I'm having the exact same problem. No matter what I do I can't seem to remove this one. It's a trojan that isn't viewable anywhere on my system. It's not in the processes, the program files or common files in Windows. I've run Ad-Aware, Spybot, Vundofix, and HijackThis multiple times. I'm running Avast! Anti-Virus and I've cleared most of the stuff off my machine. The only thing that remains are these audio advertisements that say something about "You're watching Jumbo TV" or play really bad music, exactly as described above. I'm unable to find anything on the web about this and it's driving me crazy. Here is my most recent HijackThis log file. Please advise what the next step I should take is. I appreciate any help you can give me. Thank you.

thatonedj

Logfile of HijackThis v1.99.1
Scan saved at 10:58:16 AM, on 7/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Documents and Settings\MyKill.D1Q7SN91\Desktop\AIM95\aim.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [AIM] C:\Documents and Settings\MyKill.D1Q7SN91\Desktop\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Uaol] "C:\DOCUME~1\MYKILL~1.D1Q\MYDOCU~1\YSTEM3~1\mmc.exe" -vt yazb
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\MyKill.D1Q7SN91\Desktop\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

3 Contributors, 6 Replies, 7 Views, 10 Years Discussion Span, Last Post by crunchie

Thank you for your reply.

Ok, here is the combofix report. I'm still getting the audio ads too.

ComboFix 07-07-30.2 - "MyKill" 2007-08-01 18:12:41.1 [GMT -7:00] - NTFS
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.True
* Created a new restore point



(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))



C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode
C:\DOCUME~1\MYKILL~1.D1Q\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\MYKILL~1.D1Q\APPLIC~1.\winantispyware 2007\Logs\update.log
C:\DOCUME~1\MYKILL~1.D1Q\MYDOCU~1.\ystem3~1
C:\Program Files\Common Files\sks~1
C:\Program Files\Messenger\divomy.html
C:\WINDOWS\svhost.exe
C:\WINDOWS\system32\b02FdUe
C:\WINDOWS\system32\b02FdUe\b02FdUe1065.exe
C:\WINDOWS\system32\drivers\fopn.sys
C:\WINDOWS\system32\o09PrEz
C:\WINDOWS\system32\o09PrEz\o09PrEz1099.exe
C:\WINDOWS\system32\wapiicomsv.exe
C:\WINDOWS\system32\win
C:\WINDOWS\system32\Y0
C:\WINDOWS\system32\Y1
C:\WINDOWS\wr.txt



(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))



-------\LEGACY_FOPN



(((((((((((((((((((((((((   Files Created from 2007-07-02 to 2007-08-02  )))))))))))))))))))))))))))))))



2007-08-01 18:12    51,200  --a------   C:\WINDOWS\nircmd.exe
2007-07-31 21:54    <DIR>    d--------   C:\DOCUME~1\MYKILL~1.D1Q\APPLIC~1\DivX
2007-07-31 10:23    9,464   ---------   C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-07-31 10:23    9,336   ---------   C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-07-31 10:23    129,784 ---------   C:\WINDOWS\system32\pxafs.dll
2007-07-31 10:23    120,056 ---------   C:\WINDOWS\system32\pxcpyi64.exe
2007-07-31 10:23    118,520 ---------   C:\WINDOWS\system32\pxinsi64.exe
2007-07-29 16:35    95,608  --a------   C:\WINDOWS\system32\AvastSS.scr
2007-07-29 16:35    94,416  --a------   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-29 16:35    92,848  --a------   C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-29 16:35    783,224 --a------   C:\WINDOWS\system32\aswBoot.exe
2007-07-29 16:35    42,912  --a------   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-29 16:35    26,624  --a------   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-29 16:35    23,152  --a------   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-29 16:35    <DIR>    d--------   C:\Program Files\Alwil Software
2007-07-29 15:47    <DIR>    d--------   C:\HijackThis
2007-07-29 15:29    6,507   ---hs----   C:\WINDOWS\system32\cbeeg.bak1
2007-07-29 15:21    <DIR>    d--------   C:\VundoFix Backups
2007-07-26 16:06    524,288 --a------   C:\WINDOWS\system32\DivXsm.exe
2007-07-26 16:06    3,596,288   --a------   C:\WINDOWS\system32\qt-dx331.dll
2007-07-26 16:06    200,704 --a------   C:\WINDOWS\system32\ssldivx.dll
2007-07-26 16:06    144,704 --a------   C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-07-26 16:06    1,044,480   --a------   C:\WINDOWS\system32\libdivx.dll
2007-07-26 16:03    823,296 --a------   C:\WINDOWS\system32\divx_xx0c.dll
2007-07-26 16:03    823,296 --a------   C:\WINDOWS\system32\divx_xx07.dll
2007-07-26 16:03    81,920  --a------   C:\WINDOWS\system32\dpl100.dll
2007-07-26 16:03    802,816 --a------   C:\WINDOWS\system32\divx_xx11.dll
2007-07-26 16:03    740,442 --a------   C:\WINDOWS\system32\DivX.dll
2007-07-26 16:03    593,920 --a------   C:\WINDOWS\system32\dpuGUI11.dll
2007-07-26 16:03    57,344  --a------   C:\WINDOWS\system32\dpv11.dll
2007-07-26 16:03    53,248  --a------   C:\WINDOWS\system32\dpuGUI10.dll
2007-07-26 16:03    344,064 --a------   C:\WINDOWS\system32\dpus11.dll
2007-07-26 16:03    294,912 --a------   C:\WINDOWS\system32\dpu11.dll
2007-07-26 16:03    294,912 --a------   C:\WINDOWS\system32\dpu10.dll
2007-07-26 16:03    196,608 --a------   C:\WINDOWS\system32\dtu100.dll
2007-07-26 16:03    12,288  --a------   C:\WINDOWS\system32\DivXWMPExtType.dll
2007-07-20 16:47    <DIR>    d--------   C:\DOCUME~1\MYKILL~1.D1Q\APPLIC~1\AdobeUM
2007-07-19 21:05    <DIR>    d--------   C:\Program Files\Microsoft Hardware
2007-07-07 13:29    <DIR>    d--------   C:\other
2007-07-07 13:29    <DIR>    d--------   C:\Native.Instruments.Traktor.DJ.Studio.v3.0.2.098.INCL.KEYGEN-TALiO
2007-07-07 13:29    <DIR>    d--------   C:\Installers
2007-07-07 13:29    <DIR>    d--------   C:\Fruity Loops
2007-07-07 13:27    <DIR>    d--------   C:\Text
2007-07-07 13:27    <DIR>    d--------   C:\Sony ACID Pro v5.0a + Keygen
2007-07-07 13:27    <DIR>    d--------   C:\Dj Michael Pics
2007-07-07 13:27    <DIR>    d--------   C:\backup
2007-07-07 00:34    <DIR>    d--------   C:\DOCUME~1\MYKILL~1.D1Q\APPLIC~1\Corel Photo Album
2007-07-07 00:33    56  -r-hs----   C:\WINDOWS\system32\E46DE58466.sys
2007-07-07 00:33    3,766   --ahs----   C:\WINDOWS\system32\KGyGaAvL.sys
2007-07-06 12:32    <DIR>    d--------   C:\DOCUME~1\MYKILL~1.D1Q\APPLIC~1\Sonic
2007-07-06 12:31    <DIR>    d--------   C:\DOCUME~1\MYKILL~1.D1Q\APPLIC~1\Leadertech
2007-07-06 09:48    <DIR>    d--------   C:\Program Files\DivX
2007-07-05 20:12    <DIR>    d--------   C:\Program Files\EA GAMES
2007-07-05 20:08    <DIR>    d--------   C:\DOCUME~1\MYKILL~1.D1Q\APPLIC~1\uTorrent
2007-07-05 19:31    <DIR>    d--------   C:\DOCUME~1\MYKILL~1.D1Q\APPLIC~1\Aim
2007-07-05 16:42    1,290   --a------   C:\WINDOWS\mozver.dat
2007-07-05 15:46    265,728 -ra------   C:\WINDOWS\system32\drivers\BCMWL5.SYS
2007-07-04 20:29    <DIR>    d--------   C:\Program Files\DellSupport
2007-07-04 20:16    23,040  ---------   C:\WINDOWS\kb913800.exe
2007-07-04 20:16    <DIR>    d--------   C:\WINDOWS\system32\PreInstall
2007-07-04 19:30    <DIR>    d--------   C:\WINDOWS\system32\SoftwareDistribution
2007-07-04 17:38    98,304  --a------   C:\WINDOWS\system32\CmdLineExt.dll
2007-07-04 17:28    <DIR>    d--------   C:\Program Files\Rockstar Games
2007-07-04 15:28    13,195  --a------   C:\DOCUME~1\MYKILL~1.D1Q\zguicfgw.dat
2007-07-04 14:57    <DIR>    d--------   C:\WINDOWS\system32\appmgmt
2007-07-04 14:15    <DIR>    d--------   C:\DOCUME~1\MYKILL~1.D1Q\APPLIC~1\McAfee.com Personal Firewall
2007-07-04 14:15    <DIR>    d--------   C:\DOCUME~1\LOCALS~1\APPLIC~1\McAfee.com Personal Firewall
2007-07-04 14:14    2,621,440   --ah-----   C:\DOCUME~1\MYKILL~1.D1Q\NTUSER.DAT
2007-07-04 14:14    <DIR>    d--h-----   C:\DOCUME~1\MYKILL~1.D1Q\APPLIC~1\Gtek
2007-07-04 14:14    <DIR>    d--------   C:\DOCUME~1\MYKILL~1.D1Q\APPLIC~1\Google
2007-07-03 19:40    <DIR>    d--------   C:\DOCUME~1\MyKill\APPLIC~1\Leadertech
2007-07-03 19:22    <DIR>    d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-07-03 19:18    <DIR>    d--------   C:\Program Files\D-Link
2007-07-03 19:17    <DIR>    d--------   C:\WINDOWS\pss
2007-07-03 19:07    786,432 --a------   C:\DOCUME~1\MyKill\NTUSER.DAT
2007-07-03 19:07    262,144 --a------   C:\DOCUME~1\ALLUSE~1\NTUSER.DAT
2007-07-03 19:07    <DIR>    d--------   C:\DOCUME~1\MyKill\APPLIC~1\Gtek
2007-07-03 19:07    <DIR>    d--------   C:\DOCUME~1\MyKill\APPLIC~1\Corel
2007-07-03 19:07    <DIR>    d--------   C:\DOCUME~1\DEFAUL~1\APPLIC~1\Google
2007-07-03 19:07    <DIR>    d--------   C:\DOCUME~1\DEFAUL~1\APPLIC~1\Corel
2007-07-03 19:04    9,600   --a------   C:\WINDOWS\system32\drivers\hidusb.sys
2007-07-03 19:04    14,848  --a------   C:\WINDOWS\system32\drivers\kbdhid.sys
2007-07-03 19:04    12,160  --a------   C:\WINDOWS\system32\drivers\mouhid.sys



