-12-14 08:09:17 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_d94.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-05 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-01 136600]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-09-22 761947]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-02-20 1191936]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2007-06-29 26112]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-06-29 236544]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"Adobe_ID0EYTHM"="c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 1884160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-27 81000]
"PMX Daemon"="ICO.EXE" [2007-03-08 c:\windows\system32\ico.exe]
"SigmatelSysTrayApp"="stsystra.exe" [2006-09-22 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AOL 7.0 Tray Icon.lnk - c:\program files\AOL 7.0\aoltray.exe [2007-06-29 32842]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 118784]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2007-12-03 394856]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2007-12-12 13:09 10792 c:\program files\Citrix\GoToAssist\480\g2awinlogon.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"e0c54599"=rundll32.exe "c:\windows\system32\suzisuha.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\dlcxcoms.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\xampp\\apache\\bin\\apache.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Macrovision Shared\\FLEXnet Publisher\\FNPLicensingService.exe"=
"c:\\WINDOWS\\system32\\services.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jqs.exe"=
"c:\\WINDOWS\\system32\\searchindexer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-04-04 111184]
R2 Apache2.2;Apache2.2;"c:\xampp\apache\bin\apache.exe" -k runservice [2007-12-21 17920]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-04-04 20560]
R2 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service []
R3 pmxmouse;PMXMOUSE;c:\windows\system32\DRIVERS\pmxmouse.sys [2007-07-05 18432]
R3 pmxusblf;PMXUSBLF;c:\windows\system32\DRIVERS\pmxusblf.sys [2007-07-05 14336]
.
Contents of the 'Scheduled Tasks' folder

2008-12-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com.au
uInternet Connection Wizard,ShellNext = hxxp://www.google.com.au/ig/dell?hl=en& ... bd=6070629
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\fullystoked user\Start Menu\Programs\IMVU\Run IMVU.lnk
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\fullystoked user\Start Menu\Programs\IMVU\Run IMVU.lnk -
FF - ProfilePath - c:\documents and settings\fullystoked user\Application Data\Mozilla\Firefox\Profiles\yzl8m65l.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-14 19:08:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MySql]
"ImagePath"="c:/xampp/mysql/bin/mysqld-nt.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MySql]
"ImagePath"="c:/xampp/mysql/bin/mysqld-nt.exe"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(540)
c:\windows\system32\Ati2evxx.dll
c:\program files\Citrix\GoToAssist\480\G2AWinLogon.dll
c:\windows\system32\COMRes.dll
c:\windows\System32\BCMLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\ati2evxx.exe
c:\combofix\hidec.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\windows\system32\pmxmiced.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\dlcxcoms.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\xampp\mysql\bin\mysqld-nt.exe
c:\windows\system32\UStorSrv.exe
c:\windows\system32\searchindexer.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\windows\system32\searchprotocolhost.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\combofix\Catchme.tmp
c:\windows\system32\searchfilterhost.exe
.
**************************************************************************
.
Completion time: 2008-12-14 19:16:34 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-14 08:15:15
ComboFix2.txt 2008-12-12 03:43:08

Pre-Run: 87,041,822,720 bytes free
Post-Run: 87,007,342,592 bytes free

259 --- E O F --- 2008-12-12 05:59:57


MalwareByte's

Malwarebytes' Anti-Malware 1.31
Database version: 1499
Windows 5.1.2600 Service Pack 3

14/12/2008 20:39:21
mbam-log-2008-12-14 (20-39-21).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 212465
Time elapsed: 59 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Again many thanks..... I can't imagine the hassle you've saved me and i appreciate your patience... ;)

Have the best Xmas and New Year!!!

cheers

stoked.
stoked
Active Member
 
Posts: 7
Joined: December 8th, 2008, 12:44 am

Re: HiJackThis Analyst required - before I go insane

Unread postby Bob4 » December 14th, 2008, 6:28 am

Great news ! Image

Your log now appears to be clean.

Lets do a few things to tidy up.






___________________________________
The following will implement some cleanup procedures for the tool we used as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u









A few things to help with possible threats

These are optional . But will help protect you further.
and
ASome of these you may already have.




________________________________________
Windows Updates
Be certain automatic updates is turned on for XP. - For Vista Or if you like to do it manually be sure to visit http://update.microsoft.com/ regularly. This requires internet explorer to do so.

This will ensure your computer has always the latest security updates available installed on your computer.
If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
___________________________________

SpywareBlaster

Install SpywareBlaster

SpywareBlaster will add a large list of programs and sites to your Browser settings that will protect you from accidentally running or downloading known malicious programs.
After the installation, click Download Latest Protection Updates. When it finishes, click Enable All Protection.


______________________________
SiteHound

http://www.firetrust.com/firetrustsitehound.html

This tool bar will help protect you from.

Over 4,000 fake bank and credit sites.
Tens of thousands of pornographic
and adult sites.
The never ending fake phishing sites.
Malicious sites, which can infect you
with spyware and adware if you visit
them.
Sites to download software which
may infect your computer with
spyware, a virus or adware


___________________________________
Download and Install a HOSTS File
A Hosts file is a plain text file which prevents your computer from connecting to malware and spyware sites by redirecting the connection request to 127.0.0.1, which is your local address. If you use a proxy server, or if you are on AOL, be sure to read the special instructions.
You can download the MVPS Hosts File and see a HOSTS file tutorial here :
This website also contains useful tips, and links to other resources and utilities.


___________________________________
Make your Internet Explorer more secure
1. From within Internet Explorer click on the Tools menu and then click on Options.
2. Click on the Security tab
3. Click the Internet icon so it becomes highlighted.
4. Click on Default Level and click Ok
5. Click on the Custom Level button.

Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.

6. Next press the Apply button and then the OK to exit the Internet Properties page.


Here's a site with great advise on how to AVOID malware. Much easier to do than removing it.


___________________________________
If your anything like me you should be mad these people have done this to you.
Please take the time to tell us what you would like to be done to these idiots!
We can only get something done about this if the people that we help, like you, are prepared to complain.
We have a dedicated forum for collecting these complaints Malware Complaints, you do not have to be registered to post.. just find your country room and register your complaint.

The infections you had was Vundo


Safe and Happy Surfing. :)
User avatar
Bob4
MRU Master
MRU Master
 
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida

Re: HiJackThis Analyst required - before I go insane

Unread postby stoked » December 14th, 2008, 6:59 am

Hi,

Again thanks ever so much for your assistance. I'll be sure to implement the recommendations you outlined.

cheers

stoked
stoked
Active Member
 
Posts: 7
Joined: December 8th, 2008, 12:44 am

Re: HiJackThis Analyst required - before I go insane

Unread postby NonSuch » December 15th, 2008, 12:24 am

As this issue is resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 27305
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 55 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware