AtlasLoki

Deckard's System Scanner v20070905.67
Run by Neal Norton Jr on 2007-09-18 07:52:32
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
58: 2007-09-18 11:52:35 UTC - RP243 - Deckard's System Scanner Restore Point
57: 2007-09-17 12:21:46 UTC - RP242 - System Checkpoint
56: 2007-09-16 09:12:02 UTC - RP241 - System Checkpoint
55: 2007-09-15 07:19:56 UTC - RP240 - System Checkpoint
54: 2007-09-13 22:23:11 UTC - RP239 - System Checkpoint


-- First Restore Point --
1: 2007-06-21 23:11:47 UTC - RP186 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-09-18 07:53:50
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\McrdSvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\WINDOWS\system32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\alg.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Microsoft ActiveSync\rapimgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Neal Norton Jr\Desktop\dss.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...us&ibd=0061012
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sirius.com/servlet/Conten...=1018209032790
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...us&ibd=0061012
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKEY_LOCAL_MACHINE\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKEY_LOCAL_MACHINE\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKEY_LOCAL_MACHINE\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKEY_LOCAL_MACHINE\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKEY_LOCAL_MACHINE\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKEY_LOCAL_MACHINE\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBL
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: (no name) - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra 'Tools' menuitem: (no name) - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra 'Tools' menuitem: (no name) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra 'Tools' menuitem: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: https://online.musicmatch.com (HKEY_LOCAL_MACHINE)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{2656241E-F5FE-44E3-BDA5-D84D22D6ACBF}: NameServer = 85.255.116.89,85.255.112.125
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{9330C05C-2A9D-4647-B7D9-87F829CEE845}: NameServer = 85.255.116.89,85.255.112.125
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{D69B2D6B-4F48-4A95-AEFA-9058D2B62E5C}: NameServer = 85.255.116.89,85.255.112.125
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{DE7140A5-5B28-4756-96FC-92DD5C43E8AE}: NameServer = 85.255.116.89,85.255.112.125
O17 - HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.89 85.255.112.125
O17 - HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: NameServer = 85.255.116.89 85.255.112.125
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.89 85.255.112.125
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - "C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe"


-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
R3 tbhsd (Tunebite High-Speed Dubbing) - c:\windows\system32\drivers\tbhsd.sys <Not Verified; RapidSolution Software AG; Tunebite High-Speed Dubbing>

S3 DSproct - c:\program files\dell support\gtaction\triggers\dsproct.sys <Not Verified; GTek Technologies Ltd.; processt>
S3 SndTDriverV32 - c:\windows\system32\drivers\sndtdriverv32.sys <Not Verified; Windows (R) 2000/XP; Windows (R) 2000/XP Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 RMSvc (Media Center Extender Resource Monitor) - c:\windows\ehome\rmsvc.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>

S? sdCoreService -


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-09-07 21:04:48 548 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Neal Norton Jr.job


-- Files created between 2007-08-18 and 2007-09-18 -----------------------------

2007-09-18 01:05:56 0 d-------- C:\Program Files\SpywareBlaster
2007-09-18 01:01:18 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-09-18 01:01:17 0 d-------- C:\WINDOWS\LastGood
2007-09-18 00:35:43 0 d-------- C:\DESKTOP
2007-09-18 00:29:16 0 d-------- C:\Program Files\Spyware Doctor