((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-08-01 18:15    ---------   d--------   C:\Program Files\Soulseek
2007-08-01 18:14    ---------   d--------   C:\Program Files\Messenger
2007-07-29 17:52    ---------   d--------   C:\Program Files\Windows Plus
2007-07-29 15:32    ---------   d--------   C:\Program Files\InterActual
2007-07-29 14:29    ---------   d--------   C:\Program Files\RGB
2007-07-26 16:06    43528   ---------   C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-07-05 20:12    ---------   d--------   C:\Program Files\InstallShield Installation Information
2007-07-05 12:05    ---------   d--------   C:\Program Files\Google
2007-07-04 16:25    ---------   d--------   C:\Program Files\MUSICMATCH
2007-07-04 14:46    ---------   d--------   C:\Program Files\Common Files\AOL
2007-06-12 13:11    ---------   d--------   C:\DOCUME~1\MYKILL~1.D1Q\APPLIC~1\Apple Computer
2007-06-12 13:06    ---------   d--------   C:\Program Files\iTunes
2007-06-12 13:05    ---------   d--------   C:\Program Files\QuickTime
2007-06-12 13:05    ---------   d--------   C:\Program Files\iPod
2007-06-12 13:04    ---------   d--------   C:\Program Files\Common Files\Apple
2007-06-12 13:04    ---------   d--------   C:\Program Files\Apple Software Update
2007-06-12 12:45    ---------   d--------   C:\DOCUME~1\MYKILL~1.D1Q\APPLIC~1\Real
2007-06-11 23:14    ---------   d--------   C:\Program Files\Vstplugins
2007-06-11 23:14    ---------   d--------   C:\DOCUME~1\MYKILL~1.D1Q\APPLIC~1\Publish Providers
2007-06-11 23:14    ---------   d--------   C:\DOCUME~1\MYKILL~1.D1Q\APPLIC~1\NetMedia Providers
2007-06-11 23:12    ---------   d--------   C:\DOCUME~1\MYKILL~1.D1Q\APPLIC~1\Sony
2007-06-11 23:11    ---------   d--------   C:\Program Files\Microsoft SQL Server
2007-06-11 23:10    ---------   d--------   C:\Program Files\Sony
2007-06-11 23:09    ---------   d--------   C:\Program Files\Sony Setup
2007-06-11 14:21    ---------   d--------   C:\Program Files\Native Instruments
2007-06-11 12:54    ---------   d--------   C:\Program Files\GemMaster
2007-06-11 12:52    ---------   d--------   C:\Program Files\Common Files\Corel
2007-06-11 12:41    ---------   d--------   C:\Program Files\Lavasoft
2007-05-16 08:12    683520  --a------   C:\WINDOWS\system32\inetcomm.dll



