Member Panel

Remember me ?

Forgot password?   

Sponsors and Ads

Noticeboard
PC Forum PC Help Forum » Security & Safety » [Fixed] Hijackthis! Logs » Hijack this log -- malicious malaware must die!!

[Fixed] Hijackthis! Logs - Hijack this log -- malicious malaware must die!! posted in the Security & Safety forums; Okay, took me a while (had to download Combofix at work and save it to my external hard drive, because I still can't access those links on my home PC), ...

JOIN US NOW to remove these Ads

Post New Thread  Reply
Page 2 of 5 < 1 2 3 4 5 >
  #8  
Old 11-10-2007
Bronze Member
  
Join Date: Nov 2007
Posts: 26
PC Experience: PC Illiterate
perfectpawn - See this Members User comments on their Profile page
Default Re: Hijack this log -- malicious malaware must die!!
Okay, took me a while (had to download Combofix at work and save it to my external hard drive, because I still can't access those links on my home PC), but here it is!

Here is the combofix log:

ComboFix 07-11-08.1 - Joe 2007-11-10 0:06:56.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.555 [GMT -6:00]
Running from: C:\Documents and Settings\Joe\Desktop\ComboFix.exe
* Created a new restore point
.
Unable to gain System Privileges
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Joe\Start Menu\Programs\Startup\ta_start.lnk
C:\Documents and Settings\Leanne\Application Data\.rdr.ini
C:\Documents and Settings\Leanne\Desktop\searchus.exe
C:\Documents and Settings\Leanne\Start Menu\Programs\Startup\ta_start.lnk
C:\Documents and Settings\Leanne\Start Menu\Programs\Startup\think-adz.lnk
C:\Documents and Settings\LocalService\Desktop\searchus.exe
C:\Documents and Settings\LocalService\Local Settings\Application Data\n.ini
C:\Documents and Settings\NetworkService\Desktop\searchus.exe
C:\Documents and Settings\TEST\Application Data\.rdr.ini
C:\Program Files\Common Files\mantec~1
C:\Program Files\Common Files\mantec~1\m?hta.exe
C:\Program Files\Common Files\rybiv.dll
C:\Program Files\Common Files\vikok.html
C:\Program Files\fnts~1
C:\Program Files\fnts~1\F?nts\
C:\temp\0b9
C:\temp\0b9\tmpTF.log
C:\temp\0c2
C:\temp\0c2\tmpFF.log
C:\temp\brr
C:\temp\brr\tmpZTF.log
C:\temp\tn3
C:\WINDOWS\cfg32.exe
C:\WINDOWS\cfg32a.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\cs_cache.ini
C:\WINDOWS\csrss.exe
C:\WINDOWS\system32\aedkxtnh.exe
C:\WINDOWS\system32\b06FdUe
C:\WINDOWS\system32\cbxywvt.dll
C:\WINDOWS\system32\cfhkj.bak1
C:\WINDOWS\system32\cfhkj.bak2
C:\WINDOWS\system32\cfhkj.ini
C:\WINDOWS\system32\cfhkj.ini2
C:\WINDOWS\system32\cfhkj.tmp
C:\WINDOWS\system32\config\systemprofile\applicati on data\.rdr.ini
C:\WINDOWS\system32\cvuotsgx.exe
C:\WINDOWS\system32\fpkuncxd.exe
C:\WINDOWS\system32\G1
C:\WINDOWS\system32\G1\kmhp83122.exe
C:\WINDOWS\system32\G11
C:\WINDOWS\system32\G11\z553.exe
C:\WINDOWS\system32\G3
C:\WINDOWS\system32\G3\wr725.exe
C:\WINDOWS\system32\G7
C:\WINDOWS\system32\hmqyaopv.exe
C:\WINDOWS\system32\iilthtsy.exe
C:\WINDOWS\system32\ijotoacq.exe
C:\WINDOWS\system32\jkhfc.dll
C:\WINDOWS\system32\ldcore.dll
C:\WINDOWS\system32\ldinfo.ldr
C:\WINDOWS\system32\n.ini
C:\WINDOWS\system32\pvqlkjji.exe
C:\WINDOWS\system32\slnfoyig.exe
C:\WINDOWS\system32\T3
C:\WINDOWS\system32\T3\am67.exe
C:\WINDOWS\system32\T4
C:\WINDOWS\system32\T4\amst5.exe
C:\WINDOWS\system32\T6
C:\WINDOWS\system32\T6\amwr.exe
C:\WINDOWS\system32\T7
C:\WINDOWS\system32\win
C:\WINDOWS\system32\wskawcld.exe
C:\WINDOWS\system32\yiuglqpr.exe
C:\WINDOWS\system32\yuecavgr.exe
C:\WINDOWS\TISKY009.exe
C:\WINDOWS\tk58.exe
C:\WINDOWS\TTC-4444.exe
C:\WINDOWS\uni_eh44.exe
C:\WINDOWS\uninst1014.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_NET_AGENT
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\DomainService
-------\Net Agent