-- Find3M Report ---------------------------------------------------------------

2007-09-18 01:38:37 0 d-------- C:\Program Files\Norton AntiVirus
2007-09-18 01:35:40 0 d-------- C:\Program Files\Microsoft ActiveSync
2007-09-18 01:35:18 0 d-------- C:\Program Files\iTunes
2007-09-18 01:32:27 0 d-------- C:\Program Files\Digital Line Detect
2007-09-18 01:31:51 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-16 08:33:49 0 d-------- C:\Program Files\EvidenceEraser
2007-09-12 13:14:44 3584 --a------ C:\Documents and Settings\Neal Norton Jr\Application Data\dvd.bmk
2007-09-06 20:12:24 0 d-------- C:\Program Files\Citrix
2007-08-25 23:48:02 0 d-------- C:\Program Files\Common Files\Skyscape
2007-08-19 15:43:17 0 d-------- C:\Program Files\Unbound Medicine
2007-08-19 15:43:17 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-08-05 00:19:57 0 d-------- C:\Program Files\Symantec
2007-07-28 12:17:40 45997 --a------ C:\WINDOWS\system32\uninst.exe
2007-07-28 12:13:43 0 d-------- C:\Program Files\Medicos
2007-07-18 17:54:32 0 d-------- C:\Program Files\PKWARE
2007-07-18 17:54:32 0 d-------- C:\Program Files\Common Files
2007-07-18 17:54:32 0 d-------- C:\Program Files\Common Files\PKWARE
2007-07-04 11:08:52 4214 --a------ C:\WINDOWS\mozver.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [09/29/2005 02:01 PM]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [10/05/2005 03:12 AM]
"SigmatelSysTrayApp"="stsystra.exe" [08/15/2006 02:38 AM C:\WINDOWS\stsystra.exe]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [01/02/2006 05:41 PM]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [06/10/2005 10:44 AM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [06/10/2005 10:44 AM]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [09/08/2005 05:20 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/09/2007 10:59 PM]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [09/05/2006 09:22 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/14/2007 07:05 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [04/27/2007 09:41 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [05/11/2007 03:06 AM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [03/12/2007 06:30 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [07/16/2006 09:29 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 05:00 AM]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [11/15/2005 08:44 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [11/07/2006 11:29 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [10/12/2006 7:44:20 PM]
Extender Resource Monitor.lnk - C:\WINDOWS\ehome\RMSysTry.exe [10/20/2005 7:55:40 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="kdxvr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE QWAVE


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe

*Newly Created Service* - IKFILESEC
*Newly Created Service* - IKSYSFLT
*Newly Created Service* - IKSYSSEC
*Newly Created Service* - MCHINJDRV
*Newly Created Service* - SDAUXSERVICE
*Newly Created Service* - SDCORESERVICE



-- End of Deckard's System Scanner: finished at 2007-09-18 07:54:27 ------------

Attached Files

extra.txt (21.3 KB, 1 views)

TheBruce1

Hello and welcome to TSF


Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

===============================================================

Please follow all instructions and in which order they come,if you have any questions,please ask before proceeding.

---------------------------------------------------------------

Its important that you follow this through until i give you the all clear,a lack of symptoms does not mean the infection is gone,its in your best interest that you follow this through to the end.

====================================================

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs (if they exist):

Viewpoint Media Player Viewpoint is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This will change from what we know in 2006 read this article: http://www.clickz.com/news/article.php/3561546

WildTangent Web Driver Wild Tangent is a video game software company specializing in online games. It has even made a partnership with AOL to include itself as part of the AOL Instant Messenger for their AIM games section. The WildTangent Web Driver is their technology that allows you to play 3D games over the Internet. Although its not technically considered spyware it does have built in components to update itself and gather information about the computer system including

* Operating System Version
* CPU Type and Speed
* Memory Amount
* Video Card type and Driver Version
* Sound Card type and Driver Version
* DirectX Version

===================================================

Wareout

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://download.bleepingcomputer.com...Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads post the text that will open (report.txt) and a new Hijackthis log in the forum please.


===================================================

Download this file - http://download.bleepingcomputer.com...a/ComboFix.exe

* IMPORTANT !!! Place combofix.exe on your Desktop





Go to → Run → paste in the single line command & click OK

"%userprofile%\desktop\combofix.exe" /killall

When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

====================================================

You have an outdated version of Hijackthis installed,please uninstall that version and install the latest version below.

---------------------------------

Please download HijackThis to your desktop

Alternate link

This program will help us determine if there are any spyware/malware on your computer. Double-click on the file you just downloaded.
Click on the "Unzip" button to install. It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis

Upon install, HijackThis should open for you.

Should it not open, navigate to C:\Program Files\Trend Micro\HijackThis and double click on HijackThis.exe

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Post the hijackthis.log file here. Do not fix anything in HijackThis since they may be harmless.

===================================================
Logs Required
report.txt(from FixWareout Tool)
C:\Combofix.txt
Hijackthis log

Let us know how your system is behaving,thanks.