dl.exe problem (RESOLVED)
-
Hi everyone, I'm new here and have a bit of a problem with my PC. I've had the message pop up a couple of times relating to the dll exe file and I can't connect to the internet.
I've run AVG spyware which removed some cookie trackers but I'm still getting this problem.
I have also run HijackThis.
Here is my log
Logfile of HijackThis v1.99.1
Scan saved at 16:36:08, on 03/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ROYALM~1\SMARTS~1\BINARY\STRAY.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\HJT\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [OLP-Tray] C:\PROGRA~1\ROYALM~1\SMARTS~1\BINARY\STRAY.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} (TraderMediaImgX Control) - http://sell.autotrader.co.uk/uk-ola/...aderMediaX.cab
O16 - DPF: {5938FEB1-3609-11D4-85CD-00902707DAE7} (MapCtl Class) - https://www.promapserver.co.uk/contr...est/webmap.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
Can someone please make some sense of this and tell me what I need to do to get rid of this problem?
Thanks,
Graeme
-
Welcome,
Those dll.exe files can be a real booger to figure out (what they are or where they are), so...
See if this helps your internet connection...
1.) Download WinSockFix. (by: Option^Explicit)
2.) UnZip WinsockFix.zip (Pay close attention to where the file is extracted to.)
3.) Run WinsockFix.exe.
4.) Click the Fix button.
Then...
Next time you post a hijackthis log rename it like this...
Please go to hijackthis.exe, right click on it, click on rename, rename it to foolyou.exe and press enter,
then post a new log from the newly renamed hijackthis.exe. Sometimes malware hides from hijackthis.exe.
Then...
Please download SilentRunners from here:
http://www.silentrunners.org/Silent%20Runners.zip
Unzip it to the desktop and double-click on it.
Silent Runners will ask if you want to skip the supplementary search.
Please select 'No' to include them.
The program will take longer to run, but will give us more information.
If you get any kind of warning message about scripts, please choose to allow the script to run.
When the scan is finished, a message will pop up and a logfile will have been created on the desktop.
The logfile is named 'Startup Programs' by default and will be located where the program is.
Please post the entire contents of this logfile for me to see plus a new hijackthis log that has been renamed.
Plus if you can...
Go here: BitDefender, and run an online scan with BitDefender (you will need to use Internet Explorer for this scan). When the ActiveX Control has loaded, click on "Click here to scan" and grab a coffee.
When BitDefender completes the scan, select the "Detected Problems" tab. Click on "Click here to export scan". Save the file as an HTML to your Desktop. Then click on the saved file and allow it to open with your browser. Go to Edit - Select All then copy/paste that log back here. Post back and let us know what it found (post the log).
Thanks.
-
Thanks for your speedy response. Please see the log files below, as requested.
Hijack This:
Logfile of HijackThis v1.99.1
Scan saved at 09:37:26, on 04/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ROYALM~1\SMARTS~1\BINARY\STRAY.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\foolyou.exe.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [OLP-Tray] C:\PROGRA~1\ROYALM~1\SMARTS~1\BINARY\STRAY.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} (TraderMediaImgX Control) - http://sell.autotrader.co.uk/uk-ola/...aderMediaX.cab
O16 - DPF: {5938FEB1-3609-11D4-85CD-00902707DAE7} (MapCtl Class) - https://www.promapserver.co.uk/contr...est/webmap.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
Silent Runners:
"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"H/PC Connection Agent" = ""C:\Program Files\Microsoft ActiveSync\wcescomm.exe"" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Acrobat Assistant 7.0" = ""C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"" ["Adobe Systems Inc."]
"(Default)" = "(empty string)" [file not found]
"BluetoothAuthenticationAgent" = "rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent" [MS]
"OLP-Tray" = "C:\PROGRA~1\ROYALM~1\SMARTS~1\BINARY\STRAY.EXE" [empty string]
"!AVG Anti-Spyware" = ""C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["Anti-Malware Development a.s."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEToolbarHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{36A21736-36C2-4C11-8ACB-D4136F2B57BD}" = "AutoCAD Digital Signatures Icon Overlay Handler"
-> {HKLM...CLSID} = "AcSignIcon"
\InProcServer32\(Default) = "C:\WINDOWS\system32\AcSignIcon.dll" ["Autodesk"]
"{AC1DB655-4F9A-4c39-8AD2-A65324A4C446}" = "Autodesk Drawing Preview"
-> {HKLM...CLSID} = "ACTHUMBNAIL"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll" ["Autodesk"]
"{6DEA92E9-8682-4b6a-97DE-354772FE5727}" = "Autodesk DWF Preview"
-> {HKLM...CLSID} = "ACDWFTHMBPRXY"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcDwfThmbPrxy16.dll" ["Autodesk"]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{49BF5420-FA7F-11cf-8011-00A0C90A8F78}" = "Mobile Device"
-> {HKLM...CLSID} = "Mobile Device"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\Wcesview.dll" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]
HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]
HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
Default executables:
--------------------
HKCU\Software\Classes\.scr\(Default) = "AutoCADScriptFile"
<<!>> HKCU\Software\Classes\AutoCADScriptFile\shell\open\command\(Default) = ""C:\WINDOWS\notepad.exe" "%1"" [MS]
Group Policies {policy setting}:
--------------------------------
Note: detected settings may not have any effect.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"DisableRegistryTools" = (REG_DWORD) hex:0x00000000
{Prevent access to registry editing tools}
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Graeme\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"
Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]
Startup items in "Graeme" & "All Users" startup folders:
--------------------------------------------------------
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Acrobat Speed Launcher" -> shortcut to: "C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe" [null data]
"AutoCAD Startup Accelerator" -> shortcut to: "C:\Program Files\Common Files\Autodesk Shared\acstart16.exe" [null data]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]
"{F2CF5485-4E02-4F68-819C-B92DE9277049}"
-> {HKLM...CLSID} = "&Links"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]
Explorer Bars
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{182EC0BE-5110-49C8-A062-BEB1D02A220B}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]
HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\
"ButtonText" = "Create Mobile Favorite"
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {HKLM...CLSID} = "Create Mobile Favorite"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\INetRepl.dll" [MS]
{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\
"MenuText" = "Create Mobile Favorite..."
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {HKLM...CLSID} = "Create Mobile Favorite"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\INetRepl.dll" [MS]
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"
{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["Anti-Malware Development a.s."]
Bluetooth Support Service, BthServ, "C:\WINDOWS\system32\svchost.exe -k bthsvcs" {"C:\WINDOWS\System32\bthserv.dll" [MS]}
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\Monitors\
Adobe PDF Port\Driver = "C:\WINDOWS\system32\AdobePDF.dll" ["Adobe Systems Incorporated."]
HP LaserJet 5 Language Monitor\Driver = "hpdcmon.dll" ["Hewlett-Packard"]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
----------
<<!>>: Suspicious data at a malware launch point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 28 seconds.
---------- (total run time: 69 seconds)
-
Did winsockfix help your internet connection?
Neither of the logs, HijackThis or Silent Runners, is showing malware.
1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Thanks.
-
Winsock didn't help the internet connection. I've found the dl.exe file in Documents and Settings and deleted it, but it keeps reappearing.
That link above for combofix is dead, matey.
Thanks
-
Download ComboFix from Here
-
Here is the Combo Fix Log:
"Graeme" - 07-05-04 17:48:25 Service Pack 2
ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\Graeme\Desktop\"
((((((((((((((((((((((((((((((( Files Created from 2007-04-04 to 2007-05-04 ))))))))))))))))))))))))))))))))))
2007-05-04 17:47 234 --a------ C:\DOCUME~1\Graeme\dl.exe
2007-05-04 17:46 234 --a------ C:\WINDOWS\system32\dl.exe
2007-05-04 16:31 182,912 --a------ C:\WINDOWS\system32\drivers\ndis.sys
2007-05-04 16:07 <DIR> d-------- C:\WINDOWS\setup.pss
2007-05-03 16:26 <DIR> d-------- C:\HJT
2007-05-03 16:11 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-05-01 15:02 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-05-01 15:00 40,832 --a------ C:\WINDOWS\system32\drivers\motodrv.sys
2007-05-01 15:00 20,992 --a------ C:\WINDOWS\system32\drivers\motmodem.sys
2007-05-01 15:00 1,419,232 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll
2007-05-01 15:00 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-05-01 15:00 <DIR> d-------- C:\Program Files\Motorola
2007-05-01 15:00 <DIR> d-------- C:\Program Files\Common Files\Motorola Shared
2007-05-01 12:47 <DIR> d-------- C:\DOCUME~1\Graeme\APPLIC~1\InstallShield
2007-05-01 12:46 25,600 --a------ C:\WINDOWS\system32\drivers\usbser.sys
2007-05-01 12:46 <DIR> d-------- C:\Program Files\Avanquest update
2007-05-01 12:45 92,064 --a------ C:\DOCUME~1\Graeme\mqdmmdm.sys
2007-05-01 12:45 9,232 --a------ C:\DOCUME~1\Graeme\mqdmmdfl.sys
2007-05-01 12:45 79,328 --a------ C:\DOCUME~1\Graeme\mqdmserd.sys
2007-05-01 12:45 66,656 --a------ C:\DOCUME~1\Graeme\mqdmbus.sys
2007-05-01 12:45 6,208 --a------ C:\DOCUME~1\Graeme\mqdmcmnt.sys
2007-05-01 12:45 5,936 --a------ C:\DOCUME~1\Graeme\mqdmwhnt.sys
2007-05-01 12:45 4,048 --a------ C:\DOCUME~1\Graeme\mqdmcr.sys
2007-05-01 12:45 25,600 --a------ C:\DOCUME~1\Graeme\usbsermptxp.sys
2007-05-01 12:45 22,768 --a------ C:\DOCUME~1\Graeme\usbsermpt.sys
2007-05-01 12:45 <DIR> d-------- C:\Program Files\Motorola Phone Tools
2007-05-01 12:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BVRP Software
2007-04-10 15:37 <DIR> d-------- C:\Program Files\PocketPool
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-05-04 17:08 61440 --a------ C:\WINDOWS\system32\spoolsv.exe
2007-05-04 17:08 36864 --a------ C:\WINDOWS\system32\rundll32.exe
2007-05-04 17:08 17408 --a------ C:\WINDOWS\system32\wscntfy.exe
2007-05-04 17:07 18944 --a------ C:\WINDOWS\system32\ctfmon.exe
2007-05-04 14:04 120832 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-05-04 14:03 48128 --a------ C:\WINDOWS\system32\alg.exe
2007-05-03 09:58 99328 --a------ C:\WINDOWS\system32\scardsvr.exe
2007-05-03 09:58 9728 --a------ C:\WINDOWS\system32\msdtc.exe
2007-05-03 09:58 93184 --a------ C:\WINDOWS\system32\smlogsvc.exe
2007-05-03 09:58 9216 --a------ C:\WINDOWS\system32\write.exe
2007-05-03 09:58 9216 --a------ C:\WINDOWS\system32\winver.exe
2007-05-03 09:58 89600 --a------ C:\WINDOWS\system32\netsh.exe
2007-05-03 09:58 82944 --a------ C:\WINDOWS\system32\msiexec.exe
2007-05-03 09:58 81920 --a------ C:\WINDOWS\system32\usrmlnka.exe
2007-05-03 09:58 8192 --a------ C:\WINDOWS\system32\unlodctr.exe
2007-05-03 09:58 8192 --a------ C:\WINDOWS\system32\regwiz.exe