(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))



*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-28 09:14]
"POINTER"="point32.exe" []
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-27 15:03]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Documents and Settings\MyKill.D1Q7SN91\Desktop\AIM95\aim.exe" [2002-05-22 11:57]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"Uaol"="C:\DOCUME~1\MYKILL~1.D1Q\MYDOCU~1\YSTEM3~1\mmc.exe" []


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme


[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Messenger\divomy.html
FriendlyName=


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
"C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport-]
"C:\Program Files\Dell Support\DSAgnt.exe" /startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
C:\WINDOWS\System32\DLA\DLACTRLW.EXE


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
C:\Program Files\Dell\Media Experience\DMXLauncher.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
C:\WINDOWS\ehome\ehtray.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\poolsv]
"C:\WINDOWS\poolsv.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\retadpu77.exe 61A847B5BBF72815358B2B27128065E9C084320161C4661227A755E9C2933154389A


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart]
"C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
stsystra.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\svhost]
"C:\WINDOWS\svhost.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
%systemroot%\system32\dumprep 0 -u


R1 DLACDBHM;DLACDBHM;C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
R1 DLARTL_N;DLARTL_N;C:\WINDOWS\system32\Drivers\DLARTL_N.SYS
R2 ASCTRM;ASCTRM;C:\WINDOWS\system32\drivers\ASCTRM.sys
R2 DLABOIOM;DLABOIOM;C:\WINDOWS\system32\DLA\DLABOIOM.SYS
R2 DLADResN;DLADResN;C:\WINDOWS\system32\DLA\DLADResN.SYS
R2 DLAIFS_M;DLAIFS_M;C:\WINDOWS\system32\DLA\DLAIFS_M.SYS
R2 DLAOPIOM;DLAOPIOM;C:\WINDOWS\system32\DLA\DLAOPIOM.SYS
R2 DLAPoolM;DLAPoolM;C:\WINDOWS\system32\DLA\DLAPoolM.SYS
R2 DLAUDF_M;DLAUDF_M;C:\WINDOWS\system32\DLA\DLAUDF_M.SYS
R2 DLAUDFAM;DLAUDFAM;C:\WINDOWS\system32\DLA\DLAUDFAM.SYS
R2 DRVNDDM;DRVNDDM;C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
R2 dsunidrv;DellSupport UniDriver;C:\WINDOWS\system32\DRIVERS\dsunidrv.sys
R2 ehRecvr;Media Center Receiver Service;C:\WINDOWS\eHome\ehRecvr.exe
R2 ehSched;Media Center Scheduler Service;C:\WINDOWS\eHome\ehSched.exe
R2 McrdSvc;Media Center Extender Service;C:\WINDOWS\ehome\mcrdsvc.exe
R3 E100B;Intel(R) PRO Network Connection Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
R3 STHDA;SigmaTel High Definition Audio CODEC;C:\WINDOWS\system32\drivers\sthda.sys
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys
S3 DSproct;DSproct;\??\C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
S3 MHN;MHN;C:\WINDOWS\System32\svchost.exe -k netsvcs
S3 MHNDRV;MHN driver;C:\WINDOWS\system32\DRIVERS\mhndrv.sys
S3 MSSQL$SONY_MEDIAMGR;MSSQL$SONY_MEDIAMGR;C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe -sSONY_MEDIAMGR
S3 SQLAgent$SONY_MEDIAMGR;SQLAgent$SONY_MEDIAMGR;C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE -i SONY_MEDIAMGR
S3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys
S4 agpCPQ;Compaq AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\agpCPQ.sys