((((((((((((((((((((((((( Files Created from 2007-10-10 to 2007-11-10 )))))))))))))))))))))))))))))))
.
2007-11-10 00:01 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-09 23:59 85,056 --a------ C:\WINDOWS\system32\cgmbeyae.dll
2007-11-09 23:56 81,472 --a------ C:\WINDOWS\system32\hpmghloo.dll
2007-11-09 23:53 71,232 --a------ C:\WINDOWS\system32\qyrepmyr.exe
2007-11-09 23:51 71,232 --a------ C:\WINDOWS\system32\wmrrroqn.exe
2007-11-09 23:30 81,472 --a------ C:\WINDOWS\system32\sdmgnejd.dll
2007-11-09 23:21 71,232 --a------ C:\WINDOWS\system32\eukpqigh.exe
2007-11-09 23:19 71,232 --a------ C:\WINDOWS\system32\eurecqbu.exe
2007-11-09 01:43 77,888 --a------ C:\WINDOWS\system32\yclvvgof.dll
2007-11-09 01:40 71,232 --a------ C:\WINDOWS\system32\pqlchfvy.exe
2007-11-09 01:38 88,128 --a------ C:\WINDOWS\system32\rlivalvy.dll
2007-11-09 01:38 71,232 --a------ C:\WINDOWS\system32\uothtrra.exe
2007-11-09 01:37 71,232 --a------ C:\WINDOWS\system32\fyndkvfx.exe
2007-11-08 21:25 80,448 --a------ C:\WINDOWS\system32\goutsqnh.dll
2007-11-08 21:25 71,232 --a------ C:\WINDOWS\system32\ewhcovwk.exe
2007-11-08 20:08 <DIR> d-------- C:\quarantine
2007-11-08 19:42 80,448 --a------ C:\WINDOWS\system32\ssjjqjnr.dll
2007-11-08 19:42 71,232 --a------ C:\WINDOWS\system32\yfujaowy.exe
2007-11-08 19:33 80,448 --a------ C:\WINDOWS\system32\axgslpip.dll
2007-11-08 19:30 71,232 --a------ C:\WINDOWS\system32\eyjidrbh.exe
2007-11-08 02:05 80,448 --a------ C:\WINDOWS\system32\lsuthdkr.dll
2007-11-08 02:05 71,232 --a------ C:\WINDOWS\system32\pscwasog.exe
2007-11-08 02:03 80,448 --a------ C:\WINDOWS\system32\lcjjwwxw.dll
2007-11-08 02:03 71,232 --a------ C:\WINDOWS\system32\sdlwfkea.exe
2007-11-07 22:40 79,936 --a------ C:\WINDOWS\system32\nlwokpdo.dll
2007-11-07 22:34 71,232 --a------ C:\WINDOWS\system32\owrdkupp.exe
2007-11-07 22:31 71,232 --a------ C:\WINDOWS\system32\lrvklcjh.exe
2007-11-07 21:27 79,936 --a------ C:\WINDOWS\system32\lnmkissf.dll
2007-11-07 21:24 71,232 --a------ C:\WINDOWS\system32\shdgwbpu.exe
2007-11-07 21:22 71,232 --a------ C:\WINDOWS\system32\egcomrka.exe
2007-11-07 18:13 79,936 --a------ C:\WINDOWS\system32\bhexgqca.dll
2007-11-07 18:09 71,232 --a------ C:\WINDOWS\system32\buofbdnf.exe
2007-11-07 18:08 71,232 --a------ C:\WINDOWS\system32\pfgmuhfv.exe
2007-11-07 01:29 79,936 --a------ C:\WINDOWS\system32\jjnxgosq.dll
2007-11-07 01:26 71,232 --a------ C:\WINDOWS\system32\iwgkpyoc.exe
2007-11-07 01:25 71,232 --a------ C:\WINDOWS\system32\miaihqmu.exe
2007-11-04 23:33 83,008 --a------ C:\WINDOWS\system32\xxfovirf.dll
2007-11-04 23:29 <DIR> d-------- C:\PLANET TERROR
2007-11-04 14:35 78,912 --a------ C:\WINDOWS\system32\hgsocltg.dll
2007-11-04 13:10 78,912 --a------ C:\WINDOWS\system32\fohfkmxt.dll
2007-11-04 11:20 78,912 --a------ C:\WINDOWS\system32\wyqyvqwk.dll
2007-11-03 23:28 78,912 --a------ C:\WINDOWS\system32\kgfrgkex.dll
2007-11-03 20:14 81,472 --a------ C:\WINDOWS\system32\uhcltgas.dll
2007-11-03 19:53 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-03 19:52 <DIR> d-------- C:\Program Files\hijack this
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2007-11-09 01:35 246 ----a-w C:\Program Files\Common Files\rybiv
2007-02-10 05:56 491,768 ----a-w C:\Program Files\ie6setup.exe
2007-03-19 01:41:21 152 --sh--r C:\WINDOWS\system32\987C99206F.sys
2007-03-19 01:41:28 7,518 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2005-07-29 21:24:26 472 --sha-r C:\WINDOWS\TGVhbm5l\n3p1vAc5.vbs
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2F0E516C-363E-4197-BB60-C4502C7F021A}]
C:\Program Files\Windows NT\nipycakus4.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6C1D6AFB-A51B-FFEE-1C13-FE8DC92687C5}]
2007-06-20 08:49 60928 --a------ C:\WINDOWS\system32\knj.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E0B6435-BCA5-4566-8EA0-2DB90D767FB1}]
2007-08-02 07:43 282624 --a------ C:\Program Files\Windows NT\nipycakus4444.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8A51225C-C3FC-4E5C-9C9E-740090EBE251}]
2007-06-14 05:54 163840 --a------ C:\Program Files\Windows NT\nipycakus83122.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a326496c-40d2-4783-8101-8af008e59445}]
2007-11-09 23:56 81472 --a------ C:\WINDOWS\system32\hpmghloo.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 16:19]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 10:44]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.e xe" [2005-09-08 19:20]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 19:05]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 14:45]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 19:00]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 02:50]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 08:48]
"zgvnwxkA"="C:\WINDOWS\zgvnwxkA.exe" []
"{8C-CC-CF-F4-ZN}"="C:\windows\system32\nndsregp.exe" []
"sgzkklfA"="C:\WINDOWS\sgzkklfA.exe" []
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2006-11-01 19:48]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-04-09 18:35]
"7ce8cc5b"="C:\WINDOWS\system32\cgmbeyae.dll" [2007-11-09 23:59]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 19:05]
[HKEY_USERS\.default\software\microsoft\windows\cur rentversion\runonce]
"FlashPlayerUpdate"=C:\WINDOWS\system32\Macromed\F lash\GetFlash.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
ckpNotify.dll 2005-03-01 18:49 24672 C:\WINDOWS\system32\ckpNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wingsa32]
wingsa32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
C:\WINDOWS\system32\WLTRAY.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Configuration Manager]
C:\WINDOWS\cfg32.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661 AA4EBD86D67C56389B284534F310
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowLOMControl]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
stsystra.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Agent]
C:\Program Files\webHancer\Programs\whagent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wufq]
C:\PROGRA~1\COMMON~1\wufq\wufqm.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zgvnwxkA]
C:\WINDOWS\zgvnwxkA.exe
R1 NaiAvTdi1;NaiAvTdi1;C:\WINDOWS\system32\drivers\mv stdi5x.sys
R2 Scap;SecureClient Application Policy Module;C:\WINDOWS\system32\DRIVERS\Scap.sys
R2 VPN-1;VPN-1 Module;C:\WINDOWS\system32\drivers\vpn.sys
R3 FW1;SecuRemote Miniport;C:\WINDOWS\system32\DRIVERS\fw.sys
S3 OMVA;VPN-1 SecureClient Adapter;C:\WINDOWS\system32\DRIVERS\OMVA.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-11-09 09:00:00 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job"
- C:\Program Files\SpywareBot\SpywareBot.exe
.
************************************************** ************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-10 00:26:35
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
************************************************** ************************
.
Completion time: 2007-11-10 0:27:58 - machine was rebooted
.
--- E O F ---