2007-05-03 09:58 8192 --a------ C:\WINDOWS\system32\nddeapir.exe
2007-05-03 09:58 81408 --a------ C:\WINDOWS\system32\shrpubw.exe
2007-05-03 09:58 81408 --a------ C:\WINDOWS\system32\rtcshare.exe
2007-05-03 09:58 80896 --a------ C:\WINDOWS\system32\sdbinst.exe
2007-05-03 09:58 80384 --a------ C:\WINDOWS\system32\nslookup.exe
2007-05-03 09:58 79360 --a------ C:\WINDOWS\system32\telnet.exe
2007-05-03 09:58 73728 --a------ C:\WINDOWS\system32\usrshuta.exe
2007-05-03 09:58 73728 --a------ C:\WINDOWS\system32\sigverif.exe
2007-05-03 09:58 73728 --a------ C:\WINDOWS\system32\odbcconf.exe
2007-05-03 09:58 72704 --a------ C:\WINDOWS\system32\notepad.exe
2007-05-03 09:58 7168 --a------ C:\WINDOWS\system32\systray.exe
2007-05-03 09:58 7168 --a------ C:\WINDOWS\system32\regedt32.exe
2007-05-03 09:58 70656 --a------ C:\WINDOWS\system32\rdshost.exe
2007-05-03 09:58 69120 --a------ C:\WINDOWS\system32\wextract.exe
2007-05-03 09:58 66560 --a------ C:\WINDOWS\system32\rdpclip.exe
2007-05-03 09:58 65536 --a------ C:\WINDOWS\system32\usrprbda.exe
2007-05-03 09:58 61952 --a------ C:\WINDOWS\system32\packager.exe
2007-05-03 09:58 60416 --a------ C:\WINDOWS\system32\sol.exe
2007-05-03 09:58 60416 --a------ C:\WINDOWS\system32\rasphone.exe
2007-05-03 09:58 57856 --a------ C:\WINDOWS\system32\narrator.exe
2007-05-03 09:58 54784 --a------ C:\WINDOWS\system32\syncapp.exe
2007-05-03 09:58 542208 --a------ C:\WINDOWS\system32\spider.exe
2007-05-03 09:58 53760 --a------ C:\WINDOWS\system32\utilman.exe
2007-05-03 09:58 53760 --a------ C:\WINDOWS\system32\reg.exe
2007-05-03 09:58 53760 --a------ C:\WINDOWS\system32\proquota.exe
2007-05-03 09:58 53248 --a------ C:\WINDOWS\system32\w32tm.exe
2007-05-03 09:58 52736 --a------ C:\WINDOWS\system32\rsmui.exe
2007-05-03 09:58 52736 --a------ C:\WINDOWS\system32\rsm.exe
2007-05-03 09:58 52736 --a------ C:\WINDOWS\system32\powercfg.exe
2007-05-03 09:58 49152 --a------ C:\WINDOWS\system32\mshta.exe
2007-05-03 09:58 48128 --a------ C:\WINDOWS\system32\tscupgrd.exe
2007-05-03 09:58 46592 --a------ C:\WINDOWS\system32\net.exe
2007-05-03 09:58 46080 --a------ C:\WINDOWS\system32\shmgrate.exe
2007-05-03 09:58 44032 --a------ C:\WINDOWS\system32\osuninst.exe
2007-05-03 09:58 437248 --a------ C:\WINDOWS\system32\wiaacmgr.exe
2007-05-03 09:58 423936 --a------ C:\WINDOWS\system32\ntvdm.exe
2007-05-03 09:58 411136 --a------ C:\WINDOWS\system32\mstsc.exe
2007-05-03 09:58 40448 --a------ C:\WINDOWS\system32\syskey.exe
2007-05-03 09:58 40448 --a------ C:\WINDOWS\system32\netstat.exe
2007-05-03 09:58 39424 --a------ C:\WINDOWS\system32\rcimlby.exe
2007-05-03 09:58 38912 --a------ C:\WINDOWS\system32\winchat.exe
2007-05-03 09:58 37888 --a------ C:\WINDOWS\system32\regini.exe
2007-05-03 09:58 37376 --a------ C:\WINDOWS\system32\vssadmin.exe
2007-05-03 09:58 36864 --a------ C:\WINDOWS\system32\ping6.exe
2007-05-03 09:58 36864 --a------ C:\WINDOWS\system32\odbcad32.exe
2007-05-03 09:58 35840 --a------ C:\WINDOWS\system32\wupdmgr.exe
2007-05-03 09:58 35840 --a------ C:\WINDOWS\system32\wpnpinst.exe
2007-05-03 09:58 35840 --a------ C:\WINDOWS\system32\wpabaln.exe
2007-05-03 09:58 35328 --a------ C:\WINDOWS\system32\tracert6.exe
2007-05-03 09:58 35328 --a------ C:\WINDOWS\system32\sethc.exe
2007-05-03 09:58 35328 --a------ C:\WINDOWS\system32\ntsd.exe
2007-05-03 09:58 350720 --a------ C:\WINDOWS\system32\tourstart.exe
2007-05-03 09:58 34816 --a------ C:\WINDOWS\system32\xcopy.exe
2007-05-03 09:58 34816 --a------ C:\WINDOWS\system32\sc.exe
2007-05-03 09:58 346624 --a------ C:\WINDOWS\system32\mspaint.exe
2007-05-03 09:58 335872 --a------ C:\WINDOWS\system32\netsetup.exe
2007-05-03 09:58 33280 --a------ C:\WINDOWS\system32\xmlinst.exe
2007-05-03 09:58 32768 --a------ C:\WINDOWS\system32\verclsid.exe