[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe



**************************************************************************


catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-01 18:16:36
Windows 5.1.2600 Service Pack 2 NTFS


scanning hidden processes ...


scanning hidden registry entries ...


scanning hidden files ...


scan completed successfully
hidden files: 0


**************************************************************************


Completion time: 2007-08-01 18:17:51 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-01 18:17


--- E O F ---


A few things in that log that should probably go. Let's see what AVG antispyware can do first though.

Please download and install the AVG antispyware tool.

  • Close all other applications, select your language and click OK.
  • Click I Agree.
  • Click Next.
  • Click Install.
  • Click Finish.
  • Wait, and AVG antispyware will open to the main screen automatically.
  • Wait again a few minutes and AVG antispyware should auto-update itself. If it doesn't, click Update at the top of the screen.
  • It is very important that you get updated.
  • When updating has finished, close AVG antispyware.

If you have an "always on" connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode.

Next, please reboot your computer in Safe Mode by doing the following:

  • Restart your computer.
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear; use the up arrow to highlight.
  • Select the first option, to run Windows in Safe Mode, and hit Enter.
  • For additional help in booting into Safe Mode, see the following site: HERE

    You MUST manage to get into Safe Mode for the fix to work.

Make sure to close all open windows/programs/folders. Have nothing else open while AVG antispyware performs its scan!

  • Run AVG antispyware.
  • Click on Scanner at the top of the AVG antispyware screen.
  • Click on Settings.
  • Under How to Act, click on Recommended Action and choose Quarantine.
  • Under How to Scan, all boxes should be selected.
  • Under Possibly Unwanted Software, all boxes should be selected.
  • On the right side under Reports, click on Do not automatically generate report after every scan.
  • Under What to Scan, select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan.
  • Let the program scan the machine. It can take a while; give it time.
  • When the scan has finished, at the bottom of the screen click Apply all Actions.
  • Click Save Report.
  • Click Save Report As (a Save As window should pop up).
  • Click Desktop.
  • Click Save.
  • Exit AVG antispyware.

Reboot back to normal mode.
Post the log here.

Post another HijackThis log too please. Rename it to analysethis first though.

We're having the exact same problem, down to the part with the lame pirate guy. You have to admit man, some of the music is actually pretty cool.

I have installed AVG and run the scan in Safe Mode.
I've also made a new HijackThis log.

The AVG report is attached and the new Hijack log is below.

Thank you for all your help so far.

I can't comment on whether or not the trojan is still there since I haven't heard it in a while. But that doesn't mean it's not still lurking.


Hijack Log

Logfile of HijackThis v1.99.1
Scan saved at 1:31:51 PM, on 8/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Documents and Settings\MyKill.D1Q7SN91\Desktop\AIM95\aim.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [AIM] C:\Documents and Settings\MyKill.D1Q7SN91\Desktop\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Uaol] "C:\DOCUME~1\MYKILL~1.D1Q\MYDOCU~1\YSTEM3~1\mmc.exe" -vt yazb
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\MyKill.D1Q7SN91\Desktop\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

Please go to Jotti's or to VirusTotal and have these files scanned. Post the results back here.

C:\WINDOWS\system32\cbeeg.bak1
C:\WINDOWS\pss
C:\DOCUME~1\MYKILL~1.D1Q\MYDOCU~1\YSTEM3~1\mmc.exe
C:\WINDOWS\poolsv.exe
C:\WINDOWS\retadpu77.exe

===============

Download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following:

  • Restart your computer.
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
  • Instead of Windows loading as normal, a menu with options should appear.
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
  • In Safe Mode, right-click the SDFix.zip folder and choose Extract All.
  • Open the extracted folder and double-click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan services, then make some repairs to the registry and prompt you to press any key to reboot.
  • Press any key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads, the fixtool will complete the removal and display Finished; then press any key to end the script and load your desktop icons.
  • Finally, open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.