And here is the HiJack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:32:45 AM, on 11/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Pottery Barn | Home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Learn about Dell's notebooks, desktops, monitors, printers plus computer electronics & accessories.
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Learn about Dell's notebooks, desktops, monitors, printers plus computer electronics & accessories.
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2F0E516C-363E-4197-BB60-C4502C7F021A} - C:\Program Files\Windows NT\nipycakus4.dll (file missing)
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6C1D6AFB-A51B-FFEE-1C13-FE8DC92687C5} - C:\WINDOWS\system32\knj.dll
O2 - BHO: (no name) - {7E0B6435-BCA5-4566-8EA0-2DB90D767FB1} - C:\Program Files\Windows NT\nipycakus4444.dll
O2 - BHO: (no name) - {8A51225C-C3FC-4E5C-9C9E-740090EBE251} - C:\Program Files\Windows NT\nipycakus83122.dll
O2 - BHO: {54495e80-0fa8-1018-3874-2d04c694623a} - {a326496c-40d2-4783-8101-8af008e59445} - C:\WINDOWS\system32\hpmghloo.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [zgvnwxkA] C:\WINDOWS\zgvnwxkA.exe
O4 - HKLM\..\Run: [{8C-CC-CF-F4-ZN}] C:\windows\system32\nndsregp.exe SKY009
O4 - HKLM\..\Run: [sgzkklfA] C:\WINDOWS\sgzkklfA.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [7ce8cc5b] rundll32.exe "C:\WINDOWS\system32\cgmbeyae.dll",b
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe (User 'Default user')
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{77D49E22-DBBD-468B-B1B1-DABCAEE0A956}: NameServer = 194.54.90.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D8E9C29-BEC2-40CB-8C60-312E3066944D}: NameServer = 194.54.90.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9446425-03A5-407D-BF2E-C9ADFC0FA0C8}: NameServer = 194.54.90.226
O20 - Winlogon Notify: wingsa32 - wingsa32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE (file missing)
--
End of file - 8673 bytes

