# Dell XPS 400 with possible virus, needs help restoring factory settings



## JocelynMeadows (May 29, 2009)

Okay, so I have a desktop Dell XPS 400 that has been acting terribly since April or March.
Stats:
Windows XP Media Center Edition, Service Pack 3
2.8 GHz, 3 GB of RAM.

(not sure if you need to know this... )

So far, the internet connection is cut off and the video (?) drivers are malfunctioning... the USB ports only work sometimes, and not at all for my iPods.

I have been trying to restore factory settings and wipe the hard drive clean; I have already backed up my personal files on an external hard drive.
But I found a paper that came with my computer, stating:

Your new computer does not require an operating system CD or drivers CDs. Instead, if you ever need to reinstall your software, use one of the following methods.

Dell PC Restore: returns your computer to its original operating state. For more information, double click the Owner's Manual icon on your desktop.

I have not been able to find the Owner's Manual, or any link to a Dell PC Restore function on my computer.

Flavallee, here is the HijackThis log you requested:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:11:22 AM, on 6/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Memeo\AutoBackup\MemeoBackgroundService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\SYSTEM32\3cmlink.exe
C:\WINDOWS\system32\dlcdcoms.exe
C:\WINDOWS\SYSTEM32\3cshtdwn.exe
C:\WINDOWS\SYSTEM32\3cmlink.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\GOLDEN~1\LOCALS~1\Temp\940714742.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Memeo\AutoBackup\MemeoBackup.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie8
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AOL Search\AOLSearch.dll (file missing)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: C:\WINDOWS\system32\adhg873ujhdg.dll - {A5AF42A3-94F3-42BD-F634-0604832C897D} - C:\WINDOWS\system32\adhg873ujhdg.dll
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll (file missing)
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DLCDCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,[email protected]
O4 - HKLM\..\Run: [dlcdmon.exe] "C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] C:\Program Files\Dell Photo AIO Printer 944\memcard.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [3c1807pd] C:\WINDOWS\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [PromoReg] C:\WINDOWS\TEMP\BN1A.tmp
O4 - HKLM\..\Run: [Memeo AutoBackup] C:\Program Files\Memeo\AutoBackup\MemeoLauncher2.exe --silent
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Diagnostic Manager] C:\DOCUME~1\GOLDEN~1\LOCALS~1\Temp\940714742.exe
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKUS\S-1-5-18\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\4214744626.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [system tool] C:\WINDOWS\sysguard.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\4214744626.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Golden Beauty\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/ZwinkyInitialSetup1.0.0.15-3.cab
O22 - SharedTaskScheduler: as3iur98wajkef3wgf3 - {A5AF42A3-94F3-42BD-F634-0604832C897D} - C:\WINDOWS\system32\adhg873ujhdg.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcd_device - - C:\WINDOWS\system32\dlcdcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MemeoBackgroundService - Memeo - C:\Program Files\Memeo\AutoBackup\MemeoBackgroundService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe (file missing)
O24 - Desktop Component 1: (no name) - http://facebook.com/

--
End of file - 7032 bytes

Thanks everyone for your help, in advance.


----------



## flavallee (May 12, 2002)

Jocelyn:

According to these log entries, your Dell is infected. 

*O4 - HKLM\..\Run: [PromoReg] C:\WINDOWS\TEMP\BN1A.tmp*

http://www.sysinfo.org/startuplist.php?filter=PromoReg

*O4 - HKUS\S-1-5-18\..\Run: [system tool] C:\WINDOWS\sysguard.exe (User 'SYSTEM')*

http://www.sysinfo.org/startuplist.php?filter=sysguard.exe

I'm also suspicious of these log entries and a few others:

*O2 - BHO: C:\WINDOWS\system32\adhg873ujhdg.dll - {A5AF42A3-94F3-42BD-F634-0604832C897D} - C:\WINDOWS\system32\adhg873ujhdg.dll*

*O4 - HKUS\S-1-5-18\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\4214744626.exe (User 'SYSTEM')*

*O4 - HKUS\.DEFAULT\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\4214744626.exe (User 'Default user')*

I've reported your thread to the "Malware Removal & HijackThis Logs" section for assistance by a malware expert. Wait for a reply and instructions.

----------------------------------------------------------------

Right-click MY COMPUTER, click Properties - Hardware - Device Manager, then click the + in:

*Display Adapters*

*Network Adapters*

*Sound, Video And Game Controllers*

Write down what's listed in the sub-menu of each heading, then post it here.

---------------------------------------------------------------
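As an added illustration of the triage flavallee is doing above (example code, not from the thread, HijackThis or Trend Micro), this Python script parses HijackThis log lines and flags the patterns he points at: autoruns launched from a TEMP folder or with a random numeric name, Run values in the SYSTEM account's hive, an extra program chained into the Winlogon UserInit value (the F2 line), a BHO with no display name, and the policy that disables regedit. The sample lines are copied from the log posted above; the heuristics, names and thresholds are assumptions of mine.

```python
"""Triage HijackThis (v2.x) log lines for the patterns flagged in this thread.
Added example, not code from the thread, HijackThis or Trend Micro: the
checks encode the reasoning above (autoruns from TEMP folders or with random
numeric names, Run values in the SYSTEM hive, an extra program chained into
Winlogon UserInit, a BHO with no display name, regedit disabled by policy)."""
import re
from dataclasses import dataclass

# Sample lines copied from the HijackThis log posted in this thread, plus two
# benign entries (Intel, ATI) that the checks should leave alone.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: C:\WINDOWS\system32\adhg873ujhdg.dll - {A5AF42A3-94F3-42BD-F634-0604832C897D} - C:\WINDOWS\system32\adhg873ujhdg.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [PromoReg] C:\WINDOWS\TEMP\BN1A.tmp
O4 - HKCU\..\Run: [Diagnostic Manager] C:\DOCUME~1\GOLDEN~1\LOCALS~1\Temp\940714742.exe
O4 - HKUS\S-1-5-18\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\4214744626.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [system tool] C:\WINDOWS\sysguard.exe (User 'SYSTEM')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# O4 body looks like: HIVE\..\Run: [Name] command (User 'X')   (user part optional)
O4_RE = re.compile(r"^(?P<hive>\S+)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] "
                   r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$")
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)           # ...\TEMP\x.exe
NUMERIC_EXE_RE = re.compile(r"\\\d{6,}\.exe$", re.IGNORECASE)  # ...\940714742.exe
SYSTEM_HIVE = "HKUS\\S-1-5-18"   # per-user hive of the SYSTEM account (assumed prefix)


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    reason: str    # why the line was flagged
    line: str      # the original log line


def parse_line(line):
    """Split 'O4 - body' into ('O4', 'body'); None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    return (m.group("section"), m.group("body")) if m else None

def check_o4(body):
    m = O4_RE.match(body)
    if not m:                     # e.g. "Global Startup: x.lnk = ?" has no hive
        return []
    cmd, reasons = m.group("cmd").strip('"'), []
    if TEMP_DIR_RE.search(cmd):
        reasons.append("autorun launches from a TEMP folder")
    if NUMERIC_EXE_RE.search(cmd):
        reasons.append("autorun target has a random numeric file name")
    if m.group("hive").upper().startswith(SYSTEM_HIVE):
        reasons.append("Run value in the SYSTEM account's hive")
    return reasons

def check_f2(body):
    # Winlogon should run only userinit.exe; anything chained after it runs at every logon.
    if "UserInit=" not in body:
        return []
    parts = [p.strip() for p in body.split("UserInit=", 1)[1].split(",") if p.strip()]
    extras = [p for p in parts if not p.lower().endswith("\\userinit.exe")]
    return [f"extra program chained into Winlogon UserInit: {p}" for p in extras]

def check_o2(body):
    # Body: "BHO: <name> - {CLSID} - <path>"
    parts = [p.strip() for p in body.split(" - ")]
    if len(parts) < 3 or not parts[0].startswith("BHO:"):
        return []
    name, path = parts[0][4:].strip(), parts[-1]
    if path == "(no file)":
        return ["orphaned BHO registration (no file)"]
    if name.lower() == path.lower():
        return ["BHO has no display name (name equals its DLL path)"]
    return []

def check_o7(body):
    return ["registry editor disabled by policy"] if "DisableRegedit=1" in body else []

CHECKS = {"O4": check_o4, "F2": check_f2, "O2": check_o2, "O7": check_o7}

def triage(log_text):
    """Run every section check over a log and return the flagged entries."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed:
            section, body = parsed
            for reason in CHECKS.get(section, lambda _b: [])(body):
                findings.append(Finding(section, reason, raw.strip()))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<3} {f.reason}\n    {f.line}")
```

Entries the script leaves alone still need a human look (the "(file missing)" toolbars and the stale Trend Micro service above are examples); the checks only reproduce the reasoning given in this post.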


----------



## dvk01 (Dec 14, 2002)

Delete any existing version of ComboFix you have sitting on your desktop.
*Please read and follow all these instructions very carefully*
Download ComboFix from *Here* to your Desktop.

***Note: It is important that it is saved directly to your desktop and run from the desktop and not any other folder on your computer***
--------------------------------------------------------------------
1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.


*Very Important!* *Temporarily disable* your *anti-virus* and *anti-malware* real-time protection and any *script blocking components of them or your firewall* *before* performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause _"unpredictable results"_ or _stop ComboFix running at all_.
Click on *THIS LINK* to see instructions on how to temporarily disable many security programs while running ComboFix. The list does not cover every program. If yours is not listed and you don't know how to disable it, please ask.
*Remember to re-enable the protection again after ComboFix has finished.*
--------------------------------------------------------------------
2. Close any open browsers and any other programs you might have running.
Double click on *combofix.exe* & follow the prompts. If you are using Windows XP it might display a pop-up saying "Recovery console is not installed, do you want to install?"
Please select yes & let it download the files it needs to do this.
When finished, it will produce a report for you.
Please post the *"C:\ComboFix.txt"* along with a *new HijackThis log* for further review.

***Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall or freeze.***

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: ComboFix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read HERE why we disable autoruns.

*Please do not install any new programs or update anything unless told to do so while we are fixing your problem.*


----------



## dvk01 (Dec 14, 2002)

If you want to restore to factory settings instead of attempting to fix it, then:

https://support.dell.com/support/to...pe=&os=&component=&lang=&doclang=&toggle=&dl=

Using PC Restore in Windows XP or Media Center

Notice:
Restoring the original factory image erases ALL existing data. This includes files, folders, programs, drivers, e-mails and photos. Before performing a PC Restore, back up all personal files. If you do not back up your personal files, the data will be lost.

1. Turn on the computer.

2. When the Dell splash screen appears during the computer startup process, press and hold <Ctrl> and then press <F11>. Then release both keys at the same time.
   NOTE: Some systems like the Inspiron Mini 9 (910) do not support System Restore as they do not have <F11> nor any substitute.

3. In the Dell PC Restore by Symantec window, click Restore. Alternatively, press <Tab> to highlight Restore, and then press <Enter>.

4. When a warning message appears stating that all data will be lost, click Confirm, or press <Tab> to highlight Confirm and then press <Enter>.

   The Progress window will appear. Once the restore process starts, Dell PC Restore by Symantec usually takes about 8 to 10 minutes to finish.

   When the restore process is complete, the following message will appear:
   The system recovery process was successful.

5. Click Finish or press <Tab> to highlight Finish and then press <Enter> to restart the computer.

The software is now installed as it was when the computer was first received.


----------



## flavallee (May 12, 2002)

Jocelyn:

When I reported your thread to the "Malware Removal & HijackThis Logs" section for assistance, I advised that you were considering doing a full recovery.

dvk01 is here now to assist you, so advise what you want to do.

Frank

---------------------------------------------------------------


----------



## JocelynMeadows (May 29, 2009)

Thank you so much Frank, you've really helped me.

Dvk01:

Here are the ComboFix and HijackThis logs you requested. ComboFix couldn't download the Recovery Console files because the XPS cannot connect to the internet.

ComboFix Log:

ComboFix 09-06-07.01 - Golden Beauty 06/07/2009 17:34.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2697 [GMT -4:00]
Running from: c:\documents and settings\Golden Beauty\Desktop\ComboFix.exe
FW: Trend Micro PC-cillin Internet Security (Firewall) *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Golden Beauty\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\Microsoft Common
c:\program files\newdotnet
c:\program files\newdotnet\nnrun.exe
c:\program files\newdotnet\readme.html
c:\program files\newdotnet\uninstall.exe
c:\program files\ThunMail
c:\program files\ThunMail\testabd.ex_
c:\program files\WinPCap
c:\program files\WinPCap\rpcapd.exe
c:\windows\Install.txt
c:\windows\jestertb.dll
c:\windows\KBPK090403.log
c:\windows\KBPK090404.log
c:\windows\sysguard.exe
c:\windows\system32\adhg873ujhdg.dll
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Install.txt
c:\windows\system32\ntos.exe
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
c:\windows\system32\wsnpoem
c:\windows\system32\wsnpoem\audio.dll
c:\windows\system32\wsnpoem\video.dll
c:\windows\Temp\1099795362.exe
c:\windows\Temp\1145889112.exe
c:\windows\Temp\127851330.exe
c:\windows\Temp\1486161616.exe
c:\windows\Temp\169570080.exe
c:\windows\Temp\2159289954.exe
c:\windows\Temp\2447822294.exe
c:\windows\Temp\2763018386.exe
c:\windows\Temp\309693560.exe
c:\windows\Temp\3420562094.exe
c:\windows\Temp\3449606232.exe
c:\windows\Temp\3607404324.exe
c:\windows\Temp\3787865848.exe
c:\windows\Temp\3835053348.exe
c:\windows\Temp\4193450852.exe
c:\windows\Temp\4214744626.exe
c:\windows\Temp\4249857102.exe
c:\windows\Temp\489061334.exe
c:\windows\Temp\886590458.exe
c:\windows\Temp\900896338.exe
c:\windows\Temp\902615088.exe

----- BITS: Possible infected sites -----

hxxp://download.esd.intuit.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NNSERV
-------\Legacy_NPF
-------\Service_npf
-------\Service_restore

((((((((((((((((((((((((( Files Created from 2009-05-07 to 2009-06-07 )))))))))))))))))))))))))))))))
.

2009-06-07 03:40 . 2009-06-07 03:40	--------	d-----w-	C:\ProgramData
2009-06-07 03:40 . 2009-06-07 03:40	--------	d-----w-	c:\documents and settings\All Users\Application Data\Electronic Arts
2009-06-06 22:31 . 2009-06-06 22:31	--------	d-----w-	c:\program files\Microsoft WSE
2009-06-06 22:31 . 2006-09-28 20:05	2414360	----a-w-	c:\windows\system32\d3dx9_31.dll
2009-06-06 22:31 . 2009-06-06 22:31	--------	d-----w-	c:\windows\Logs
2009-06-06 22:15 . 2009-06-06 22:32	--------	d-----w-	c:\program files\Electronic Arts
2009-06-06 20:05 . 2009-06-06 20:05	--------	d-----w-	c:\documents and settings\NetworkService\Local Settings\Application Data\ServiceTest
2009-06-06 20:04 . 2009-06-06 20:04	--------	d-----w-	c:\program files\Common Files\eSellerate
2009-06-06 20:03 . 2009-06-06 20:03	--------	d-----w-	c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2009-06-05 23:27 . 2009-06-05 23:27	--------	d-----w-	c:\documents and settings\All Users\Application Data\MemeoCommon
2009-06-05 23:23 . 2009-06-05 23:23	--------	d-----w-	c:\docume~1\GOLDEN~1\APPLIC~1\Memeo
2009-06-05 23:23 . 2009-06-05 23:23	--------	d-----w-	c:\documents and settings\LocalService\Local Settings\Application Data\ServiceTest
2009-06-05 23:23 . 2009-06-05 23:23	--------	d-----w-	c:\documents and settings\Golden Beauty\Local Settings\Application Data\temp
2009-06-05 23:23 . 2009-06-05 23:23	--------	d-----w-	c:\program files\Memeo
2009-06-05 23:19 . 2009-06-05 23:19	--------	d-----w-	c:\program files\Western Digital
2009-06-05 23:19 . 2009-06-05 23:19	--------	d-----w-	c:\program files\Western Digital Corporation

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-07 06:11 . 2006-03-25 13:10	--------	d-----w-	c:\program files\Trend Micro
2009-06-06 22:15 . 2006-03-25 13:02	--------	d--h--w-	c:\program files\InstallShield Installation Information
2009-06-06 20:04 . 2008-12-23 23:07	--------	d-----w-	c:\documents and settings\All Users\Application Data\Yahoo!
2009-06-06 20:04 . 2008-12-29 02:14	--------	d-----w-	c:\documents and settings\All Users\Application Data\LogiShrd
2009-06-06 20:04 . 2006-03-25 13:05	--------	d-----w-	c:\program files\Common Files\Nullsoft
2009-06-06 20:03 . 2007-04-01 20:03	--------	d-----w-	c:\program files\Common Files\Intuit
2009-06-06 20:03 . 2006-03-25 13:06	--------	d-----w-	c:\program files\Common Files\Corel
2009-06-06 20:02 . 2009-04-03 20:15	--------	d-----w-	c:\windows\system32\config\systemprofile\Application Data\VOL_TOOLBAR
2009-06-06 20:02 . 2009-04-04 16:20	--------	d-----w-	c:\program files\Microsoft CAPICOM 2.1.0.2
2009-06-06 20:01 . 2009-04-07 15:15	--------	d-----w-	c:\documents and settings\All Users\Application Data\SecTaskMan
2009-06-06 20:01 . 2009-04-07 15:15	--------	d-----w-	c:\program files\Security Task Manager
2009-06-06 19:54 . 2006-03-25 13:04	--------	d-----w-	c:\program files\MUSICMATCH
2009-06-06 19:53 . 2006-04-15 19:24	--------	d-----w-	c:\program files\Web Publish
2009-06-06 16:21 . 2007-04-01 20:01	--------	d-----w-	c:\program files\TurboTax
2009-06-06 16:14 . 2009-02-23 00:58	--------	d-----w-	c:\documents and settings\All Users\Application Data\Skype
2009-05-22 00:41 . 2006-04-03 23:45	152	--sh--r-	c:\windows\system32\1EE16A70DD.sys
2009-05-22 00:41 . 2006-03-30 23:37	7520	--sha-w-	c:\windows\system32\KGyGaAvL.sys
2009-04-15 01:29 . 2009-04-15 01:29	--------	d-----w-	c:\docume~1\GOLDEN~1\APPLIC~1\Intuit
2009-04-03 20:19 . 2009-04-03 20:16	154112	----a-w-	C:\75.tmp
2009-04-03 20:17 . 2009-04-03 20:17	0	----a-w-	C:\7A.tmp
2009-04-03 20:15 . 2009-04-03 20:15	0	-c--a-w-	c:\windows\system32\73.tmp
2009-04-03 20:15 . 2009-04-03 20:15	124	-c--a-w-	c:\windows\system32\6A.tmp
2009-04-02 18:52 . 2006-04-01 14:34	108896	-c--a-w-	c:\documents and settings\Golden Beauty\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-29 19:18 . 2005-08-16 10:41	88983	----a-w-	c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-03-21 03:32 . 2008-12-25 10:37	410984	----a-w-	c:\windows\system32\deploytk.dll
2008-05-05 01:37 . 2008-05-05 01:35	284248	----a-w-	c:\program files\npmusicn.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VirtualExpanderFile.1]
@="{E4000AC4-5E5F-4956-807A-C5854405D64F}"
[HKEY_CLASSES_ROOT\CLSID\{E4000AC4-5E5F-4956-807A-C5854405D64F}]
2008-09-03 22:03	73728	------w-	c:\windows\system32\VirtualExpander\VEShellExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-03-28 3325952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"DLCDCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll" [2005-09-14 73728]
"dlcdmon.exe"="c:\program files\Dell Photo AIO Printer 944\dlcdmon.exe" [2005-10-07 430080]
"MemoryCardManager"="c:\program files\Dell Photo AIO Printer 944\memcard.exe" [2005-09-07 290816]
"3c1807pd"="c:\windows\SYSTEM32\3cmlink.exe" [2005-11-18 73728]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"Memeo AutoBackup"="c:\program files\Memeo\AutoBackup\MemeoLauncher2.exe" [2008-11-07 144608]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-23 339968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-3-25 24576]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Forget Me Not.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Forget Me Not.lnk
backup=c:\windows\pss\Forget Me Not.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Instant Update.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Instant Update.lnk
backup=c:\windows\pss\Instant Update.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\U.S. Robotics\\Instant Update\\InstUpDt.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\Memeo\AutoBackup\MemeoBackgroundService.exe [11/7/2008 3:38 PM 25824]
R3 dlcd_device;dlcd_device;c:\windows\system32\dlcdcoms.exe -service --> c:\windows\system32\dlcdcoms.exe -service [?]
S2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe --> c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [?]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys --> c:\windows\system32\Drivers\BW2NDIS5.sys [?]
S3 SPCP825K;Sunplus Serial port driver;c:\windows\system32\drivers\SPCP825K.sys [8/14/2006 10:43 PM 26624]
S3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;c:\windows\system32\drivers\WUSB54GCv3.sys [4/13/2009 6:27 PM 627072]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
- - - - ORPHANS REMOVED - - - -

BHO-{A5AF42A3-94F3-42BD-F634-0604832C897D} - c:\windows\system32\adhg873ujhdg.dll
HKLM-Run-USRpdA - (no file)
HKU-Default-Run-system tool - c:\windows\sysguard.exe
SharedTaskScheduler-{A5AF42A3-94F3-42BD-F634-0604832C897D} - c:\windows\system32\adhg873ujhdg.dll
Notify-WgaLogon - (no file)
SafeBoot-procexp90.Sys

.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZCfox000&fl=0&ptb=KkkKgJBPq93F7D2wSCNyjw&url=http://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&st=sb&searchfor={searchTerms}
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Golden Beauty\Start Menu\Programs\IMVU\Run IMVU.lnk
Trusted Zone: musicmatch.com\online
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/ZwinkyInitialSetup1.0.0.15-3.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-07 17:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCDCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,[email protected]???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,69,d0,21,66,2f,03,23,4c,b9,1d,12,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,69,d0,21,66,2f,03,23,4c,b9,1d,12,\

[HKEY_LOCAL_MACHINE\software\Classes\.application\bootstrap]
@DACL=(02 0000)
@="bootstrap.application.1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(208)
c:\windows\system32\VirtualExpander\VEShellExt.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\windows\system32\3cshtdwn.exe
c:\program files\Memeo\AutoBackup\MemeoBackup.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\dlcdcoms.exe
.
**************************************************************************
.
Completion time: 2009-06-07 17:47 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-07 21:46

Pre-Run: 125,477,453,824 bytes free
Post-Run: 125,909,073,920 bytes free

468	--- E O F ---	2009-04-04 16:20

Hijack This Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:48:12 PM, on 6/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Memeo\AutoBackup\MemeoBackgroundService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\SYSTEM32\3cmlink.exe
C:\WINDOWS\SYSTEM32\3cshtdwn.exe
C:\WINDOWS\SYSTEM32\3cmlink.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Memeo\AutoBackup\MemeoBackup.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dlcdcoms.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AOL Search\AOLSearch.dll (file missing)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll (file missing)
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DLCDCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,[email protected]
O4 - HKLM\..\Run: [dlcdmon.exe] "C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] C:\Program Files\Dell Photo AIO Printer 944\memcard.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [3c1807pd] C:\WINDOWS\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Memeo AutoBackup] C:\Program Files\Memeo\AutoBackup\MemeoLauncher2.exe --silent
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Golden Beauty\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/ZwinkyInitialSetup1.0.0.15-3.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcd_device - - C:\WINDOWS\system32\dlcdcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MemeoBackgroundService - Memeo - C:\Program Files\Memeo\AutoBackup\MemeoBackgroundService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe (file missing)
O24 - Desktop Component 1: (no name) - http://facebook.com/

--
End of file - 6276 bytes

Thank you for helping me!


----------
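The two logs above are read by eye in this thread. As an added example (written for this page, not part of the thread and not a ComboFix or HijackThis feature), the helper below mechanizes three of the checks a malware-removal helper makes on logs of this shape: the Windows Firewall exception flood at the top of the ComboFix output (dozens of high TCP ports, each exception named after its own port), autostart entries whose target is gone (`(no file)` / `(file missing)`), and autostart, BHO or service entries whose binary sits directly in the Windows root or under a user profile rather than System32 or Program Files. The sample lines are constructed to mirror entries from the posted logs; the threshold of 10 exceptions and the "odd location" rule are assumptions for illustration, and the output is a review list, not a verdict.

```python
"""Triage helper for ComboFix / HijackThis style log lines.

Added example: not part of the original thread and not a ComboFix or
HijackThis feature. It mechanizes three checks otherwise done by eye:

  1. Firewall exception flood: many Windows Firewall GloballyOpenPorts
     entries on high ports, each named after its own port number.
  2. Stale autostart entries whose target is gone ("(no file)" or
     "(file missing)"); harmless on their own, but they show what ran.
  3. Autostart / BHO / service entries whose binary sits directly in the
     Windows root or under a user profile rather than System32 or
     Program Files. These are review items, not verdicts.

The threshold and the "odd location" rule are assumptions for illustration.
"""
import re

# ComboFix renders a firewall exception as:  "39424:TCP"= 39424:TCPORT_39424
FW_RE = re.compile(r'^"(\d{1,5}):(TCP|UDP)"\s*=\s*\1:\2')
# A drive-letter path ending in an executable extension; spaces allowed.
PATH_RE = re.compile(r'[A-Za-z]:\\.+?\.(?:exe|dll|sys)\b', re.IGNORECASE)
MISSING_RE = re.compile(r'\((?:no file|file missing)\)', re.IGNORECASE)
# HijackThis "O" lines plus the entry styles in ComboFix's "ORPHANS REMOVED" list.
AUTOSTART_RE = re.compile(r'^(O\d+\s+-|BHO-|HKLM-Run-|HKU-\S+?-Run-|SharedTaskScheduler-)')


def is_suspicious_location(path):
    """Assumed rule: binary directly in the Windows root, or anywhere under a user profile / Temp."""
    directory = path.lower().rsplit('\\', 1)[0]
    return (directory in ('c:\\windows', 'c:\\winnt')
            or '\\documents and settings\\' in directory
            or '\\temp\\' in directory + '\\')


def triage(lines, fw_threshold=10):
    """Return (kind, detail) findings in log order; the firewall summary comes last."""
    findings = []
    high_ports = set()
    for raw in lines:
        line = raw.strip()
        m = FW_RE.match(line)
        if m:
            port = int(m.group(1))
            if port >= 1024:  # ignore well-known service ports
                high_ports.add((port, m.group(2)))
            continue
        if not AUTOSTART_RE.match(line):
            continue
        if MISSING_RE.search(line):
            findings.append(('stale-entry', line))
        for path in PATH_RE.findall(line):
            if is_suspicious_location(path):
                findings.append(('odd-location', path))
    if len(high_ports) >= fw_threshold:
        findings.append(('firewall-flood', f'{len(high_ports)} high-port exceptions'))
    return findings


# Constructed sample, modelled on the ComboFix and HijackThis logs posted above.
_PORTS = (39424, 58918, 61940, 20266, 26118, 51526, 51321, 63461, 56117, 14488, 25633, 13040)
SAMPLE_LOG = [f'"{p}:TCP"= {p}:TCPORT_{p}' for p in _PORTS] + [
    r'BHO-{A5AF42A3-94F3-42BD-F634-0604832C897D} - c:\windows\system32\adhg873ujhdg.dll',
    r'HKLM-Run-USRpdA - (no file)',
    r'HKU-Default-Run-system tool - c:\windows\sysguard.exe',
    r'O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)',
    r'O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe',
    r'O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe',
    r'O23 - Service: Trend Micro Personal Firewall (TmPfw) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe (file missing)',
]

if __name__ == '__main__':
    for kind, detail in triage(SAMPLE_LOG):
        print(f'{kind:15} {detail}')
```

Deliberately absent is a "random-looking filename" rule: the legitimate vendor files in this same log (3cshtdwn.exe, ati2evxx.exe, WUSB54GCv3.sys) would trip any simple letter/digit or entropy test. Note also what the location rule does and does not catch on the sample: c:\windows\sysguard.exe is flagged, while c:\windows\system32\adhg873ujhdg.dll is not, which is why the ComboFix orphan list, not a path heuristic, is what surfaced that DLL above.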



## flavallee (May 12, 2002)

Jocelyn:

You're welcome. 

You're in dvk01's hands now. :up:

-----------------------------------------------------------------


----------



## dvk01 (Dec 14, 2002)

Does it connect now?

Download the attached CFScript.txt and save it to your desktop (click on the link underneath this post; if you are using Internet Explorer, when the "File Download" pop-up comes up press *SAVE* and choose Desktop in the list of selections in that window, then press Save).
*Disable any antivirus/antimalware/firewall realtime protection or script blocking in the same way you did previously before running ComboFix, and remember to re-enable it when it has finished.*
Close any open browsers.
Then drag CFScript.txt onto ComboFix.exe as shown in the screenshot below.
(screenshot: CFScript.txt being dragged onto ComboFix.exe)

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

*Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script, as it could damage the workings of your system and will not fix your problem. If you have a similar problem, start your own topic in the malware fixing forum.*

This will create a zip file inside C:\QooBox\quarantine named something like [38][email protected]

At the end it will pop up an alert and open your browser and ask you to send the zip file.

Please follow those instructions. We need to see the zip file before we can carry on with the fix.

If there is no pop-up alert or open browser, then

please go to http://www.thespykiller.co.uk/index.php?board=1.0 and upload these files so I can examine them and, if needed, distribute them to antivirus companies.
Just press New Topic, fill in the needed details and give a link to your post here, then press the Browse button and navigate to and select the files on your computer. If there is more than one file, press the More Attachments button for each extra file and browse and select again; when all the files are listed in the window, press Send to upload the files (do not post HJT logs there, as they will not get dealt with).

Files to submit:
the zip file inside C:\QooBox\quarantine created by ComboFix named something like [38][email protected]

or to
http://www.bleepingcomputer.com/submit-malware.php?channel=38


----------