2007-05-03 09:58 30208 --a------ C:\WINDOWS\system32\skeys.exe
2007-05-03 09:58 293376 --a------ C:\WINDOWS\system32\vssvc.exe
2007-05-03 09:58 29184 --a------ C:\WINDOWS\twunk_32.exe
2007-05-03 09:58 29184 --a------ C:\WINDOWS\system32\routemon.exe
2007-05-03 09:58 287232 --a------ C:\WINDOWS\winhlp32.exe
2007-05-03 09:58 28160 --a------ C:\WINDOWS\system32\userinit.exe
2007-05-03 09:58 28160 --a------ C:\WINDOWS\system32\rsmsink.exe
2007-05-03 09:58 27136 --a------ C:\WINDOWS\system32\sort.exe
2007-05-03 09:58 26624 --a------ C:\WINDOWS\system32\setup.exe
2007-05-03 09:58 25600 --a------ C:\WINDOWS\system32\qwinsta.exe
2007-05-03 09:58 25088 --a------ C:\WINDOWS\system32\rcp.exe
2007-05-03 09:58 25088 --a------ C:\WINDOWS\system32\pathping.exe
2007-05-03 09:58 24576 --a------ C:\WINDOWS\system32\msg.exe
2007-05-03 09:58 241664 --a------ C:\WINDOWS\system32\nctaudioconvert3.exe
2007-05-03 09:58 24064 --a------ C:\WINDOWS\system32\qprocess.exe
2007-05-03 09:58 24064 --a------ C:\WINDOWS\system32\nbtstat.exe
2007-05-03 09:58 23552 --a------ C:\WINDOWS\system32\tcpsvcs.exe
2007-05-03 09:58 23552 --a------ C:\WINDOWS\system32\shutdown.exe
2007-05-03 09:58 23552 --a------ C:\WINDOWS\system32\route.exe
2007-05-03 09:58 22528 --a------ C:\WINDOWS\system32\ups.exe
2007-05-03 09:58 219136 --a------ C:\WINDOWS\system32\osk.exe
2007-05-03 09:58 21504 --a------ C:\WINDOWS\system32\ping.exe
2007-05-03 09:58 20992 --a------ C:\WINDOWS\system32\wpdshextautoplay.exe
2007-05-03 09:58 20992 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-05-03 09:58 20480 --a------ C:\WINDOWS\system32\upnpcont.exe
2007-05-03 09:58 20480 --a------ C:\WINDOWS\system32\tsshutdn.exe
2007-05-03 09:58 20480 --a------ C:\WINDOWS\system32\tftp.exe
2007-05-03 09:58 20480 --a------ C:\WINDOWS\system32\qappsrv.exe
2007-05-03 09:58 19968 --a------ C:\WINDOWS\system32\tskill.exe
2007-05-03 09:58 19968 --a------ C:\WINDOWS\system32\runas.exe
2007-05-03 09:58 19456 --a------ C:\WINDOWS\system32\rwinsta.exe
2007-05-03 09:58 19456 --a------ C:\WINDOWS\system32\perfmon.exe
2007-05-03 09:58 193536 --a------ C:\WINDOWS\system32\wisptis.exe
2007-05-03 09:58 18944 --a------ C:\WINDOWS\taskman.exe
2007-05-03 09:58 18944 --a------ C:\WINDOWS\system32\tscon.exe
2007-05-03 09:58 18944 --a------ C:\WINDOWS\system32\taskman.exe
2007-05-03 09:58 18944 --a------ C:\WINDOWS\system32\pentnt.exe
2007-05-03 09:58 18432 --a------ C:\WINDOWS\system32\tsdiscon.exe
2007-05-03 09:58 18432 --a------ C:\WINDOWS\system32\stimon.exe
2007-05-03 09:58 18432 --a------ C:\WINDOWS\system32\shadow.exe
2007-05-03 09:58 18432 --a------ C:\WINDOWS\system32\rsh.exe
2007-05-03 09:58 17920 --a------ C:\WINDOWS\system32\runonce.exe
2007-05-03 09:58 17408 --a------ C:\WINDOWS\system32\rexec.exe
2007-05-03 09:58 17408 --a------ C:\WINDOWS\system32\rdsaddin.exe
2007-05-03 09:58 169472 --a------ C:\WINDOWS\system32\wuauclt1.exe
2007-05-03 09:58 16896 --a------ C:\WINDOWS\system32\savedump.exe
2007-05-03 09:58 16896 --a------ C:\WINDOWS\system32\replace.exe
2007-05-03 09:58 16384 --a------ C:\WINDOWS\system32\tracert.exe
2007-05-03 09:58 15872 --a------ C:\WINDOWS\system32\tcmsetup.exe
2007-05-03 09:58 15872 --a------ C:\WINDOWS\system32\mstinit.exe
2007-05-03 09:58 15360 --a------ C:\WINDOWS\system32\winmsd.exe
2007-05-03 09:58 15360 --a------ C:\WINDOWS\system32\spnpinst.exe
2007-05-03 09:58 15360 --a------ C:\WINDOWS\system32\regsvr32.exe
2007-05-03 09:58 15360 --a------ C:\WINDOWS\system32\rasdial.exe
2007-05-03 09:58 15360 --a------ C:\WINDOWS\system32\rasautou.exe
2007-05-03 09:58 150528 --a------ C:\WINDOWS\system32\wudfhost.exe
2007-05-03 09:58 144384 --a------ C:\WINDOWS\system32\sessmgr.exe
2007-05-03 09:58 142848 --a------ C:\WINDOWS\system32\sndvol32.exe
2007-05-03 09:58 139264 --a------ C:\WINDOWS\system32\taskmgr.exe