Please let me know how to proceed, and thanks again!!
  #9  
Old 11-10-2007
Pancake's Avatar
Senior Security Analyst
  
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 3,592
PC Experience: Elite PC Guru
Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page
Default Re: Hijack this log -- malicious malaware must die!!
This will take a bit of sorting as there are a lot of files to remove.I will get back with the next step in about 15 hours..


__________________
  • An Australian Member of
  • and
My real name is Eddy
  #10  
Old 11-10-2007
Pancake's Avatar
Senior Security Analyst
  
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 3,592
PC Experience: Elite PC Guru
Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page
Default Re: Hijack this log -- malicious malaware must die!!
Ok.The start of the cleanup...


Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.
It's IMPORTANT to carry out the instructions in the sequence listed below.

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:

KillAll::
File::
C:\WINDOWS\system32\cgmbeyae.dll
C:\WINDOWS\system32\hpmghloo.dll
C:\WINDOWS\system32\qyrepmyr.exe
C:\WINDOWS\system32\wmrrroqn.exe
C:\WINDOWS\system32\sdmgnejd.dll
C:\WINDOWS\system32\eukpqigh.exe
C:\WINDOWS\system32\eurecqbu.exe
C:\WINDOWS\system32\yclvvgof.dll
C:\WINDOWS\system32\pqlchfvy.exe
C:\WINDOWS\system32\rlivalvy.dll
C:\WINDOWS\system32\uothtrra.exe
C:\WINDOWS\system32\fyndkvfx.exe
C:\WINDOWS\system32\goutsqnh.dll
C:\WINDOWS\system32\ewhcovwk.exe
C:\WINDOWS\system32\ssjjqjnr.dll
C:\WINDOWS\system32\yfujaowy.exe
C:\WINDOWS\system32\axgslpip.dll
C:\WINDOWS\system32\eyjidrbh.exe
C:\WINDOWS\system32\lsuthdkr.dll
C:\WINDOWS\system32\pscwasog.exe
C:\WINDOWS\system32\lcjjwwxw.dll
C:\WINDOWS\system32\sdlwfkea.exe
C:\WINDOWS\system32\nlwokpdo.dll
C:\WINDOWS\system32\owrdkupp.exe
C:\WINDOWS\system32\lrvklcjh.exe
C:\WINDOWS\system32\lnmkissf.dll
C:\WINDOWS\system32\shdgwbpu.exe
C:\WINDOWS\system32\egcomrka.exe
C:\WINDOWS\system32\bhexgqca.dll
C:\WINDOWS\system32\buofbdnf.exe
C:\WINDOWS\system32\pfgmuhfv.exe
C:\WINDOWS\system32\jjnxgosq.dll
C:\WINDOWS\system32\iwgkpyoc.exe
C:\WINDOWS\system32\miaihqmu.exe
C:\WINDOWS\system32\xxfovirf.dll
C:\WINDOWS\system32\hgsocltg.dll
C:\WINDOWS\system32\fohfkmxt.dll
C:\WINDOWS\system32\wyqyvqwk.dll
C:\WINDOWS\system32\kgfrgkex.dll
C:\WINDOWS\system32\uhcltgas.dll
C:\Program Files\Windows NT\nipycakus4.dll
C:\WINDOWS\system32\knj.dll
C:\Program Files\Windows NT\nipycakus4444.dll
C:\Program Files\Windows NT\nipycakus83122.dll
C:\WINDOWS\retadpu1000106.exe


Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2F0E516C-363E-4197-BB60-C4502C7F021A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6C1D6AFB-A51B-FFEE-1C13-FE8DC92687C5}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E0B6435-BCA5-4566-8EA0-2DB90D767FB1}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8A51225C-C3FC-4E5C-9C9E-740090EBE251}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a326496c-40d2-4783-8101-8af008e59445}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"zgvnwxkA"=-
"{8C-CC-CF-F4-ZN}"=-
"sgzkklfA"=-
"7ce8cc5b"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wingsa32]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Agent]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zgvnwxkA]
Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.
Refering to the picture above, drag CFScript.txt into ComboFix.exe
Restart your computer.
When finished, it shall produce a log for you at C:\ComboFix.txt
Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply please.

*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall*


__________________
  • An Australian Member of
  • and
My real name is Eddy
  #11  
Old 11-15-2007
Bronze Member
  
Join Date: Nov 2007
Posts: 26
PC Experience: PC Illiterate
perfectpawn - See this Members User comments on their Profile page
Default Re: Hijack this log -- malicious malaware must die!!
Thanks again for your help!

Here's the Combofix log:

ComboFix 07-11-08.1 - Joe 2007-11-14 19:34:21.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.641 [GMT -6:00]
Running from: C:\Documents and Settings\Joe\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Joe\Desktop\CFScript.txt
* Created a new restore point
FILE
C:\Program Files\Windows NT\nipycakus4.dll
C:\Program Files\Windows NT\nipycakus4444.dll
C:\Program Files\Windows NT\nipycakus83122.dll
C:\WINDOWS\retadpu1000106.exe
C:\WINDOWS\system32\axgslpip.dll
C:\WINDOWS\system32\bhexgqca.dll
C:\WINDOWS\system32\buofbdnf.exe
C:\WINDOWS\system32\cgmbeyae.dll
C:\WINDOWS\system32\egcomrka.exe
C:\WINDOWS\system32\eukpqigh.exe
C:\WINDOWS\system32\eurecqbu.exe
C:\WINDOWS\system32\ewhcovwk.exe
C:\WINDOWS\system32\eyjidrbh.exe
C:\WINDOWS\system32\fohfkmxt.dll
C:\WINDOWS\system32\fyndkvfx.exe
C:\WINDOWS\system32\goutsqnh.dll
C:\WINDOWS\system32\hgsocltg.dll
C:\WINDOWS\system32\hpmghloo.dll
C:\WINDOWS\system32\iwgkpyoc.exe
C:\WINDOWS\system32\jjnxgosq.dll
C:\WINDOWS\system32\kgfrgkex.dll
C:\WINDOWS\system32\knj.dll
C:\WINDOWS\system32\lcjjwwxw.dll
C:\WINDOWS\system32\lnmkissf.dll
C:\WINDOWS\system32\lrvklcjh.exe
C:\WINDOWS\system32\lsuthdkr.dll
C:\WINDOWS\system32\miaihqmu.exe
C:\WINDOWS\system32\nlwokpdo.dll
C:\WINDOWS\system32\owrdkupp.exe
C:\WINDOWS\system32\pfgmuhfv.exe
C:\WINDOWS\system32\pqlchfvy.exe
C:\WINDOWS\system32\pscwasog.exe
C:\WINDOWS\system32\qyrepmyr.exe
C:\WINDOWS\system32\rlivalvy.dll
C:\WINDOWS\system32\sdlwfkea.exe
C:\WINDOWS\system32\sdmgnejd.dll
C:\WINDOWS\system32\shdgwbpu.exe
C:\WINDOWS\system32\ssjjqjnr.dll
C:\WINDOWS\system32\uhcltgas.dll
C:\WINDOWS\system32\uothtrra.exe
C:\WINDOWS\system32\wmrrroqn.exe
C:\WINDOWS\system32\wyqyvqwk.dll
C:\WINDOWS\system32\xxfovirf.dll
C:\WINDOWS\system32\yclvvgof.dll
C:\WINDOWS\system32\yfujaowy.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\Windows NT\nipycakus4444.dll
C:\Program Files\Windows NT\nipycakus83122.dll
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\axgslpip.dll
C:\WINDOWS\system32\bhexgqca.dll
C:\WINDOWS\system32\buofbdnf.exe
C:\WINDOWS\system32\cgmbeyae.dll
C:\WINDOWS\system32\egcomrka.exe
C:\WINDOWS\system32\eukpqigh.exe
C:\WINDOWS\system32\eurecqbu.exe
C:\WINDOWS\system32\ewhcovwk.exe
C:\WINDOWS\system32\eyjidrbh.exe
C:\WINDOWS\system32\fohfkmxt.dll
C:\WINDOWS\system32\fyndkvfx.exe
C:\WINDOWS\system32\goutsqnh.dll
C:\WINDOWS\system32\hgsocltg.dll
C:\WINDOWS\system32\hpmghloo.dll
C:\WINDOWS\system32\iwgkpyoc.exe
C:\WINDOWS\system32\jjnxgosq.dll
C:\WINDOWS\system32\kgfrgkex.dll
C:\WINDOWS\system32\knj.dll
C:\WINDOWS\system32\lcjjwwxw.dll
C:\WINDOWS\system32\lnmkissf.dll
