trojan-downloader

jimz

Hello everyone, I've been reading this site for a few months, learning... great site. Finally need some help, please.

Picked up a trojan-downloader.wma.getcodec.c on Kaspersky, but nothing else can find it. Malwarebytes comes up clean. Can someone please look over my HijackThis log?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:06:50 AM, on 1/22/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.44.66;64.136.52.66;64.136.52.70;searchap.untd.com;127.0.0.1;localhost;*microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.com;*.networkassociates.com;*.dir.untd.com;cf.netzero.net;qs.netzero.net;*.prod.untd.com;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Pop-up Blocker - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Dell PC Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [dlcxmon.exe] "C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe"
O4 - HKLM\..\Run: [DLCXCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O15 - Trusted Zone: *.netzero.com
O15 - Trusted Zone: *.netzero.net
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Andrea RT Filters Service (AERTFilters) - Andrea Electronics Corporation - C:\Windows\system32\AERTSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall Service (AVGFw2kv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfw2kv.exe
O23 - Service: dlcx_device - - C:\Windows\system32\dlcxcoms.exe
O23 - Service: Google Desktop Manager 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 8933 bytes

Thank You !!
 
If one program tells you that you have something and every other program says you don't, it's likely a false positive.
 
Thanks. Ran ComboFix last night and it deleted a windows\system32\x64; that was the only thing on it.

Reran Kaspersky and it detected the same thing. Did Malwarebytes and SUPERAntiSpyware and it was negative. Kaspersky shows it being in my backup files; computer might be running slower (maybe my imagination) but otherwise fine.

Anyway, thanks for the reply.
 
Also run CCleaner (just Google for the official site and download). This program will get rid of all the temporary files on your PC. Such things as cookies, history, internet cache etc. will get deleted and free up lots of space. This will help speed up your PC and such.
 

Please post the log ComboFix created, it should be located at C:\ComboFix.txt

Also run CCleaner (just Google for the official site and download). This program will get rid of all the temporary files on your PC. Such things as cookies, history, internet cache etc. will get deleted and free up lots of space. This will help speed up your PC and such.

Just elaborating.

Download: CCleaner (freeware)
http://www.majorgeeks.com/download4191.html
Run the installer, and uncheck the option to install Yahoo toolbar (unless you want Yahoo toolbar).
Once installed, run CCleaner and click the Windows tab.
The following should be selected by default; if not, please select them:
[screenshot: CCleanerA.png, the Windows tab of CCleaner with the default cleaning options ticked]

Next, click Options, then the Settings tab.
Uncheck "Only delete files older than 48 hrs." and click OK.
Then click Run Cleaner (bottom right), then Exit.
 
Thanks, but I run CCleaner... AVG found one Wimad.f, but didn't do anything because it's in the archive, so I deleted that... still have one more. And thanks Respital, here's the log:

ComboFix 09-01-21.02 - jim 2009-01-22 1:29:51.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3069.2045 [GMT -6:00]
Running from: c:\users\jim\Downloads\ComboFix.exe
AV: AVG 7.5.552 *On-access scanning enabled* (Updated)
FW: AVG Firewall 7.5.500 *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\x64
F:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-12-22 to 2009-01-22 )))))))))))))))))))))))))))))))
.

2009-01-22 00:06 . 2009-01-22 00:06 <DIR> d-------- c:\program files\Trend Micro
2009-01-21 18:34 . 2009-01-21 19:03 <DIR> d-------- c:\program files\LimeWire
2009-01-21 15:34 . 2009-01-21 15:34 <DIR> d-------- c:\users\All Users\SUPERAntiSpyware.com
2009-01-21 15:34 . 2009-01-21 15:34 <DIR> d-------- c:\programdata\SUPERAntiSpyware.com
2009-01-21 14:24 . 2009-01-21 14:24 <DIR> d----c--- c:\windows\System32\DRVSTORE
2009-01-21 14:24 . 2009-01-21 14:24 64,160 --a------ c:\windows\System32\drivers\Lbd.sys
2009-01-21 14:22 . 2009-01-21 14:22 <DIR> d--h-c--- c:\users\All Users\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-01-21 14:22 . 2009-01-21 14:22 <DIR> d--h-c--- c:\programdata\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-01-21 14:17 . 2009-01-21 14:17 <DIR> d-------- c:\program files\filehippo.com
2009-01-20 22:05 . 2009-01-20 22:05 <DIR> d-------- c:\users\jim\AppData\Roaming\vlc
2009-01-19 02:44 . 2009-01-19 02:44 <DIR> d-------- c:\windows\AC54E5443E42443CA91DA00A6974C592.TMP
2009-01-19 01:35 . 2009-01-19 01:41 <DIR> d-------- c:\program files\Eusing Free Registry Cleaner
2009-01-13 15:34 . 2008-12-15 20:42 288,768 --a------ c:\windows\System32\drivers\srv.sys
2009-01-02 18:17 . 2009-01-19 02:47 <DIR> d-------- c:\users\All Users\NVIDIA
2009-01-02 18:17 . 2009-01-19 02:47 <DIR> d-------- c:\programdata\NVIDIA
2009-01-02 18:14 . 2009-01-02 18:14 <DIR> d-------- c:\windows\A7E07C2B2220441587E3784D5814BC93.TMP
2009-01-02 18:13 . 2009-01-02 18:13 <DIR> d----c--- C:\NVIDIA
2009-01-02 17:30 . 2008-12-23 21:58 453,152 --a------ c:\windows\System32\NVUNINST.EXE
2008-12-30 23:03 . 2008-12-30 23:41 <DIR> dr------- c:\users\jim\Videos
2008-12-30 22:00 . 2008-12-30 22:00 <DIR> d-------- c:\users\jim\AppData\Roaming\PeerNetworking
2008-12-30 14:50 . 2008-12-30 14:50 <DIR> d-------- c:\program files\Windows Installer Clean Up
2008-12-30 07:55 . 2008-12-13 00:23 1,659,392 --a------ c:\windows\System32\mshtml.tlb
2008-12-28 19:21 . 2008-12-28 19:21 <DIR> d-------- c:\program files\Microsoft Games
2008-12-26 17:51 . 2008-12-26 17:51 <DIR> d-------- c:\program files\SpeedFan
2008-12-26 00:08 . 2008-12-26 00:08 9,617,408 --a------ c:\windows\System32\nvoglv32.dll
2008-12-25 17:14 . 2008-12-25 17:14 <DIR> d-------- c:\program files\Defraggler
2008-12-25 13:21 . 2009-01-02 17:55 <DIR> d-------- c:\users\jim\AppData\Roaming\SystemRequirementsLab
2008-12-25 13:21 . 2009-01-02 17:59 <DIR> d-------- c:\program files\SystemRequirementsLab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-22 07:17 --------- d-----w c:\program files\Dl_cats
2009-01-22 06:03 --------- d-----w c:\programdata\Spybot - Search & Destroy
2009-01-22 03:31 --------- d-----w c:\users\jim\AppData\Roaming\LimeWire
2009-01-21 21:32 --------- d-----w c:\programdata\Yahoo! Companion
2009-01-21 21:30 --------- d-----w c:\programdata\avg7
2009-01-21 20:46 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-21 20:24 15,688 ----a-w c:\windows\System32\lsdelete.exe
2009-01-21 20:21 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-21 15:57 --------- d-----w c:\users\jim\AppData\Roaming\AVG7
2009-01-20 21:41 --------- d-----w c:\program files\SUPERAntiSpyware
2009-01-19 08:14 --------- d-----w c:\program files\a-squared Free
2009-01-15 03:22 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-14 23:31 --------- d-----w c:\program files\Glary Utilities
2009-01-14 22:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 22:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-13 22:09 --------- d-----w c:\program files\Windows Mail
2008-12-24 19:45 --------- d-----w c:\program files\CCleaner
2008-12-21 16:54 --------- d-----w c:\program files\Java
2008-12-15 23:58 --------- d-----w c:\programdata\PopCap Games
2008-12-15 23:09 --------- d-----w c:\programdata\Impulse Technology
2008-12-13 20:18 --------- d-----w c:\program files\Google
2008-12-11 23:18 --------- d-----w c:\users\jim\AppData\Roaming\SUPERAntiSpyware.com
2008-12-07 04:30 --------- d-----w c:\users\jim\AppData\Roaming\DellFaxCtr
2008-12-06 19:50 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-06 19:50 --------- d-----w c:\program files\Common Files\Logitech
2008-12-03 19:57 --------- d-----w c:\program files\Logitech
2008-12-02 21:46 --------- d-----w c:\users\jim\AppData\Roaming\OpenOffice.org2
2008-12-02 17:08 --------- d-----w c:\windows\system32\config\systemprofile\AppData\Roaming\AVG7
2008-11-24 04:26 --------- d--h--w c:\programdata\yahoo!
2008-11-23 20:43 --------- d-----w c:\users\jim\AppData\Roaming\Yahoo!
2008-11-23 20:43 --------- d-----w c:\program files\Yahoo!
2008-11-20 23:34 118,784 ------w c:\windows\bwUnin-7.2.0.137-8876480SL.exe
2008-11-10 18:23 243,840 ----a-w c:\windows\System32\ZuneWlanCfgSvc.exe
2008-11-10 18:09 73,728 ----a-w c:\windows\System32\ZuneUsbTransport.dll
2008-11-10 18:09 57,344 ----a-w c:\windows\System32\ZuneRegUtil.dll
2008-11-10 18:09 310,272 ----a-w c:\windows\System32\ZuneNetProxy.dll
2008-11-10 18:09 18,944 ----a-w c:\windows\System32\ZuneTcp2Udp.dll
2008-11-10 18:09 145,920 ----a-w c:\windows\System32\ZuneMTPZ.dll
2008-11-10 18:09 12,800 ----a-w c:\windows\System32\ZunePTDNS.dll
2008-11-10 11:43 410,984 ----a-w c:\windows\System32\deploytk.dll
2008-11-01 03:44 541,696 ----a-w c:\windows\AppPatch\AcLayers.dll
2008-11-01 03:44 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-11-01 03:44 460,288 ----a-w c:\windows\AppPatch\AcSpecfc.dll
2008-11-01 03:44 28,672 ----a-w c:\windows\System32\Apphlpdm.dll
2008-11-01 03:44 2,154,496 ----a-w c:\windows\AppPatch\AcGenral.dll
2008-11-01 03:44 173,056 ----a-w c:\windows\AppPatch\AcXtrnal.dll
2008-11-01 01:21 4,240,384 ----a-w c:\windows\System32\GameUXLegacyGDFs.dll
2008-10-29 06:29 2,927,104 ----a-w c:\windows\explorer.exe
2008-10-22 03:57 241,152 ----a-w c:\windows\System32\PortableDeviceApi.dll
2008-10-22 01:22 2,048 ----a-w c:\windows\System32\tzres.dll
2008-05-05 15:13 174 --sha-w c:\program files\desktop.ini
2008-02-09 04:21 114,688 ----a-w c:\users\jim\so_activex.dll
2009-01-21 21:07 122,880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-12-17 2107224]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-08-07 1548288]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"FaxCenterServer"="c:\program files\Dell PC Fax\fm3032.exe" [2006-11-03 312200]
"dlcxmon.exe"="c:\program files\Dell Photo AIO Printer 926\dlcxmon.exe" [2007-01-12 292336]
"DLCXCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLCXtime.dll" [2006-10-15 106496]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-16 590848]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-11-10 157312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-26 13683232]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-26 92704]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-01-21 507224]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-01-21 30192]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-17 c:\windows\RtHDVCpl.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-05-13 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-30 17:19 356352 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-04-28 15:54 10536 c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
2008-05-13 15:09 9216 c:\windows\System32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=G

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^jim^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Memeo AutoSync Launcher.lnk]
backup=c:\windows\pss\Memeo AutoSync Launcher.lnk.Startup
backupExtension=.Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
--a------ 2008-02-28 22:18 17920 c:\dell\E-Center\EULALauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
--a------ 2006-03-20 16:34 213936 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetZero_uoltray]
--a------ 2008-05-06 19:11 1701376 c:\program files\NetZero\exec.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"MemoryCardManager"="c:\program files\Dell Photo AIO Printer 926\memcard.exe"
"WD Drive Manager"=c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1657192380-3707256627-4232830097-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{DBE42A01-FE80-4BB0-8380-F31B1F5654A7}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{265DDD1C-5110-4754-AE0B-3DDD0F05DAE7}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{D93919E6-5F53-416D-B261-71903970886A}"= UDP:c:\windows\System32\dlcxcoms.exe:Lexmark Communications System
"{D6A3C512-9629-4272-A67B-9B7AC4A48432}"= TCP:c:\windows\System32\dlcxcoms.exe:Lexmark Communications System
"{BACF1357-7FB9-4366-8C9C-05227FE3E2B4}"= UDP:c:\program files\Dell Photo AIO Printer 926\dlcxmon.exe:Device Monitor
"{3E94718C-5C9C-48BB-B813-2E0B0BF30317}"= TCP:c:\program files\Dell Photo AIO Printer 926\dlcxmon.exe:Device Monitor
"{41C49F1E-E42A-45F4-AE65-B17EBC928646}"= UDP:c:\program files\Dell Photo AIO Printer 926\dlcxaiox.exe:All In One Center
"{C16A2D50-3BD3-4851-87BD-763EF44F2ED6}"= TCP:c:\program files\Dell Photo AIO Printer 926\dlcxaiox.exe:All In One Center
"TCP Query User{A8678E58-F7F2-487E-8F8C-6C2A91F597C1}c:\\program files\\ares vista\\ares.exe"= UDP:c:\program files\ares vista\ares.exe:Ares
"UDP Query User{13036046-551D-4922-A67D-F2FF03FBCEFE}c:\\program files\\ares vista\\ares.exe"= TCP:c:\program files\ares vista\ares.exe:Ares
"TCP Query User{A7194AE5-D3A7-4F4A-B23B-9EDC3883FAC0}c:\\program files\\ares ultra\\ares ultra.exe"= UDP:c:\program files\ares ultra\ares ultra.exe:Ares Ultra p2p for windows
"UDP Query User{C7A73548-45D8-426C-BEC0-37D282C88A0C}c:\\program files\\ares ultra\\ares ultra.exe"= TCP:c:\program files\ares ultra\ares ultra.exe:Ares Ultra p2p for windows
"{2BEECEBF-0F22-46DE-BA14-EEE53D822C97}"= UDP:c:\windows\System32\muzapp.exe:MUZ AOD APP player
"{89CE4585-CE28-494C-9871-84C86DFA2582}"= TCP:c:\windows\System32\muzapp.exe:MUZ AOD APP player
"{5DABA100-3E12-4AD2-BF9E-6E4334D39EDB}"= Disabled:UDP:c:\program files\Joost Plugin\joostws.exe:joostws
"{A9EB67E4-8A2D-4ECA-B3EB-4E81BC89135B}"= Disabled:TCP:c:\program files\Joost Plugin\joostws.exe:joostws

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [2009-01-21 64160]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-04 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-04 55024]
R3 AvgWFP;AVG7 Firewall Driver x86;c:\windows\System32\drivers\avgwfp.sys [2008-05-13 53768]
R4 AVGFw2kv;AVG Firewall Service;c:\progra~1\Grisoft\AVG7\avgfw2kv.exe [2008-05-13 793600]
R4 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]
R4 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2008-05-24 1125208]
R4 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [2008-05-16 102400]
R4 YahooAUService;Yahoo! Updater;c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe [2008-11-09 602392]
S3 AERTFilters;Andrea RT Filters Service;c:\windows\System32\AERTSrv.exe [2007-12-05 77824]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-04-28 30192]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
rsmsvcs REG_MULTI_SZ ntmssvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\shell\AutoRun\command - f:\wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c371dc6e-1920-11dd-8ab5-001d0998307a}]
\shell\AutoRun\command - f:\wd_windows_tools\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-21 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-21 14:23]

2009-01-22 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2009-01-10 17:02]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-Lavasoft Ad-Aware Service


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = 64.136.44.66;64.136.52.66;64.136.52.70;searchap.untd.com;127.0.0.1;localhost;*microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.com;*.networkassociates.com;*.dir.untd.com;cf.netzero.net;qs.netzero.net;*.prod.untd.com;<local>
IE: Display All Images with Full Quality - c:\program files\NetZero\qsacc\appres.dll/228
IE: Display Image with Full Quality - c:\program files\NetZero\qsacc\appres.dll/227
Trusted Zone: netzero.com
Trusted Zone: netzero.net
FF - ProfilePath - c:\users\jim\AppData\Roaming\Mozilla\Firefox\Profiles\w88a7qrk.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10168&gct=&gc=1&q=
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\users\jim\AppData\Roaming\Mozilla\Firefox\Profiles\w88a7qrk.default\extensions\[email protected]\components\coolirisstub.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll

---- FIREFOX POLICIES ----
pref(dom.disable_open_during_load, true);.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-22 01:47:12
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCXCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-22 1:49:09
ComboFix-quarantined-files.txt 2009-01-22 07:49:07

Pre-Run: 181,964,910,592 bytes free
Post-Run: 178,282,205,184 bytes free

247 --- E O F --- 2009-01-13 22:09:16
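The whole thread turns on one question raised in the "likely a false positive" reply and again when AVG flags a Wimad.f in an archive: is the file Kaspersky keeps finding in the backups actually carrying anything? Detection names of that family are given to WMA/ASF files whose DRM header holds a license URL that sends the player off to a "codec" download rather than a real license server; that is background knowledge about the family, not something the thread states. The script below is an added example, not part of this thread and not code from Kaspersky, AVG, ComboFix or any other tool mentioned. It parses the ASF header of a file, pulls the license URL out of the Content Encryption Object and the LA_URL out of the Extended Content Encryption Object, and flags any URL that points at an executable. The GUIDs and field layouts are from the public ASF specification; the file that build_sample() produces is constructed for the demonstration, the example.invalid URL is a placeholder, and the "ends in .exe" rule is a heuristic of mine, not an AV signature.

```python
"""Pull DRM license URLs out of a WMA/ASF header so a flagged file can be
inspected directly instead of trusting a single AV verdict.  Added example;
GUIDs and object layouts are taken from the public ASF specification."""
import re
import struct
import uuid

# Top-level Header Object and the two header sub-objects that carry license URLs.
ASF_HEADER = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
CONTENT_ENCRYPTION = uuid.UUID("2211B3FB-BD23-11D2-B4B7-00A0C955FC6E")
EXT_CONTENT_ENCRYPTION = uuid.UUID("298AE614-2622-4C17-B935-DAE07EE9289C")

# Heuristic (an assumption, not an AV signature): a license server hands back a
# license, not a program, so a license URL ending in an executable is the tell.
EXECUTABLE_EXT = re.compile(r"\.(exe|scr|com|pif|bat|cmd|msi|zip)$", re.IGNORECASE)


def is_suspicious(url: str) -> bool:
    path = url.split("?", 1)[0].split("#", 1)[0]
    return bool(EXECUTABLE_EXT.search(path))


def parse_content_encryption(body: bytes) -> dict:
    """Content Encryption Object: four length-prefixed fields in fixed order."""
    fields, off = {}, 0
    for name in ("secret_data", "protection_type", "key_id", "license_url"):
        (length,) = struct.unpack_from("<I", body, off)
        off += 4
        raw = body[off:off + length]
        off += length
        # The three string fields are null-terminated ASCII per the spec.
        fields[name] = raw if name == "secret_data" else raw.rstrip(b"\x00").decode("ascii", "replace")
    return fields


def extract_license_urls(blob: bytes) -> list[str]:
    """Walk the ASF Header Object and return every license URL found in it."""
    if len(blob) < 30 or uuid.UUID(bytes_le=blob[:16]) != ASF_HEADER:
        raise ValueError("not an ASF/WMA file (missing Header Object GUID)")
    header_size, count = struct.unpack_from("<QI", blob, 16)  # object size, then sub-object count
    end = min(header_size, len(blob))
    urls, off = [], 30  # 16 GUID + 8 size + 4 count + 2 reserved bytes
    for _ in range(count):
        if off + 24 > end:
            break  # truncated header: stop rather than read past the data
        guid = uuid.UUID(bytes_le=blob[off:off + 16])
        (size,) = struct.unpack_from("<Q", blob, off + 16)
        if size < 24 or off + size > end:
            break
        body = blob[off + 24:off + size]
        if guid == CONTENT_ENCRYPTION:
            urls.append(parse_content_encryption(body)["license_url"])
        elif guid == EXT_CONTENT_ENCRYPTION:
            # Data Size (DWORD) followed by a UTF-16LE WRMHEADER XML blob holding <LA_URL>.
            (dlen,) = struct.unpack_from("<I", body, 0)
            xml = body[4:4 + dlen].decode("utf-16-le", "replace")
            urls.extend(re.findall(r"<LA_URL>(.*?)</LA_URL>", xml))
        off += size
    return urls


def build_sample(license_url: str) -> bytes:
    """Constructed minimal WMA header (no audio payload) for the demonstration."""
    def obj(guid, body):
        return guid.bytes_le + struct.pack("<Q", 24 + len(body)) + body

    def cstr(s):  # length-prefixed, null-terminated ASCII field
        b = s.encode("ascii") + b"\x00"
        return struct.pack("<I", len(b)) + b

    ce = obj(CONTENT_ENCRYPTION,
             struct.pack("<I", 4) + b"\x00" * 4 + cstr("DRM") + cstr("key-1") + cstr(license_url))
    header_body = struct.pack("<IBB", 1, 0x01, 0x02) + ce  # one sub-object; reserved bytes 0x01, 0x02
    return ASF_HEADER.bytes_le + struct.pack("<Q", 30 + len(ce)) + header_body


if __name__ == "__main__":
    import sys
    # With a path argument the real file is inspected; without one the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample("http://example.invalid/update/codec.exe")
    for url in extract_license_urls(data):
        print(("SUSPICIOUS " if is_suspicious(url) else "license url ") + url)
```

Run it against the file Kaspersky names in the backup set (extract it from the archive first; do not play it). An empty result means the header carries no license URL at all and the single-engine verdict deserves more doubt; a URL ending in an executable is what the detection name describes, and the file should go, along with the LimeWire and Ares downloads it most likely arrived with.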
 