2007-05-03 09:58 13824 --a------ C:\WINDOWS\system32\sprestrt.exe
2007-05-03 09:58 136704 --a------ C:\WINDOWS\system32\rsvp.exe
2007-05-03 09:58 135168 --a------ C:\WINDOWS\system32\sndrec32.exe
2007-05-03 09:58 13312 --a------ C:\WINDOWS\system32\subst.exe
2007-05-03 09:58 13312 --a------ C:\WINDOWS\system32\sfc.exe
2007-05-03 09:58 13312 --a------ C:\WINDOWS\system32\reset.exe
2007-05-03 09:58 13312 --a------ C:\WINDOWS\system32\print.exe
2007-05-03 09:58 131072 --a------ C:\WINDOWS\system32\mshearts.exe
2007-05-03 09:58 129024 --a------ C:\WINDOWS\system32\net1.exe
2007-05-03 09:58 12800 --a------ C:\WINDOWS\system32\proxycfg.exe
2007-05-03 09:58 123392 --a------ C:\WINDOWS\system32\winmine.exe
2007-05-03 09:58 12288 --a------ C:\WINDOWS\system32\wdfmgr.exe
2007-05-03 09:58 12288 --a------ C:\WINDOWS\system32\uwdf.exe
2007-05-03 09:58 118784 --a------ C:\WINDOWS\system32\wscript.exe
2007-05-03 09:58 11776 --a------ C:\WINDOWS\system32\winhlp32.exe
2007-05-03 09:58 11776 --a------ C:\WINDOWS\system32\smbinst.exe
2007-05-03 09:58 114688 --a------ C:\WINDOWS\system32\netdde.exe
2007-05-03 09:58 113664 --a------ C:\WINDOWS\system32\progman.exe
2007-05-03 09:58 11264 --a------ C:\WINDOWS\system32\recover.exe
2007-05-03 09:58 110080 --a------ C:\WINDOWS\system32\sysocmgr.exe
2007-05-03 09:58 10240 --a------ C:\WINDOWS\system32\msswchx.exe
2007-05-03 09:58 101888 --a------ C:\WINDOWS\system32\verifier.exe
2007-05-03 09:57 9728 --a------ C:\WINDOWS\system32\lpq.exe
2007-05-03 09:57 9216 --a------ C:\WINDOWS\system32\lodctr.exe
2007-05-03 09:57 89600 --a------ C:\WINDOWS\system32\makecab.exe
2007-05-03 09:57 87040 --a------ C:\WINDOWS\system32\dpvsetup.exe
2007-05-03 09:57 8704 --a------ C:\WINDOWS\system32\dllhst3g.exe
2007-05-03 09:57 818688 --a------ C:\WINDOWS\system32\mmc.exe
2007-05-03 09:57 79360 --a------ C:\WINDOWS\system32\locator.exe
2007-05-03 09:57 76288 --a------ C:\WINDOWS\system32\magnify.exe
2007-05-03 09:57 7168 --a------ C:\WINDOWS\system32\fixmapi.exe
2007-05-03 09:57 62976 --a------ C:\WINDOWS\system32\logman.exe
2007-05-03 09:57 59904 --a------ C:\WINDOWS\system32\fsutil.exe
2007-05-03 09:57 59392 --a------ C:\WINDOWS\system32\ipconfig.exe
2007-05-03 09:57 58880 --a------ C:\WINDOWS\system32\freecell.exe
2007-05-03 09:57 58880 --a------ C:\WINDOWS\system32\dvdplay.exe
2007-05-03 09:57 57344 --a------ C:\WINDOWS\system32\ipv6.exe
2007-05-03 09:57 55808 --a------ C:\WINDOWS\system32\migpwd.exe
2007-05-03 09:57 518656 --a------ C:\WINDOWS\system32\logonui.exe
2007-05-03 09:57 49152 --a------ C:\WINDOWS\system32\extrac32.exe
2007-05-03 09:57 49152 --a------ C:\WINDOWS\system32\drwtsn32.exe
2007-05-03 09:57 48128 --a------ C:\WINDOWS\system32\ipsec6.exe
2007-05-03 09:57 46080 --a------ C:\WINDOWS\system32\ftp.exe
2007-05-03 09:57 43008 --a------ C:\WINDOWS\system32\grpconv.exe
2007-05-03 09:57 43008 --a------ C:\WINDOWS\system32\esentutl.exe
2007-05-03 09:57 41472 --a------ C:\WINDOWS\system32\mapisrvr.exe
2007-05-03 09:57 36864 --a------ C:\WINDOWS\system32\mnmsrvc.exe
2007-05-03 09:57 33792 --a------ C:\WINDOWS\system32\lights.exe
2007-05-03 09:57 33792 --a------ C:\WINDOWS\system32\dplaysvr.exe
2007-05-03 09:57 30720 --a------ C:\WINDOWS\system32\findstr.exe
2007-05-03 09:57 28672 --a------ C:\WINDOWS\system32\lnkstub.exe
2007-05-03 09:57 27136 --a------ C:\WINDOWS\system32\ipxroute.exe
2007-05-03 09:57 27136 --a------ C:\WINDOWS\system32\fltmc.exe
2007-05-03 09:57 25600 --a------ C:\WINDOWS\system32\mpnotify.exe
2007-05-03 09:57 253440 --a------ C:\WINDOWS\system32\drmupgds.exe
2007-05-03 09:57 25088 --a------ C:\WINDOWS\system32\fontview.exe
2007-05-03 09:57 228864 --a------ C:\WINDOWS\system32\dmadmin.exe
2007-05-03 09:57 22016 --a------ C:\WINDOWS\system32\dpnsvr.exe
2007-05-03 09:57 21504 --a------ C:\WINDOWS\system32\dvdupgrd.exe