C:\WINDOWS\system32\lrvklcjh.exe
C:\WINDOWS\system32\lsuthdkr.dll
C:\WINDOWS\system32\miaihqmu.exe
C:\WINDOWS\system32\nlwokpdo.dll
C:\WINDOWS\system32\owrdkupp.exe
C:\WINDOWS\system32\pfgmuhfv.exe
C:\WINDOWS\system32\pqlchfvy.exe
C:\WINDOWS\system32\pscwasog.exe
C:\WINDOWS\system32\qyrepmyr.exe
C:\WINDOWS\system32\rlivalvy.dll
C:\WINDOWS\system32\sdlwfkea.exe
C:\WINDOWS\system32\sdmgnejd.dll
C:\WINDOWS\system32\shdgwbpu.exe
C:\WINDOWS\system32\ssjjqjnr.dll
C:\WINDOWS\system32\uhcltgas.dll
C:\WINDOWS\system32\uothtrra.exe
C:\WINDOWS\system32\wmrrroqn.exe
C:\WINDOWS\system32\wyqyvqwk.dll
C:\WINDOWS\system32\xxfovirf.dll
C:\WINDOWS\system32\yclvvgof.dll
C:\WINDOWS\system32\yfujaowy.exe
.
((((((((((((((((((((((((( Files Created from 2007-10-15 to 2007-11-15 )))))))))))))))))))))))))))))))
.
2007-11-10 00:01 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-08 20:08 <DIR> d-------- C:\quarantine
2007-11-04 23:29 <DIR> d-------- C:\PLANET TERROR
2007-11-03 19:53 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-03 19:52 <DIR> d-------- C:\Program Files\hijack this
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2007-11-09 01:35 246 ----a-w C:\Program Files\Common Files\rybiv
2007-02-10 05:56 491,768 ----a-w C:\Program Files\ie6setup.exe
2007-03-19 01:41:21 152 --sh--r C:\WINDOWS\system32\987C99206F.sys
2007-03-19 01:41:28 7,518 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2005-07-29 21:24:26 472 --sha-r C:\WINDOWS\TGVhbm5l\n3p1vAc5.vbs
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 16:19]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 10:44]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.e xe" [2005-09-08 19:20]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 19:05]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 14:45]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 19:00]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 02:50]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 08:48]
"zgvnwxkA"="C:\WINDOWS\zgvnwxkA.exe" []
"{8C-CC-CF-F4-ZN}"="C:\windows\system32\nndsregp.exe" []
"sgzkklfA"="C:\WINDOWS\sgzkklfA.exe" []
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2006-11-01 19:48]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-04-09 18:35]
"7ce8cc5b"="C:\WINDOWS\system32\cgmbeyae.dll" []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 19:05]
[HKEY_USERS\.default\software\microsoft\windows\cur rentversion\runonce]
"FlashPlayerUpdate"=C:\WINDOWS\system32\Macromed\F lash\GetFlash.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
ckpNotify.dll 2005-03-01 18:49 24672 C:\WINDOWS\system32\ckpNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
C:\WINDOWS\system32\WLTRAY.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Configuration Manager]
C:\WINDOWS\cfg32.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661 AA4EBD86D67C56389B284534F310
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowLOMControl]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
stsystra.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wufq]
C:\PROGRA~1\COMMON~1\wufq\wufqm.exe
R1 NaiAvTdi1;NaiAvTdi1;C:\WINDOWS\system32\drivers\mv stdi5x.sys
R2 Scap;SecureClient Application Policy Module;C:\WINDOWS\system32\DRIVERS\Scap.sys
R2 VPN-1;VPN-1 Module;C:\WINDOWS\system32\drivers\vpn.sys
R3 FW1;SecuRemote Miniport;C:\WINDOWS\system32\DRIVERS\fw.sys
S3 OMVA;VPN-1 SecureClient Adapter;C:\WINDOWS\system32\DRIVERS\OMVA.sys
*Newly Created Service* - ENTDRV51
.
Contents of the 'Scheduled Tasks' folder
"2007-11-10 09:00:00 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job"
- C:\Program Files\SpywareBot\SpywareBot.exe
.
************************************************** ************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-14 19:40:32
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
************************************************** ************************
.
Completion time: 2007-11-14 19:41:56 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-10 00:27
.
--- E O F ---

And here's the Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:44:21 PM, on 11/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Pottery Barn | Home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Learn about Dell's notebooks, desktops, monitors, printers plus computer electronics & accessories.
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Learn about Dell's notebooks, desktops, monitors, printers plus computer electronics & accessories.
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [zgvnwxkA] C:\WINDOWS\zgvnwxkA.exe
O4 - HKLM\..\Run: [{8C-CC-CF-F4-ZN}] C:\windows\system32\nndsregp.exe SKY009
O4 - HKLM\..\Run: [sgzkklfA] C:\WINDOWS\sgzkklfA.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [7ce8cc5b] rundll32.exe "C:\WINDOWS\system32\cgmbeyae.dll",b
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe (User 'Default user')
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{77D49E22-DBBD-468B-B1B1-DABCAEE0A956}: NameServer = 194.54.90.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D8E9C29-BEC2-40CB-8C60-312E3066944D}: NameServer = 194.54.90.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9446425-03A5-407D-BF2E-C9ADFC0FA0C8}: NameServer = 194.54.90.226
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE (file missing)
--
End of file - 8047 bytes


Please let me know how to proceed...and again, I really appreciate your help!
  #12  
Old 11-15-2007
Pancake's Avatar
Senior Security Analyst
  
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 3,592
PC Experience: Elite PC Guru
Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page
Default Re: Hijack this log -- malicious malaware must die!!
Ok.Just need to fix these up .We are getting near the end of the cleanup.

Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes.Confirm that you have only the listed ones checked, then press <Fix checked> and Close HJT.

O4 - HKLM\..\Run: [zgvnwxkA] C:\WINDOWS\zgvnwxkA.exe
O4 - HKLM\..\Run: [{8C-CC-CF-F4-ZN}] C:\windows\system32\nndsregp.exe SKY009
O4 - HKLM\..\Run: [sgzkklfA] C:\WINDOWS\sgzkklfA.exe
O4 - HKLM\..\Run: [7ce8cc5b] rundll32.exe "C:\WINDOWS\system32\cgmbeyae.dll",b

==================================

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. It is possible that you may be running Java code in your applications that absolutely require a specific version of the JRE to run.
Please follow these steps to remove older version Java components and update.
Updating Java:
Download the latest version of the Java Runtime Environment - (JRE) 6 Update 3.
Scroll down to where it says "Java Runtime Environment (JRE) 6u3 allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.

==================================

Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.
It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open *notepad* and copy/paste the text in the quotebox below into it:


KillAll::

File::
C:\WINDOWS\cfg32.exe
C:\WINDOWS\retadpu1000106.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"zgvnwxkA"=-
"{8C-CC-CF-F4-ZN}"=-
"sgzkklfA"=-
"7ce8cc5b"=-
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661 AA4EBD86D67C56389B284534F310
Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.