2007-05-03 09:57 196608 --a------ C:\WINDOWS\system32\fsquirt.exe
2007-05-03 09:57 196608 --a------ C:\WINDOWS\system32\eudcedit.exe
2007-05-03 09:57 19456 --a------ C:\WINDOWS\system32\expand.exe
2007-05-03 09:57 19456 --a------ C:\WINDOWS\system32\dmremote.exe
2007-05-03 09:57 18944 --a------ C:\WINDOWS\system32\logoff.exe
2007-05-03 09:57 18944 --a------ C:\WINDOWS\system32\fc.exe
2007-05-03 09:57 184320 --a------ C:\WINDOWS\system32\dwwin.exe
2007-05-03 09:57 18432 --a------ C:\WINDOWS\system32\help.exe
2007-05-03 09:57 16896 --a------ C:\WINDOWS\system32\mrinfo.exe
2007-05-03 09:57 156672 --a------ C:\WINDOWS\system32\irftp.exe
2007-05-03 09:57 153600 --a------ C:\WINDOWS\system32\imapi.exe
2007-05-03 09:57 14848 --a------ C:\WINDOWS\system32\doskey.exe
2007-05-03 09:57 147456 --a------ C:\WINDOWS\system32\mobsync.exe
2007-05-03 09:57 14336 --a------ C:\WINDOWS\system32\dumprep.exe
2007-05-03 09:57 13824 --a------ C:\WINDOWS\system32\label.exe
2007-05-03 09:57 13312 --a------ C:\WINDOWS\system32\find.exe
2007-05-03 09:57 1302528 --a------ C:\WINDOWS\system32\dxdiag.exe
2007-05-03 09:57 12800 --a------ C:\WINDOWS\system32\finger.exe
2007-05-03 09:57 126976 --a------ C:\WINDOWS\system32\mplay32.exe
2007-05-03 09:57 12288 --a------ C:\WINDOWS\system32\eventvwr.exe
2007-05-03 09:57 118272 --a------ C:\WINDOWS\system32\iexpress.exe
2007-05-03 09:57 11776 --a------ C:\WINDOWS\system32\mountvol.exe
2007-05-03 09:57 11776 --a------ C:\WINDOWS\system32\lpr.exe
2007-05-03 09:57 11776 --a------ C:\WINDOWS\system32\hostname.exe
2007-05-03 09:57 10752 --a------ C:\WINDOWS\system32\forcedos.exe
2007-05-03 09:57 104448 --a------ C:\WINDOWS\system32\logagent.exe
2007-05-03 09:56 9728 --a------ C:\WINDOWS\system32\cisvc.exe
2007-05-03 09:56 89600 --a------ C:\WINDOWS\system32\diantz.exe
2007-05-03 09:56 8704 --a------ C:\WINDOWS\system32\dcomcnfg.exe
2007-05-03 09:56 8704 --a------ C:\WINDOWS\system32\bootvrfy.exe
2007-05-03 09:56 86016 --a------ C:\WINDOWS\system32\dfrgfat.exe
2007-05-03 09:56 83968 --a------ C:\WINDOWS\system32\charmap.exe
2007-05-03 09:56 8192 --a------ C:\WINDOWS\system32\bootok.exe
2007-05-03 09:56 8192 --a------ C:\WINDOWS\system32\actmovie.exe
2007-05-03 09:56 76800 --a------ C:\WINDOWS\st6unst.exe
2007-05-03 09:56 75264 --a------ C:\WINDOWS\system32\blastcln.exe
2007-05-03 09:56 67584 --a------ C:\WINDOWS\system32\cmstp.exe
2007-05-03 09:56 67584 --a------ C:\WINDOWS\system32\cleanmgr.exe
2007-05-03 09:56 606208 --a------ C:\WINDOWS\system32\autoconv.exe
2007-05-03 09:56 592384 --a------ C:\WINDOWS\system32\autochk.exe
2007-05-03 09:56 584704 --a------ C:\WINDOWS\system32\autofmt.exe
2007-05-03 09:56 50688 --a------ C:\WINDOWS\system32\cmdl32.exe
2007-05-03 09:56 43520 --a------ C:\WINDOWS\system32\cmmon32.exe
2007-05-03 09:56 392192 --a------ C:\WINDOWS\system32\cmd.exe
2007-05-03 09:56 37376 --a------ C:\WINDOWS\system32\clipsrv.exe
2007-05-03 09:56 33792 --a------ C:\WINDOWS\system32\ddeshare.exe
2007-05-03 09:56 31232 --a------ C:\WINDOWS\system32\conime.exe
2007-05-03 09:56 28672 --a------ C:\WINDOWS\system32\defrag.exe
2007-05-03 09:56 28672 --a------ C:\WINDOWS\system32\at.exe
2007-05-03 09:56 249856 --a------ C:\WINDOWS\setup1.exe
2007-05-03 09:56 24576 --a------ C:\WINDOWS\system32\cliconfg.exe
2007-05-03 09:56 23040 --a------ C:\WINDOWS\system32\arp.exe
2007-05-03 09:56 225280 --a------ C:\WINDOWS\system32\acsignopt.exe
2007-05-03 09:56 22016 --a------ C:\WINDOWS\system32\cacls.exe
2007-05-03 09:56 21504 --a------ C:\WINDOWS\system32\diskperf.exe
2007-05-03 09:56 21504 --a------ C:\WINDOWS\system32\compact.exe
2007-05-03 09:56 19968 --a------ C:\WINDOWS\system32\comp.exe
2007-05-03 09:56 187392 --a------ C:\WINDOWS\system32\accwiz.exe
2007-05-03 09:56 18432 --a------ C:\WINDOWS\system32\auditusr.exe