Refering to the picture above, drag CFScript.txt into ComboFix.exe
Restart your computer.
When finished, it shall produce a log for you at C:\ComboFix.txt
Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply please.

*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall*


__________________
  • An Australian Member of
  • and
My real name is Eddy
  #13  
Old 11-16-2007
Bronze Member
  
Join Date: Nov 2007
Posts: 26
PC Experience: PC Illiterate
perfectpawn - See this Members User comments on their Profile page
Default Re: Hijack this log -- malicious malaware must die!!
Okay, here's the Combo Fix log:

ComboFix 07-11-08.1 - Joe 2007-11-15 23:22:51.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.647 [GMT -6:00]
Running from: C:\Documents and Settings\Joe\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Joe\Desktop\CFScript.txt
* Created a new restore point
FILE
C:\WINDOWS\cfg32.exe
C:\WINDOWS\retadpu1000106.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Joe\Desktop\internet.lnk
.
((((((((((((((((((((((((( Files Created from 2007-10-16 to 2007-11-16 )))))))))))))))))))))))))))))))
.
2007-11-15 23:17 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-10 00:01 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-08 20:08 <DIR> d-------- C:\quarantine
2007-11-04 23:29 <DIR> d-------- C:\PLANET TERROR
2007-11-03 19:53 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-03 19:52 <DIR> d-------- C:\Program Files\hijack this
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2007-11-16 05:18 --------- d-----w C:\Program Files\Java
2007-11-09 01:35 246 ----a-w C:\Program Files\Common Files\rybiv
2007-02-10 05:56 491,768 ----a-w C:\Program Files\ie6setup.exe
2007-03-19 01:41:21 152 --sh--r C:\WINDOWS\system32\987C99206F.sys
2007-03-19 01:41:28 7,518 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2005-07-29 21:24:26 472 --sha-r C:\WINDOWS\TGVhbm5l\n3p1vAc5.vbs
.
((((((((((((((((((((((((((((( snapshot@2007-11-10_ 0.27.25.32 )))))))))))))))))))))))))))))))))))))))))
.
- 2003-11-19 22:36:26 24,681 ----a-w C:\WINDOWS\system32\java.exe
+ 2007-09-25 04:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2003-11-19 22:36:30 28,779 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-25 04:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-25 05:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 16:19]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 10:44]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.e xe" [2005-09-08 19:20]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 19:05]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 14:45]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 19:00]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 02:50]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 08:48]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2006-11-01 19:48]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-04-09 18:35]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 19:05]
[HKEY_USERS\.default\software\microsoft\windows\cur rentversion\runonce]
"FlashPlayerUpdate"=C:\WINDOWS\system32\Macromed\F lash\GetFlash.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
ckpNotify.dll 2005-03-01 18:49 24672 C:\WINDOWS\system32\ckpNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
C:\WINDOWS\system32\WLTRAY.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Configuration Manager]
C:\WINDOWS\cfg32.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661 AA4EBD86D67C56389B284534F310
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowLOMControl]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
stsystra.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wufq]
C:\PROGRA~1\COMMON~1\wufq\wufqm.exe
R1 NaiAvTdi1;NaiAvTdi1;C:\WINDOWS\system32\drivers\mv stdi5x.sys
R2 Scap;SecureClient Application Policy Module;C:\WINDOWS\system32\DRIVERS\Scap.sys
R2 VPN-1;VPN-1 Module;C:\WINDOWS\system32\drivers\vpn.sys
R3 FW1;SecuRemote Miniport;C:\WINDOWS\system32\DRIVERS\fw.sys
S3 OMVA;VPN-1 SecureClient Adapter;C:\WINDOWS\system32\DRIVERS\OMVA.sys
*Newly Created Service* - ENTDRV51
.
Contents of the 'Scheduled Tasks' folder
"2007-11-10 09:00:00 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job"
- C:\Program Files\SpywareBot\SpywareBot.exe
.
************************************************** ************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-15 23:26:08
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
************************************************** ************************
.
Completion time: 2007-11-15 23:26:45
C:\ComboFix2.txt ... 2007-11-14 19:41
C:\ComboFix3.txt ... 2007-11-10 00:27
.
--- E O F ---

And here's the Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:28:16 PM, on 11/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Pottery Barn | Home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Learn about Dell's notebooks, desktops, monitors, printers plus computer electronics & accessories.
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Learn about Dell's notebooks, desktops, monitors, printers plus computer electronics & accessories.
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\Po