2007-05-03 09:56 17920 --a------ C:\WINDOWS\system32\convert.exe
2007-05-03 09:56 167424 --a------ C:\WINDOWS\system32\diskpart.exe
2007-05-03 09:56 15872 --a------ C:\WINDOWS\system32\chkdsk.exe
2007-05-03 09:56 15360 --a------ C:\WINDOWS\system32\chkntfs.exe
2007-05-03 09:56 15360 --a------ C:\WINDOWS\system32\attrib.exe
2007-05-03 09:56 150016 --a------ C:\WINDOWS\regedit.exe
2007-05-03 09:56 14848 --a------ C:\WINDOWS\system32\autolfn.exe
2007-05-03 09:56 14848 --a------ C:\WINDOWS\system32\atmadm.exe
2007-05-03 09:56 12288 --a------ C:\WINDOWS\system32\cidaemon.exe
2007-05-03 09:56 118272 --a------ C:\WINDOWS\system32\calc.exe
2007-05-03 09:56 11776 --a------ C:\WINDOWS\system32\control.exe
2007-05-03 09:56 11776 --a------ C:\WINDOWS\system32\ckcnv.exe
2007-05-03 09:56 106496 --a------ C:\WINDOWS\system32\clipbrd.exe
2007-05-03 09:56 102400 --a------ C:\WINDOWS\system32\cscript.exe
2007-05-03 09:56 101888 --a------ C:\WINDOWS\system32\ahui.exe
2007-05-03 09:55 72704 --a------ C:\WINDOWS\notepad.exe
2007-05-03 09:55 41984 --a------ C:\WINDOWS\hpltlnk.exe
2007-05-03 09:55 310272 --a------ C:\WINDOWS\isuninst.exe
2007-05-03 09:55 14336 --a------ C:\WINDOWS\hh.exe
2007-05-01 12:46 -------- d--h----- C:\Program Files\installshield installation information
2007-03-17 14:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-08 16:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 16:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 16:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 14:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-05 10:57 -------- d-------- C:\Program Files\ralink
2007-02-05 21:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{AE7CD045-E861-484f-8273-0445EE161910} C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Acrobat Assistant 7.0"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
@=""
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"OLP-Tray"="C:\\PROGRA~1\\ROYALM~1\\SMARTS~1\\BINARY\\STRAY.EXE"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe\""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
bthsvcs REG_MULTI_SZ BthServ\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c2eb7df2-7f98-11db-8eae-003018736265}]
Shell\AutoRun\command D:\InstallTomTomHOME.exe
********************************************************************
catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-04 17:50:32
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************
Completion time: 07-05-04 17:50:34
C:\ComboFix-quarantined-files.txt ... 07-05-04 17:50
-
Well, that is bad news all around; it appears you have what is called the Win32 Bagz worm.
BitDefender has a removal tool for that worm, but I'm not sure if it is the same variant you have. You may be able to burn the tool to disk from here:
www.bitdefender.com/site/Download/browseFreeRemovalTool/
Look for this: Win32.Bagz.B@mm
That worm you have infects other files and turns off the firewall and other things like the internet, as you well know. If the tool above doesn't work, then we can try manually with a file-killing tool, but keep in mind a reformat may be in the near future.
Thanks Vince for the assistance with the ComboFix link; mine has been updated now.
-
Thanks guys.
I'll have a bash at it on Tuesday and keep you posted. A reformat wouldn't be the end of the world, I suppose.
-
The bad thing about the infection is you can't get on the internet to do some online scans, which you badly need.
I searched the net for a stand-alone tool to remove that worm and only came up with one.
We can try the KillBox tool later if you want, but like I said, there may be an awful lot of corruption going on there, and apparently the infection comes through emails and email attachments.
Let us know how it goes.