Client infected with Dialer

Hello All,
Comodo has been great stuff for pretty much everyone. ;D
However, I recently installed Comodo CIS 5 on a client’s PC running dial-up. It was fine until they visited a website called “Jobs.net” which, according to them, redirected the PC several times and then disconnected them from the internet. It then proceeded to auto-dial (which is somewhat normal since they have it set to re-dial upon disconnect), but now every time the computer is started it immediately dials by itself. The computer is now set to not auto-dial and it still persists. The number it is dialing is the valid user’s ISP. None of the Comodo logs reveal any Defense+ or Firewall entries. It was set to Safe Mode. I changed it to Paranoid and Custom Policy mode to see if anything would jump out or call home. No luck.
The user recently uninstalled Avira and is using solely Comodo for protection (which is a minor problem since the 101MB A/V updates haven’t been downloading).

I proceeded to run Process Hacker, which revealed that the application calling up the dial-up window is:

rasautou.exe 5.1.2 Remote Access Dialer

MD5: 0477C2F9171599CA5BC3307FDFBA8D89
PID: 3240 ( 920) C:\WINDOWS\system32\rasautou.exe
size: 11776


It is launched at random times a few moments after system startup with several random parameters from CMD:

rasautou -a "safebrowsing.clients.google.com" -e "MyISP"
rasautou -a "fls.security.comodo.com" -e "MyISP"
I left Wireshark running for some time and didn't catch anything other than this line, perhaps coincidental?

845 2260.048828 221.148.81.46 12.183.1.63 TCP 41758 > ftp [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=945337095 TSER=0 WS=2

846 2263.095703 221.148.81.46 12.183.1.63 TCP 41758 > ftp [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=945340095 TSER=0 WS=2


The IP seems rogue: http://www.trustedsource.org/query/221.148.81.46

I have run ComboFix:

ComboFix 10-09-22.06 - TJ 09/23/2010 14:27:19.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.526 [GMT -4:00]
Running from: c:\documents and settings\TJ\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition Classic *On-access scanning disabled* (Updated) {804E5358-FFA4-00EB-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {00000000-0000-0000-0000-000000000000}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {804E5358-FFA4-00DA-0D24-347CA8A3377C}
AV: COMODO Antivirus *On-access scanning disabled* (Outdated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\AutoRun.ini
c:\windows\system\Color

.
((((((((((((((((((((((((( Files Created from 2010-08-23 to 2010-09-23 )))))))))))))))))))))))))))))))
.

2010-09-23 14:24 . 2010-09-23 14:24 -------- d-----w- c:\documents and settings\TJ\Application Data\Wireshark
2010-09-23 14:00 . 2010-09-23 14:00 -------- d-----w- c:\documents and settings\TJ\Application Data\Process Hacker 2
2010-09-18 03:33 . 2010-09-18 03:33 -------- d-----w- C:\VritualRoot
2010-09-18 03:32 . 2010-09-18 03:32 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-09-18 03:31 . 2010-09-23 13:58 310448 ----a-w- c:\windows\system32\drivers\sfi.dat
2010-09-18 03:28 . 2010-09-18 03:28 -------- d-----w- c:\program files\COMODO
2010-09-18 03:27 . 2010-09-18 03:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo
2010-09-18 03:26 . 2010-09-18 03:26 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe
2010-09-18 02:13 . 2010-06-08 16:10 790528 ----a-w- c:\windows\system32\xvidcore.dll
2010-09-18 02:13 . 2010-06-08 16:10 134144 ----a-w- c:\windows\system32\xvidvfw.dll
2010-09-18 02:13 . 2010-09-14 08:00 108032 ----a-w- c:\windows\system32\ff_vfw.dll
2010-09-11 03:41 . 2010-09-11 03:41 285480 ----a-w- c:\windows\system32\guard32.dll
2010-09-11 03:40 . 2010-09-11 03:40 91560 ----a-w- c:\windows\system32\drivers\inspect.sys
2010-09-11 03:40 . 2010-09-11 03:40 25240 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2010-09-11 03:40 . 2010-09-11 03:40 239240 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2010-09-11 03:40 . 2010-09-11 03:40 15592 ----a-w- c:\windows\system32\drivers\cmderd.sys
2010-09-09 16:14 . 2010-09-18 04:23 -------- d-----w- c:\program files\DivX
2010-09-09 16:09 . 2008-04-14 09:42 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-09-09 16:08 . 2001-08-18 02:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-09-09 16:08 . 2008-04-14 09:42 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-09-09 16:08 . 2001-08-18 02:37 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-09-09 16:08 . 2001-08-18 02:37 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-09-09 16:08 . 2001-08-18 02:37 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2010-09-09 16:08 . 2001-08-17 16:11 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2010-09-09 16:08 . 2008-04-14 02:04 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2010-09-09 16:08 . 2008-04-14 04:16 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys
2010-09-09 16:08 . 2008-04-14 02:04 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2010-09-09 16:08 . 2008-04-14 09:42 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2010-09-09 16:07 . 2008-04-14 04:06 8832 -c--a-w- c:\windows\system32\dllcache\wmiacpi.sys
2010-09-09 16:07 . 2008-04-14 02:05 154624 -c--a-w- c:\windows\system32\dllcache\wlluc48.sys
2010-09-09 16:07 . 2001-08-17 16:12 34890 -c--a-w- c:\windows\system32\dllcache\wlandrv2.sys
2010-09-09 16:07 . 2001-08-17 17:28 771581 -c--a-w- c:\windows\system32\dllcache\winacisa.sys
2010-09-09 16:07 . 2001-08-18 02:36 53760 -c--a-w- c:\windows\system32\dllcache\wiamsmud.dll
2010-09-09 16:07 . 2001-08-18 02:36 87040 -c--a-w- c:\windows\system32\dllcache\wiafbdrv.dll
2010-09-09 16:05 . 2001-08-17 16:13 19528 -c--a-w- c:\windows\system32\dllcache\w840nd.sys
2010-09-09 16:05 . 2004-08-04 12:00 48256 -c--a-w- c:\windows\system32\dllcache\w32.dll
2010-09-09 16:05 . 2001-08-17 17:28 64605 -c--a-w- c:\windows\system32\dllcache\vvoice.sys
2010-09-09 16:05 . 2001-08-17 17:28 397502 -c--a-w- c:\windows\system32\dllcache\vpctcom.sys
2010-09-09 16:05 . 2001-08-17 17:28 604253 -c--a-w- c:\windows\system32\dllcache\vmodem.sys
2010-09-09 16:05 . 2001-08-17 16:14 249402 -c--a-w- c:\windows\system32\dllcache\vinwm.sys
2010-09-09 16:05 . 2001-08-17 17:49 24576 -c--a-w- c:\windows\system32\dllcache\viairda.sys
2010-09-09 16:04 . 2008-04-14 09:42 53760 -c--a-w- c:\windows\system32\dllcache\vfwwdm32.dll
2010-09-09 16:04 . 2001-08-17 17:28 687999 -c--a-w- c:\windows\system32\dllcache\usrwdxjs.sys
2010-09-09 16:04 . 2001-08-17 17:28 765884 -c--a-w- c:\windows\system32\dllcache\usrti.sys
2010-09-09 16:04 . 2001-08-17 17:28 113762 -c--a-w- c:\windows\system32\dllcache\usrpda.sys
2010-09-09 16:04 . 2001-08-17 17:28 7556 -c--a-w- c:\windows\system32\dllcache\usroslba.sys
2010-09-09 16:04 . 2001-08-17 17:28 224802 -c--a-w- c:\windows\system32\dllcache\usr1807a.sys
2010-09-09 16:03 . 2001-08-17 17:28 794399 -c--a-w- c:\windows\system32\dllcache\usr1806v.sys
2010-09-09 16:03 . 2001-08-17 17:28 793598 -c--a-w- c:\windows\system32\dllcache\usr1806.sys
2010-09-09 16:03 . 2001-08-17 17:28 794654 -c--a-w- c:\windows\system32\dllcache\usr1801.sys
2010-09-09 16:03 . 2008-04-14 04:15 26112 -c--a-w- c:\windows\system32\dllcache\usbser.sys
2010-09-09 16:03 . 2008-04-14 04:17 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2010-09-09 16:03 . 2008-04-14 04:15 17152 -c--a-w- c:\windows\system32\dllcache\usbohci.sys
2010-09-09 16:03 . 2008-04-14 04:15 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2010-09-09 16:03 . 2008-04-14 02:05 32384 -c--a-w- c:\windows\system32\dllcache\usb101et.sys
2010-09-09 16:03 . 2001-08-18 02:36 28160 -c--a-w- c:\windows\system32\dllcache\umaxu40.dll
2010-09-09 16:03 . 2001-08-18 02:36 26624 -c--a-w- c:\windows\system32\dllcache\umaxu22.dll
2010-09-09 16:02 . 2001-08-17 17:58 22912 -c--a-w- c:\windows\system32\dllcache\umaxpcls.sys
2010-09-09 16:02 . 2001-08-18 02:36 50176 -c--a-w- c:\windows\system32\dllcache\umaxp60.dll
2010-09-09 16:02 . 2001-08-18 02:36 47616 -c--a-w- c:\windows\system32\dllcache\umaxcam.dll
2010-09-09 16:02 . 2001-08-18 02:36 211968 -c--a-w- c:\windows\system32\dllcache\um54scan.dll
2010-09-09 16:02 . 2001-08-18 02:36 216064 -c--a-w- c:\windows\system32\dllcache\um34scan.dll
2010-09-09 16:02 . 2001-08-17 17:52 36736 -c--a-w- c:\windows\system32\dllcache\ultra.sys
2010-09-09 16:01 . 2001-08-17 17:48 11520 -c--a-w- c:\windows\system32\dllcache\twotrack.sys
2010-09-09 16:01 . 2004-08-04 12:00 14336 -c--a-w- c:\windows\system32\dllcache\tsprof.exe
2010-09-09 16:01 . 2001-08-17 16:51 166784 -c--a-w- c:\windows\system32\dllcache\tridxpm.sys
2010-09-09 16:01 . 2001-08-18 02:36 525568 -c--a-w- c:\windows\system32\dllcache\tridxp.dll
2010-09-09 16:01 . 2001-08-17 16:51 159232 -c--a-w- c:\windows\system32\dllcache\tridkbm.sys
2010-09-09 16:01 . 2001-08-17 18:56 440576 -c--a-w- c:\windows\system32\dllcache\tridkb.dll
2010-09-09 16:01 . 2001-08-17 16:51 222336 -c--a-w- c:\windows\system32\dllcache\trid3dm.sys
2010-09-09 16:00 . 2001-08-17 18:56 315520 -c--a-w- c:\windows\system32\dllcache\trid3d.dll
2010-09-09 16:00 . 2001-08-17 16:12 34375 -c--a-w- c:\windows\system32\dllcache\tpro4.sys
2010-09-09 16:00 . 2001-08-18 02:35 42496 -c--a-w- c:\windows\system32\dllcache\tp4res.dll
2010-09-09 16:00 . 2008-04-14 09:42 82944 -c--a-w- c:\windows\system32\dllcache\tp4mon.exe
2010-09-09 16:00 . 2001-08-18 02:36 31744 -c--a-w- c:\windows\system32\dllcache\tp4.dll
2010-09-09 16:00 . 2001-08-17 17:51 4992 -c--a-w- c:\windows\system32\dllcache\toside.sys
2010-09-09 16:00 . 2001-08-17 18:02 230912 -c--a-w- c:\windows\system32\dllcache\tosdvd03.sys
2010-09-09 15:59 . 2001-08-17 18:01 241664 -c--a-w- c:\windows\system32\dllcache\tosdvd02.sys
2010-09-09 15:59 . 2001-08-17 16:10 28232 -c--a-w- c:\windows\system32\dllcache\tos4mo.sys
2010-09-09 15:59 . 2001-08-17 16:14 123995 -c--a-w- c:\windows\system32\dllcache\tjisdn.sys
2010-09-09 15:59 . 2004-08-04 12:00 185344 -c--a-w- c:\windows\system32\dllcache\thawbrkr.dll
2010-09-09 15:59 . 2001-08-17 16:51 138528 -c--a-w- c:\windows\system32\dllcache\tgiulnt5.sys
2010-09-09 15:59 . 2001-08-17 18:56 81408 -c--a-w- c:\windows\system32\dllcache\tgiul50.dll
2010-09-09 15:59 . 2008-04-14 04:10 149376 -c--a-w- c:\windows\system32\dllcache\tffsport.sys
2010-09-09 15:59 . 2004-08-04 12:00 19464 -c--a-w- c:\windows\system32\dllcache\tdspx.sys
2010-09-09 15:59 . 2001-08-17 16:13 17129 -c--a-w- c:\windows\system32\dllcache\tdkcd31.sys
2010-09-09 15:58 . 2001-08-17 16:13 37961 -c--a-w- c:\windows\system32\dllcache\tdk100b.sys
2010-09-09 15:58 . 2004-08-04 12:00 21896 -c--a-w- c:\windows\system32\dllcache\tdipx.sys
2010-09-09 15:58 . 2004-08-04 12:00 13192 -c--a-w- c:\windows\system32\dllcache\tdasync.sys
2010-09-09 15:58 . 2001-08-17 17:49 30464 -c--a-w- c:\windows\system32\dllcache\tbatm155.sys
2010-09-09 15:58 . 2001-08-17 17:52 7040 -c--a-w- c:\windows\system32\dllcache\tandqic.sys
2010-09-09 15:58 . 2001-08-17 16:50 36640 -c--a-w- c:\windows\system32\dllcache\t2r4mini.sys
2010-09-09 15:58 . 2001-08-17 18:56 172768 -c--a-w- c:\windows\system32\dllcache\t2r4disp.dll
2010-09-09 15:58 . 2001-08-17 18:07 32640 -c--a-w- c:\windows\system32\dllcache\symc8xx.sys
2010-09-09 15:57 . 2001-08-17 18:07 16256 -c--a-w- c:\windows\system32\dllcache\symc810.sys
2010-09-09 15:57 . 2001-08-17 18:07 30688 -c--a-w- c:\windows\system32\dllcache\sym_u3.sys
2010-09-09 15:57 . 2001-08-17 18:07 28384 -c--a-w- c:\windows\system32\dllcache\sym_hi.sys
2010-09-09 15:57 . 2001-08-18 02:36 94293 -c--a-w- c:\windows\system32\dllcache\sxports.dll
2010-09-09 15:57 . 2001-08-17 17:50 103936 -c--a-w- c:\windows\system32\dllcache\sx.sys
2010-09-09 15:57 . 2001-08-17 18:02 3968 -c--a-w- c:\windows\system32\dllcache\swusbflt.sys
2010-09-09 15:57 . 2001-08-18 02:36 10240 -c--a-w- c:\windows\system32\dllcache\swpidflt.dll
2010-09-09 15:56 . 2001-08-18 02:36 10240 -c--a-w- c:\windows\system32\dllcache\swpdflt2.dll
2010-09-09 15:56 . 2001-08-18 02:36 53760 -c--a-w- c:\windows\system32\dllcache\sw_wheel.dll
2010-09-09 15:56 . 2001-08-18 02:36 41472 -c--a-w- c:\windows\system32\dllcache\sw_effct.dll
2010-09-09 15:56 . 2008-04-14 04:16 15232 -c--a-w- c:\windows\system32\dllcache\streamip.sys
2010-09-09 15:56 . 2001-08-18 02:36 155648 -c--a-w- c:\windows\system32\dllcache\stlnprop.dll
2010-09-09 15:56 . 2001-08-18 02:36 53248 -c--a-w- c:\windows\system32\dllcache\stlncoin.dll
2010-09-09 15:56 . 2001-08-17 16:18 285760 -c--a-w- c:\windows\system32\dllcache\stlnata.sys
2010-09-09 15:56 . 2001-08-17 17:51 16896 -c--a-w- c:\windows\system32\dllcache\stcusb.sys
2010-09-09 15:55 . 2001-08-17 16:11 48736 -c--a-w- c:\windows\system32\dllcache\srwlnd5.sys
2010-09-09 15:55 . 2001-08-18 02:36 99328 -c--a-w- c:\windows\system32\dllcache\srusd.dll
2010-09-09 15:55 . 2004-08-04 12:00 101376 -c--a-w- c:\windows\system32\dllcache\srusbusd.dll
2010-09-09 15:55 . 2001-08-18 02:36 24660 -c--a-w- c:\windows\system32\dllcache\spxupchk.dll
2010-09-09 15:55 . 2001-08-17 17:51 61824 -c--a-w- c:\windows\system32\dllcache\speed.sys
2010-09-09 15:55 . 2001-08-18 02:36 106584 -c--a-w- c:\windows\system32\dllcache\spdports.dll
2010-09-09 15:55 . 2001-08-17 18:07 19072 -c--a-w- c:\windows\system32\dllcache\sparrow.sys
2010-09-09 15:54 . 2001-08-17 17:56 7552 -c--a-w- c:\windows\system32\dllcache\sonypvu1.sys
2010-09-09 15:54 . 2001-08-17 16:51 37040 -c--a-w- c:\windows\system32\dllcache\sonypi.sys
2010-09-09 15:54 . 2001-08-18 02:36 114688 -c--a-w- c:\windows\system32\dllcache\sonypi.dll
2010-09-09 15:54 . 2001-08-17 16:51 20752 -c--a-w- c:\windows\system32\dllcache\sonync.sys
2010-09-09 15:54 . 2001-08-17 17:53 9600 -c--a-w- c:\windows\system32\dllcache\sonymc.sys
2010-09-09 15:54 . 2008-04-14 04:10 7552 -c--a-w- c:\windows\system32\dllcache\sonyait.sys
2010-09-09 15:54 . 2004-08-04 12:00 143422 -c--a-w- c:\windows\system32\dllcache\softkey.dll
2010-09-09 15:54 . 2001-08-17 17:53 7040 -c--a-w- c:\windows\system32\dllcache\snyaitmc.sys
2010-09-09 15:54 . 2001-08-18 02:36 7168 -c--a-w- c:\windows\system32\dllcache\EXCH_snprfdll.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-23 17:33 . 2006-11-22 21:20 -------- d-----w- c:\program files\CallWave
2010-09-23 13:31 . 2006-10-12 23:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-09-18 04:38 . 2007-09-11 10:48 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-09-18 04:11 . 2007-09-11 10:26 -------- d-----w- c:\documents and settings\Dude\Application Data\Media Player Classic
2010-09-18 03:44 . 2008-09-10 20:56 -------- d-----w- c:\program files\Opera
2010-09-18 01:59 . 2010-02-26 15:44 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-09-15 00:38 . 2010-05-18 17:05 1 ----a-w- c:\documents and settings\Dude\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-09-13 23:08 . 2009-07-16 20:21 90 ----a-w- c:\windows\popcinfo.dat
2010-09-09 17:06 . 2007-08-26 21:03 -------- d-----w- c:\documents and settings\Dude\Application Data\DivX
2010-09-07 17:41 . 2007-09-23 20:17 -------- d-----w- c:\program files\Net Tools
2010-09-07 17:41 . 2006-10-13 00:03 -------- d-----w- c:\program files\BibleCD
2010-09-07 17:41 . 2006-10-12 23:31 -------- d-----w- c:\program files\e-Sword
2010-09-07 17:41 . 2006-10-12 23:08 -------- d-----w- c:\program files\123 Free Solitaire
2010-09-07 16:34 . 2010-03-23 14:58 -------- d-----w- c:\program files\CCleaner
2010-09-07 15:35 . 2009-10-25 15:30 -------- d-----w- c:\program files\VS Revo Group
2010-09-07 14:44 . 2006-12-11 00:27 -------- d-----w- c:\program files\FileZilla
2010-09-01 03:06 . 2008-10-24 18:17 -------- d-----w- c:\program files\Common Files\Ahead
2010-09-01 02:53 . 2007-08-26 20:58 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-09-01 02:28 . 2008-10-24 18:17 -------- d-----w- c:\program files\Ahead
2010-08-23 20:06 . 2010-08-23 20:02 -------- d-----w- c:\program files\Moraff’s Maximum MahJongg, Volume 3
2010-08-09 11:50 . 2006-10-15 00:59 -------- d-----w- c:\program files\IrfanView
2010-08-06 14:00 . 2010-08-06 14:00 -------- d-----w- c:\documents and settings\TJ\Application Data\ArcSoft
2010-08-06 13:46 . 2006-11-22 18:46 238088 -c--a-w- c:\documents and settings\TJ\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-06 04:48 . 2009-08-15 21:07 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-08-06 03:11 . 2010-08-06 03:11 8854 ----a-r- c:\documents and settings\Dude\Application Data\Microsoft\Installer\{567885A3-D921-443F-9704-9964D1D8EE33}\ARPPRODUCTICON.exe
2010-08-06 03:11 . 2010-03-08 05:12 -------- d-----w- c:\program files\Pocket e-Sword
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-09-11 2500552]

c:\documents and settings\All Users\Start Menu\Programs\Startup
CallWave.lnk - c:\program files\CallWave\IAM.exe [2006-11-22 1590352]
WordWeb.lnk - c:\program files\WordWeb\wweb32.exe [2009-10-23 42168]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=
backup=c:\windows\pss\Microsoft Find Fast.lnkCommon Startup

[HKLM~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKLM~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]
path=
backup=c:\windows\pss\Office Startup.lnkCommon Startup

[HKLM~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wallpaper Changer.lnk]
path=
backup=c:\windows\pss\Wallpaper Changer.lnkCommon Startup

[HKLM~\startupfolder\C:^Documents and Settings^Dude^Start Menu^Programs^Startup^Thomas Kinkade Screen Saver.lnk]
path=
backup=c:\windows\pss\Thomas Kinkade Screen Saver.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTMSG]
LTMSG.exe 7 [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 10:42 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2006-11-13 17:39 1289000 ----a-w- c:\progra~1\MICROS~4\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
2007-04-11 19:32 56080 ----a-w- c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
2007-04-11 19:32 56080 ----a-w- c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
2000-08-16 01:25 311350 ----a-w- c:\program files\Microsoft Works\wkssb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
2000-08-16 01:25 28739 -c--a-w- c:\program files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 18:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2003-07-28 19:19 4841472 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2003-07-28 19:19 323584 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 15:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
2000-08-16 01:25 24576 -c--a-w- c:\program files\Microsoft Works\wkfud.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mnmsrvc"=3 (0x3)
"NBService"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"rpcapd"=3 (0x3)
"NMIndexingService"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"swg"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"Share-to-Web Namespace Daemon"=c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"c:\Program Files\Opera\opera.exe"=
"c:\Program Files\Java\jre6\bin\java.exe"=
"c:\WINDOWS\system32\fxsclnt.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\Program Files\CallWave\IAM.exe"=

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [9/10/2010 11:40 PM 15592]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [9/10/2010 11:40 PM 239240]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [9/10/2010 11:40 PM 25240]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 2:19 PM 50704]
S3 iteio;iteio;c:\windows\system32\drivers\Iteio.sys [10/12/2006 6:04 PM 3680]
S3 zlportio;ZLPORTIO - Allow user access to I/O ports;\??\d:\programs\DriverWizard\zlportio.sys --> d:\programs\DriverWizard\zlportio.sys [?]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.softpedia.com
mSearch Bar = hxxp://www.google.com
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Download with Star Downloader - c:\program files\Star Downloader\sdie.htm
TCP: {D3773A27-754E-4F19-B1C1-8B1CC1A20417} = 156.154.70.22,156.154.71.22
TCP: {E196FF94-66AF-4E24-A588-933BD51F7E4F} = 208.67.222.222 208.67.220.220
Handler: msell2 - {9367D24B-8506-471A-915A-CFBB4BCEB631} - c:\program files\Common Files\Microsoft Shared\Reference Titles\MSELL2.dll
FF - ProfilePath - c:\documents and settings\TJ\Application Data\Mozilla\Firefox\Profiles\zwc7dr6u.default
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Scroogle
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\documents and settings\TJ\Application Data\Mozilla\Firefox\Profiles\zwc7dr6u.default\extensions\{ca8b7b3d-b6e6-438f-b935-601b3de48d66}\platform\WINNT_x86-msvc\components\FFThrottle.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.امارات", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.السعودية", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
------- File Associations -------
.
txtfile="c:\program files\JGsoft\EditPadLite\EditPadLite.exe" "%1"
.

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-DXM6Patch_981116 - c:\windows\p_981116.exe
MSConfigStartUp-OpwareSE2 - c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
AddRemove-MoraffMahJongg3_is1 - c:\program files\Moraff’s Maximum MahJongg


catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-23 14:35
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0


.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(620)
c:\windows\system32\guard32.dll
.
Completion time: 2010-09-23 14:40:46
ComboFix-quarantined-files.txt 2010-09-23 18:40

Pre-Run: 9,370,255,360 bytes free
Post-Run: 9,360,515,072 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 4A6D4387CD3957333242971A0E456588

Problem still persists. :o
Any ideas? :-\
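A small triage script, added here as an example (it is not part of the original post, of Comodo, or of any tool named on this page), that parses rasautou command lines like the two quoted above. On Windows XP the rasautou -a switch carries the address whose name lookup triggered RAS AutoDial and -e the phonebook entry to use, so grouping launches by the -a value shows which lookups are causing the dial attempts. The script also flags addresses that are not on a constructed allow-list of hosts the installed software is known to resolve, and any rasautou image that is not at the system32 path. The sample records (beyond the two command lines from the post), the allow-list, EXPECTED_HOSTS, EXPECTED_IMAGE and the function names are all the example's own.

```python
import re
from collections import defaultdict

# Constructed process-creation records (image path, command line), in the style
# of what Process Hacker showed for rasautou.exe. The first two command lines
# are the ones quoted in the post; the remaining records are made up.
SAMPLE_RECORDS = [
    (r"C:\WINDOWS\system32\rasautou.exe",
     'rasautou -a "safebrowsing.clients.google.com" -e "MyISP"'),
    (r"C:\WINDOWS\system32\rasautou.exe",
     'rasautou -a "fls.security.comodo.com" -e "MyISP"'),
    (r"C:\WINDOWS\system32\svchost.exe", "svchost.exe -k netsvcs"),
    (r"C:\WINDOWS\system32\rasautou.exe",
     'rasautou -a "safebrowsing.clients.google.com" -e "MyISP"'),
    # Constructed: an AutoDial trigger for a bare IP literal (TEST-NET-3 range)
    (r"C:\WINDOWS\system32\rasautou.exe", 'rasautou -a "203.0.113.9" -e "MyISP"'),
    # Constructed: a rasautou image running from outside system32 (hypothetical
    # path); it should be flagged regardless of its arguments
    (r"C:\Documents and Settings\TJ\Local Settings\Temp\rasautou.exe",
     'rasautou -a "example.invalid" -e "MyISP"'),
]

# Constructed allow-list: hosts the installed software is known to resolve
# (the browser's Safe Browsing lookup and Comodo's cloud lookup).
EXPECTED_HOSTS = {"safebrowsing.clients.google.com", "fls.security.comodo.com"}

# Where the genuine Remote Access Dialer lives on Windows XP
EXPECTED_IMAGE = r"c:\windows\system32\rasautou.exe"

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    """Split a command line on whitespace, keeping double-quoted arguments whole."""
    return [quoted if quoted else bare for quoted, bare in _TOKEN.findall(cmdline)]


def parse_rasautou(cmdline):
    """Extract rasautou's switches: -a (address whose lookup triggered AutoDial),
    -e (phonebook entry) and -f (phonebook file). Returns None for other programs."""
    toks = tokenize(cmdline)
    if not toks:
        return None
    image = toks[0].lower().rsplit("\\", 1)[-1]
    if image not in ("rasautou", "rasautou.exe"):
        return None
    parsed = {"address": None, "entry": None, "phonebook": None}
    switches = {"-a": "address", "-e": "entry", "-f": "phonebook"}
    i = 1
    while i < len(toks):
        key = switches.get(toks[i].lower())
        if key is not None and i + 1 < len(toks):
            parsed[key] = toks[i + 1]
            i += 2
        else:
            i += 1
    return parsed


def summarize_autodial(records, expected_hosts=EXPECTED_HOSTS,
                       expected_image=EXPECTED_IMAGE):
    """Count AutoDial triggers per address and report what deserves a closer look:
    addresses outside the allow-list and rasautou images not at the system32 path.
    Returns (counts, unexpected_addresses, misplaced_images)."""
    counts = defaultdict(int)
    unexpected = set()
    misplaced = []
    for image, cmdline in records:
        parsed = parse_rasautou(cmdline)
        if parsed is None:
            continue
        if image.lower() != expected_image:
            misplaced.append(image)
        if parsed["address"]:
            addr = parsed["address"].lower()
            counts[addr] += 1
            if addr not in expected_hosts:
                unexpected.add(addr)
    return dict(counts), sorted(unexpected), misplaced


if __name__ == "__main__":
    counts, unexpected, misplaced = summarize_autodial(SAMPLE_RECORDS)
    for addr, n in sorted(counts.items()):
        print(f"{n:3d}  {addr}")
    print("not on allow-list:", unexpected)
    print("rasautou outside system32:", misplaced)
```

Feed it the image path and command line of every rasautou launch captured after a reboot; a hostname that keeps appearing under -a is the thing doing the lookup, and that is what to trace next. Comparing the MD5 from the post against a known-good copy of rasautou.exe is a separate step this script does not perform.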

Still no luck stopping it, but ran a few more goodies. :stuck_out_tongue:

"Silent Runners.vbs", revision 61, http://www.silentrunners.org/
Operating System: Windows XP SP3
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"H/PC Connection Agent" = ""C:\PROGRA~1\MICROS~4\wcescomm.exe"" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"COMODO Internet Security" = ""C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h" ["COMODO"]
"HitmanPro35" = ""C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe" /scan:boot" ["SurfRight B.V."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEToolbarHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

{DBC80044-A445-435b-BC74-9C25C1C588A9}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Java™ Plug-In 2 SSV Helper"
\InProcServer32\(Default) = "C:\Program Files\Java\jre6\bin\jp2ssv.dll" ["Sun Microsystems, Inc."]

{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\(Default) = "JQSIEStartDetectorImpl"
-> {HKLM...CLSID} = "JQSIEStartDetectorImpl Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll" ["Sun Microsystems, Inc."]

{FFFFFEF0-5B30-21D4-945D-000000000000}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\STARDO~1\SDIEInt.dll" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{DC70C4A5-2044-4c59-B806-DEFB9AE0DF7C}" = "Logitech Setpoint Extension"
-> {HKLM...CLSID} = "KbLogiExt Class"
\InProcServer32\(Default) = "C:\Program Files\Logitech\SetPoint\kbcplext.dll" ["Logitech Inc."]

"{B9B9F083-2B04-452A-8691-83694AC1037B}" = "Logitech Setpoint Extension"
-> {HKLM...CLSID} = "LogiExt Class"
\InProcServer32\(Default) = "C:\Program Files\Logitech\SetPoint\mcplext.dll" ["Logitech Inc."]

"{CA5FEE26-14C1-4B5A-86E9-233FC0EE2682}" = "IZArc DragDrop Menu"
-> {HKLM...CLSID} = "IZArc DragDrop Menu"
\InProcServer32\(Default) = "C:\PROGRA~1\IZArc\IZArcCM.dll" [null data]

"{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}" = "IZArc Shell Context Menu"
-> {HKLM...CLSID} = "IZArc Shell Context Menu"
\InProcServer32\(Default) = "C:\PROGRA~1\IZArc\IZArcCM.dll" [null data]

"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]

"{BC593DF5-466F-44EC-8FFD-C4DBC603B917}" = "IZArc Shell Context Menu"
-> {HKLM...CLSID} = "IZArc Shell Context Menu"
\InProcServer32\(Default) = "C:\PROGRA~1\IZArc\IZArcCM.dll" [null data]

"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll"" ["OpenOffice.org"]

"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll"" ["OpenOffice.org"]

"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll"" ["OpenOffice.org"]

"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll"" ["OpenOffice.org"]

"{49BF5420-FA7F-11cf-8011-00A0C90A8F78}" = "Mobile Device"
-> {HKLM...CLSID} = "Mobile Device"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\Wcesview.dll" [MS]

"{4255A182-CAD9-4214-A19B-7BA7FB633BBD}" = "Comodo Antivirus"
-> {HKLM...CLSID} = "Comodo AntiVirus"
\InProcServer32\(Default) = "C:\Program Files\COMODO\COMODO Internet Security\cavshell.dll" ["COMODO"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\

<<!>> msell2\CLSID = "{9367D24B-8506-471A-915A-CFBB4BCEB631}"
-> {HKLM...CLSID} = "MSFT RefBU IE4+ Pluggable Protocol"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Reference Titles\MSELL2.dll" [MS]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\

Adobe.Acrobat.ContextMenu(Default) = “{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}”
→ {HKLM…CLSID} = “Acrobat Elements Context Menu”
\InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll” [“Adobe Systems Inc.”]

Comodo Antivirus(Default) = “{4255A182-CAD9-4214-A19B-7BA7FB633BBD}”
→ {HKLM…CLSID} = “Comodo AntiVirus”
\InProcServer32(Default) = “C:\Program Files\COMODO\COMODO Internet Security\cavshell.dll” [“COMODO”]

IZArcCM(Default) = “{BC593DF5-466F-44EC-8FFD-C4DBC603B917}”
→ {HKLM…CLSID} = “IZArc Shell Context Menu”
\InProcServer32(Default) = “C:\PROGRA~1\IZArc\IZArcCM.dll” [null data]

WinZip(Default) = “{E0D79304-84BE-11CE-9641-444553540000}”
→ {HKLM…CLSID} = “WinZip”
\InProcServer32(Default) = “C:\PROGRA~1\WINZIP\WZSHLSTB.DLL” [“WinZip Computing, Inc.”]

{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208}(Default) = (no title provided)
→ {HKLM…CLSID} = “NBShellHook Class”
\InProcServer32(Default) = “C:\Program Files\Nero\Nero 7\Nero BackItUp\NBShell.dll” [“Nero AG”]

HKLM\SOFTWARE\Classes\*\shellex\DragDropHandlers\

NBShellHook(Default) = “{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208}”
→ {HKLM…CLSID} = “NBShellHook Class”
\InProcServer32(Default) = “C:\Program Files\Nero\Nero 7\Nero BackItUp\NBShell.dll” [“Nero AG”]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\

IZArcCM(Default) = “{BC593DF5-466F-44EC-8FFD-C4DBC603B917}”
→ {HKLM…CLSID} = “IZArc Shell Context Menu”
\InProcServer32(Default) = “C:\PROGRA~1\IZArc\IZArcCM.dll” [null data]

WinZip(Default) = “{E0D79304-84BE-11CE-9641-444553540000}”
→ {HKLM…CLSID} = “WinZip”
\InProcServer32(Default) = “C:\PROGRA~1\WINZIP\WZSHLSTB.DLL” [“WinZip Computing, Inc.”]

HKLM\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\

IZArcCM(Default) = “{CA5FEE26-14C1-4B5A-86E9-233FC0EE2682}”
→ {HKLM…CLSID} = “IZArc DragDrop Menu”
\InProcServer32(Default) = “C:\PROGRA~1\IZArc\IZArcCM.dll” [null data]

WinZip(Default) = “{E0D79305-84BE-11CE-9641-444553540000}”
→ {HKLM…CLSID} = “WinZip”
\InProcServer32(Default) = “C:\PROGRA~1\WINZIP\WZSHLSTB.DLL” [“WinZip Computing, Inc.”]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\

{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}(Default) = “OpenOffice.org Column Handler”
→ {HKLM…CLSID} = (no title provided)
\InProcServer32(Default) = ““C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll”” [“OpenOffice.org”]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\

Comodo Antivirus(Default) = “{4255A182-CAD9-4214-A19B-7BA7FB633BBD}”
→ {HKLM…CLSID} = “Comodo AntiVirus”
\InProcServer32(Default) = “C:\Program Files\COMODO\COMODO Internet Security\cavshell.dll” [“COMODO”]

WinZip(Default) = “{E0D79304-84BE-11CE-9641-444553540000}”
→ {HKLM…CLSID} = “WinZip”
\InProcServer32(Default) = “C:\PROGRA~1\WINZIP\WZSHLSTB.DLL” [“WinZip Computing, Inc.”]

{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208}(Default) = (no title provided)
→ {HKLM…CLSID} = “NBShellHook Class”
\InProcServer32(Default) = “C:\Program Files\Nero\Nero 7\Nero BackItUp\NBShell.dll” [“Nero AG”]

HKLM\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\

IZArcCM(Default) = “{CA5FEE26-14C1-4B5A-86E9-233FC0EE2682}”
→ {HKLM…CLSID} = “IZArc DragDrop Menu”
\InProcServer32(Default) = “C:\PROGRA~1\IZArc\IZArcCM.dll” [null data]

NBShellHook(Default) = “{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208}”
→ {HKLM…CLSID} = “NBShellHook Class”
\InProcServer32(Default) = “C:\Program Files\Nero\Nero 7\Nero BackItUp\NBShell.dll” [“Nero AG”]

WinZip(Default) = “{E0D79305-84BE-11CE-9641-444553540000}”
→ {HKLM…CLSID} = “WinZip”
\InProcServer32(Default) = “C:\PROGRA~1\WINZIP\WZSHLSTB.DLL” [“WinZip Computing, Inc.”]

Default executables:

<<!>> HKLM\SOFTWARE\Classes\.com(Default) = “ComFile”

Group Policies {GPedit.msc branch and setting}:

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

“NoDrives” = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

“NoRemoteRecursiveEvents” = (REG_DWORD) dword:0x00000001
{unrecognized setting}

“NoDrives” = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

“DisableRegistryTools” = (REG_DWORD) dword:0x00000000
{unrecognized setting}

Active Desktop and Wallpaper:

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General
“Wallpaper” = “C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp”

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop
“Wallpaper” = “C:\Documents and Settings\TJ\Local Settings\Application Data\Microsoft\Wallpaper1.bmp”

Windows Portable Device AutoPlay Handlers

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

ImgBurnBluRayBurningOnArrival_BuildImage
“Provider” = “ImgBurn”
“InvokeProgID” = “ImgBurn.AutoPlay.1”
“InvokeVerb” = “HandleBluRayBurningOnArrival_BuildImage”
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleBluRayBurningOnArrival_BuildImage\command(Default) = "“C:\Program Files\ImgBurn\ImgBurn.exe” /MODE BUILD /OUTPUTMODE DEVICE /DEST “%1"” [“LIGHTNING UK!”]

ImgBurnBluRayBurningOnArrival_BurnImage
“Provider” = “ImgBurn”
“InvokeProgID” = “ImgBurn.AutoPlay.1”
“InvokeVerb” = “HandleBluRayBurningOnArrival_BurnImage”
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleBluRayBurningOnArrival_BurnImage\command(Default) = "“C:\Program Files\ImgBurn\ImgBurn.exe” /MODE WRITE /DEST “%1"” [“LIGHTNING UK!”]

ImgBurnCDBurningOnArrival_BuildImage
“Provider” = “ImgBurn”
“InvokeProgID” = “ImgBurn.AutoPlay.1”
“InvokeVerb” = “HandleCDBurningOnArrival_BuildImage”
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleCDBurningOnArrival_BuildImage\command(Default) = "“C:\Program Files\ImgBurn\ImgBurn.exe” /MODE BUILD /OUTPUTMODE DEVICE /DEST “%1"” [“LIGHTNING UK!”]

ImgBurnCDBurningOnArrival_BurnImage
“Provider” = “ImgBurn”
“InvokeProgID” = “ImgBurn.AutoPlay.1”
“InvokeVerb” = “HandleCDBurningOnArrival_BurnImage”
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleCDBurningOnArrival_BurnImage\command(Default) = "“C:\Program Files\ImgBurn\ImgBurn.exe” /MODE WRITE /DEST “%1"” [“LIGHTNING UK!”]

ImgBurnDVDBurningOnArrival_BuildImage
“Provider” = “ImgBurn”
“InvokeProgID” = “ImgBurn.AutoPlay.1”
“InvokeVerb” = “HandleDVDBurningOnArrival_BuildImage”
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleDVDBurningOnArrival_BuildImage\command(Default) = "“C:\Program Files\ImgBurn\ImgBurn.exe” /MODE BUILD /OUTPUTMODE DEVICE /DEST “%1"” [“LIGHTNING UK!”]

ImgBurnDVDBurningOnArrival_BurnImage
“Provider” = “ImgBurn”
“InvokeProgID” = “ImgBurn.AutoPlay.1”
“InvokeVerb” = “HandleDVDBurningOnArrival_BurnImage”
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleDVDBurningOnArrival_BurnImage\command(Default) = "“C:\Program Files\ImgBurn\ImgBurn.exe” /MODE WRITE /DEST “%1"” [“LIGHTNING UK!”]

ImgBurnHDDVDBurningOnArrival_BuildImage
“Provider” = “ImgBurn”
“InvokeProgID” = “ImgBurn.AutoPlay.1”
“InvokeVerb” = “HandleHDDVDBurningOnArrival_BuildImage”
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleHDDVDBurningOnArrival_BuildImage\command(Default) = "“C:\Program Files\ImgBurn\ImgBurn.exe” /MODE BUILD /OUTPUTMODE DEVICE /DEST “%1"” [“LIGHTNING UK!”]

ImgBurnHDDVDBurningOnArrival_BurnImage
“Provider” = “ImgBurn”
“InvokeProgID” = “ImgBurn.AutoPlay.1”
“InvokeVerb” = “HandleHDDVDBurningOnArrival_BurnImage”
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleHDDVDBurningOnArrival_BurnImage\command(Default) = "“C:\Program Files\ImgBurn\ImgBurn.exe” /MODE WRITE /DEST “%1"” [“LIGHTNING UK!”]

ImgBurnPlayBluRayOnArrival_ReadDisc
“Provider” = “ImgBurn”
“InvokeProgID” = “ImgBurn.AutoPlay.1”
“InvokeVerb” = “PlayBluRayOnArrival_ReadDisc”
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\PlayBluRayOnArrival_ReadDisc\command(Default) = "“C:\Program Files\ImgBurn\ImgBurn.exe” /MODE READ /SRC “%1"” [“LIGHTNING UK!”]

ImgBurnPlayCDAudioOnArrival_ReadDisc
“Provider” = “ImgBurn”
“InvokeProgID” = “ImgBurn.AutoPlay.1”
“InvokeVerb” = “PlayCDAudioOnArrival_ReadDisc”
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\PlayCDAudioOnArrival_ReadDisc\command(Default) = "“C:\Program Files\ImgBurn\ImgBurn.exe” /MODE READ /SRC “%1"” [“LIGHTNING UK!”]

ImgBurnPlayDVDMovieOnArrival_ReadDisc
“Provider” = “ImgBurn”
“InvokeProgID” = “ImgBurn.AutoPlay.1”
“InvokeVerb” = “PlayDVDMovieOnArrival_ReadDisc”
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\PlayDVDMovieOnArrival_ReadDisc\command(Default) = "“C:\Program Files\ImgBurn\ImgBurn.exe” /MODE READ /SRC “%1"” [“LIGHTNING UK!”]

ImgBurnPlayHDDVDOnArrival_ReadDisc
“Provider” = “ImgBurn”
“InvokeProgID” = “ImgBurn.AutoPlay.1”
“InvokeVerb” = “PlayHDDVDOnArrival_ReadDisc”
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\PlayHDDVDOnArrival_ReadDisc\command(Default) = "“C:\Program Files\ImgBurn\ImgBurn.exe” /MODE READ /SRC “%1"” [“LIGHTNING UK!”]

MPCPlayCDAudioOnArrival
“Provider” = “Media Player Classic”
“InvokeProgID” = “MediaPlayerClassic.Autorun”
“InvokeVerb” = “PlayCDAudio”
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayCDAudio\command(Default) = ““C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe” %1 /cd” [“MPC-HC Team”]

MPCPlayDVDMovieOnArrival
“Provider” = “Media Player Classic”
“InvokeProgID” = “MediaPlayerClassic.Autorun”
“InvokeVerb” = “PlayDVDMovie”
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayDVDMovie\command(Default) = ““C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe” %1 /dvd” [“MPC-HC Team”]

MPCPlayMusicFilesOnArrival
“Provider” = “Media Player Classic”
“InvokeProgID” = “MediaPlayerClassic.Autorun”
“InvokeVerb” = “PlayMusicFiles”
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayMusicFiles\command(Default) = ““C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe” %1” [“MPC-HC Team”]

MPCPlayVideoFilesOnArrival
“Provider” = “Media Player Classic”
“InvokeProgID” = “MediaPlayerClassic.Autorun”
“InvokeVerb” = “PlayVideoFiles”
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayVideoFiles\command(Default) = ““C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe” %1” [“MPC-HC Team”]

MSWPDShellNamespaceHandler
“Provider” = “@%SystemRoot%\System32\WPDShextRes.dll,-501”
“CLSID” = “{A55803CC-4D53-404c-8557-FD63DBA95D24}”
“InitCmdLine” = " "
→ {HKLM…CLSID} = “WPDShextAutoplay”
\LocalServer32(Default) = “C:\WINDOWS\system32\WPDShextAutoplay.exe” [MS]

Startup items in “TJ” & “All Users” startup folders:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
“CallWave” → shortcut to: “C:\Program Files\CallWave\IAM.exe -start” [“CallWave, Inc.”]
“WordWeb” → shortcut to: “C:\Program Files\WordWeb\wweb32.exe” [“Antony Lewis”]

Winsock2 Service Provider DLLs:

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]
000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS]
000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:

Toolbars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar
“{47833539-D0C5-4125-9FA8-0819E2EAAC93}” = (no title provided)
→ {HKLM…CLSID} = “Adobe PDF”
\InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll” [null data]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{182EC0BE-5110-49C8-A062-BEB1D02A220B}(Default) = “Adobe PDF”
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll” [null data]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions
{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}
“ButtonText” = “Create Mobile Favorite”
“CLSIDExtension” = “{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}”
→ {HKLM…CLSID} = “Create Mobile Favorite”
\InProcServer32(Default) = “C:\PROGRA~1\MICROS~4\INetRepl.dll” [MS]

{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}
“MenuText” = “Create Mobile Favorite…”
“CLSIDExtension” = “{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}”
→ {HKLM…CLSID} = “Create Mobile Favorite”
\InProcServer32(Default) = “C:\PROGRA~1\MICROS~4\INetRepl.dll” [MS]

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}
“MenuText” = “Spybot - Search & Destroy Configuration”
“CLSIDExtension” = “{53707962-6F74-2D53-2644-206D7942484F}”
→ {HKLM…CLSID} = “Spybot-S&D IE Protection”
\InProcServer32(Default) = “C:\PROGRA~1\SPYBOT~1\SDHelper.dll” [“Safer Networking Limited”]

{E2E2DD38-D088-4134-82B7-F2BA38496583}
“MenuText” = “@xpsp3res.dll,-20001”
“Exec” = “%windir%\Network Diagnostic\xpnetdiag.exe” [MS]

Miscellaneous IE Hijack Points

HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs
<> “PhishingSite” = “res://nctb.dll/phishingsite.htm” [file not found]

Running Services (Display Name, Service Name, Path {Service DLL}):

COMODO Internet Security Helper Service, cmdAgent, ““C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe”” [“COMODO”]

Safe Mode Drivers & Services (subkey name, subkey default value):

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\

<<!>> WdfLoadGroup, (title not found)

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\

<<!>> WdfLoadGroup, (title not found)

Print Monitors:

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
Adobe PDF Port\Driver = “C:\WINDOWS\system32\AdobePDF.dll” [“Adobe Systems Incorporated.”]
Microsoft Shared Fax Monitor\Driver = “FXSMON.DLL” [MS]

---------- (launch time: 2010-09-23 19:45:32)
<<!>>: Suspicious data at a malware launch point.
<>: Suspicious data at a browser hijack point.

  • This report excludes default entries except where indicated.
  • To see everywhere the script checks and everything it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
  • To search all directories of local fixed drives for DESKTOP.INI
    DLL launch points, use the -supp parameter or answer “No” at the
    first message box and “Yes” at the second message box.
    ---------- (total run time: 202 seconds, including 21 seconds for message boxes)

Comodo blocked an attempt from 71.200.96.154 to connect to lsass.exe on port 500. (Trusted source says it’s high risk)

Ran RootkitRevealer…

HKU\S-1-5-21-515967899-329068152-1177238915-1007\Console 9/23/2010 2:40 PM 0 bytes Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC* 10/12/2006 5:52 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 10/12/2006 5:52 PM 0 bytes Key name contains embedded nulls (*)

Ran HitmanPro

- - - - -

Hmm… now what ???

Try going to Control Panel → Admin Tools → Task Scheduler. See if anything there is listed to start up during boot.

Nothing listed. Even if there was, it should have shown up in SilentRunners.

I found this nice article from Microsoft: http://support.microsoft.com/kb/152220
Decided to run “rasautou -s”, turns out there was not only one but 95 entries! I went ahead and deleted those entries from registry, they seemed to be related to anything that had ever been on the computer from their favorites lists to random dns servers including Comodo’s…

I’m still not sure we’re out in the clean yet, but for the time being the auto-dialer has temporarily stopped. Time will tell.

Update! The bot/dialer has returned! Ok now I’m officially confused, this thing comes and goes nearly without a trace. ???

Use a bootable CD to scan the computer; it might be hiding somewhere that is impossible to get to while the computer is running. I recommend downloading Kaspersky Rescue Disk 10 http://rescuedisk.kaspersky-labs.com/rescuedisk/updatable and Dr.Web LiveCD http://www.freedrweb.com/livecd/?lng=en , do a full scan with both. Note you will need a wired connection to be able to update.

Hmm, I’ve tried Dr. Web LiveCD before, not Kaspersky’s. Thanks for the tip, though I’ll have to leave this 56k dead zone to download the ISOs…

Have you scanned with Malwarebytes and SuperAntiSpyware already?

Hi Gaming4JC ,

Comodo V4/v5 will not protect you from real malware - that is a myth

(including the fact that its AV has a pretty low level of detection & a very high level of FPs and that the sandbox is basically neither a sandbox nor virtualization at all)

Well, basically there is no such thing as 100% protection, no matter what security you are using

At the same time it is very sad that users of this security forum will run such Tools as ComboFix without the supervision of a professional

That can make more damage than any malware itself

And that is going on and on here… similar to posting HijackThis reports and thinking that it is some kind of malware removal Tool

Sad story indeed

Cheers!

@Languy99: I’ve run Kaspersky’s latest Live CD. Didn’t catch much. I might do Dr.Web in a bit, but I thought that it also powered HitmanPro?

@Chiron: I’ve scanned with Malwarebytes, I keep that on hand regularly. Didn’t catch anything. I’ve not tried SuperAntiSpyware yet. I guess I can give it a shot.

@SiberLynx: Heh… pwnage. (:SAD)

Can you please post a HijackThis report for me to look at?

Sorry SiberLynx, but I can’t see anywhere that anyone on this forum asked the OP to run ComboFix, can you? It looks to me like he ran ComboFix, Wireshark and other goodies off his own bat!

That may all be true but it is not helping topic starter with his topic. Please refrain from posting off topic comments.

You can try this: http://www.emsisoft.com/en/software/antidialer/

Hi Matty_R,

Thank you for the reply
… and that is not what I said re: ComboFix - what I posted was a simple precaution

As for the Hijack flavours - you will definitely find many requests here in the forum for posting the report for no apparent reason.

Cheers!

==============

Thank you Eric

It depends…

Most likely the original poster and any other user who is reading the thread

  • will not run the said Tool without the supervision of an expert in the future;
  • will read carefully what is written here/in professional malware removal forums, and most importantly in the ComboFix documentation in the 1st place;
  • running it blindly can damage your system beyond repair way before you can get any help

From this perspective the post & the precaution can rather be considered as being helpful and definitely not being Offtopic

You, as a moderator may think about adding a special clause about the matter in the respective thread here in Comodo forum
… rather than bullying and pricking me again and again for no apparent reason as you do, starting from the release of v4

Thank you again , Eric

It seems to me that every & any new post of yours addressed to me from some point
will contain this line

I have it (the above expression) engraved already
So please refrain from posting “please refrain from” every time

Thanks once more, Eric

Went ahead and ran SuperAntiSpy; it caught Trojan.Gen.Kryptic? (typo?) in C:\ASR3232… but the computer is still dialing by itself. More interestingly, Comodo seems to be related, or at least it’s using it as a decoy. Either that or the OS is corrupt. Whenever “any” application checks for an internet connection it immediately dials that request. I was quite surprised to find 25 outbound connections from cmdagent.exe. Upon closer investigation, I found that it was not the updates, which I had turned off, but rather “Perform cloud based analysis…” and “automatically scan unrecognized files in the cloud”. Why on earth would Comodo look up all the running applications without the user’s consent? I’ve got a hefty .pcap file for anyone interested in seeing whatever it was that it was sending out to remote ports 4447 and 4448.

Here’s the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:35:11 PM, on 9/25/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\PROGRA~1\MICROS~4\wcescomm.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\CallWave\IAM.exe
C:\Program Files\WordWeb\wweb32.exe
C:\DOCUME~1\TJ\LOCALS~1\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN | Outlook, Office, Skype, Bing, Breaking News, and Latest Videos
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN | Outlook, Office, Skype, Bing, Breaking News, and Latest Videos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [avgnt] “C:\Program Files\Avira\AntiVir Desktop\avgnt.exe” /min
O4 - HKLM\..\Run: [COMODO Internet Security] “C:\Program Files\COMODO\COMODO Internet Security\cfp.exe” -h
O4 - HKCU\..\Run: [H/PC Connection Agent] “C:\PROGRA~1\MICROS~4\wcescomm.exe”
O4 - HKCU\..\Run: [DialerShield] “C:\Program Files\DialerShield\DialerShield_free.exe” startup
O4 - Global Startup: CallWave.lnk
O4 - Global Startup: WordWeb.lnk
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra ‘Tools’ menuitem: Create Mobile Favorite… - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra ‘Tools’ menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188426128703
O17 - HKLM\System\CCS\Services\Tcpip\..\{D3773A27-754E-4F19-B1C1-8B1CC1A20417}: NameServer = 156.154.70.22,156.154.71.22
O18 - Protocol: msell2 - {9367D24B-8506-471A-915A-CFBB4BCEB631} - C:\Program Files\Common Files\Microsoft Shared\Reference Titles\MSELL2.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe


End of file - 5185 bytes

DialerShield is a free program to block dialers. It seems legit, but it only pops up after the dialer has appeared, alerts you that someone is attempting to dial, and then closes it. Multiply this several hundred times an hour and I think you’ll find it is rather useless in stopping it permanently. :-/

Hi Gaming4JC ,

  1. in your 1st post you said that the users uninstalled Avira, but the entries are still there in the system
    e.g. O4 - Enumeration of suspicious autoloading Registry entries:
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O23 - Enumeration of NT Services:

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

So basically either Avira was not uninstalled or was not properly uninstalled and you have leftovers (that could be an issue by its own).

  1. If you are using the full CIS Suite with its AV - you should take care of the above because 2 active AVs can create clashes & system conflicts
    You should have one and only one AV with active real-time resident
    The other one can be left as on-demand scanner only.
    That is irrespectively

  2. What is known and closer to the Topic - Avira was flagging DialerShield in the past and it was an FP

  3. What hardware is used for the connection?
    If that is say ADSL or alike but not dial-up - you do not need any Anti-Dialers being installed anyway

Therefore have you tried just simply uninstall the thing in the 1st place in case you are not using “dial-up”?

  1. that you can be more specific in the description about "computer is still dialing by itself" and how it is connected to DialerShield, which supposedly should prevent that (when dial-up is used)
    Any info that you can provide from Comodo logs regarding that?

The name of the alleged infection does not provide any information
In addition you did not provide even the full file name, which is unacceptable
In any case if you ran SuperAntiSpy & it flagged something
In addition the “typo?” ??? question is not appropriate - never type! Please copy/paste from the report.

a) it may not relate to your current problem;
b) you have to submit the file to the vendor’s developers (SuperAntiSpy in this case) in order to get the analysis result

My regards

1 & 2) I agree the thing did not uninstall correctly. As an update, I’ve also uninstalled Comodo, which also failed to uninstall correctly (seems odd all the security software is non-responsive). I ran Revo Uninstaller and it helped fix things up. Then I re-installed Comodo Firewall specifically, leaving A/V off. Followed by Avira, latest version.

  1. DialerShield isn’t the problem, never got any FP out of it either. It helped a little…
    By this I mean it simply alerts you that it’s dialing, but does not prevent it from happening until it’s nearly connected. I’ve uninstalled it now.

  2. The computer is running a standard PCI 56k modem.

  3. Dialing by itself. Meaning it is as if someone initiates the dialer entirely without the person’s consent. No logs are present since Comodo seems to not have a problem with Windows applications.

  4. Sorry, I typed the last post on the fly. The detections were as follows:
    SuperAntiSpy: Trojan.Agent/Gen-Krpytik -C:\ASR3232\BIN\US\ASRTST32.DLL
    Newly Installed Avira AntiVir Personal:
    Type: File
    Source: C:\Documents and Settings\TJ\Local Settings\Application Data\Mozilla\Firefox\Profiles\zwc7dr6u.default\Cache\147FDC47d01
    Status: Infected
    Quarantine object: 4e961c85.qua
    Restored: NO
    Uploaded to Avira: NO
    Operating System: Windows 2000/XP/VISTA Workstation
    Search engine: 8.02.01.210
    Virus definition file: 7.10.06.62
    Detection: Contains HEUR/HTML.Malware suspicious code
    Date/Time: 9/25/2010, 23:27


I find this rather odd since I’ve already run CCleaner, which would have presumably gotten rid of the cache. It happened when I went to google.com

I also found why it was auto-dialing, though I think this keeps getting reset.
From network connections:
Advanced >> Dial-up Settings…>>Uncheck Enable Auto-dial by location, Check always ask me, and check Disable Auto-dial while I am logged in.

For now this has resolved the issue, but I still don’t feel that we’re out of hot water yet.

Here’s a newer Hijack This Log, with MD5 hashcheck enabled:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:38:16 AM, on 9/26/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CallWave\IAM.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\JGsoft\EditPadLite\EditPadLite.exe
C:\DOCUME~1\Dude\LOCALS~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.softpedia.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN | Outlook, Office, Skype, Bing, Breaking News, and Latest Videos
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN | Outlook, Office, Skype, Bing, Breaking News, and Latest Videos
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = “C:\Program Files\Outlook Express\msimn.exe” //eml:E:\tumb_drive\7-06 backup\Mail\Devotional - Good Deeds Glorify God.eml
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Softpedia
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll (filesize 50376 bytes, MD5 0C0E1B2BCAED8DF401BE94D538BCB412)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (filesize 1879896 bytes, MD5 022C2F6DCCDFA0AD73024D254E62AFAC)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll (filesize 147456 bytes, MD5 44BCFF08947790E74BD7CC7532D2B793)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (filesize 41760 bytes, MD5 1B9245C09E475DC5AA522CAE5809E659)
O2 - BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (filesize 79648 bytes, MD5 825E8AEDE0F61C3B170A3F15E2461573)
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll (filesize 135680 bytes, MD5 56B1216E54C4832BFAF63CC96E98A522)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll (filesize 147456 bytes, MD5 44BCFF08947790E74BD7CC7532D2B793)
O4 - HKLM..\Run: [avgnt] “C:\Program Files\Avira\AntiVir Desktop\avgnt.exe” /min (filesize 282792 bytes, MD5 CF4A0E2C240501C826977ACC5F0E8411)
O4 - HKLM..\Run: [COMODO Internet Security] “C:\Program Files\COMODO\COMODO Internet Security\cfp.exe” -h (filesize 2500552 bytes, MD5 6E1378AF90EEC031E755A7DA537F340D)
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: CallWave.lnk = C:\Program Files\CallWave\IAM.exe (filesize 1590352 bytes, MD5 1EA059EA96C93CDAF339226A09E681AD)
O4 - Global Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe (filesize 42168 bytes, MD5 430C23985F52F458895B3875BCA5C4B8)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm (filesize 979 bytes, MD5 4CC3255B21BA94CC89E993C9B2DB05EA)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll (filesize 158504 bytes, MD5 F24D3D66C7E3F29485B14BEED91BE9E8)
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll (filesize 158504 bytes, MD5 F24D3D66C7E3F29485B14BEED91BE9E8)
O9 - Extra ‘Tools’ menuitem: Create Mobile Favorite… - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll (filesize 158504 bytes, MD5 F24D3D66C7E3F29485B14BEED91BE9E8)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (filesize 1879896 bytes, MD5 022C2F6DCCDFA0AD73024D254E62AFAC)
O9 - Extra ‘Tools’ menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (filesize 1879896 bytes, MD5 022C2F6DCCDFA0AD73024D254E62AFAC)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (filesize 558080 bytes, MD5 AAC1D4EE39DF138C5D30AC5883E3B59F)
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (filesize 558080 bytes, MD5 AAC1D4EE39DF138C5D30AC5883E3B59F)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188426128703
O17 - HKLM\System\CCS\Services\Tcpip..{D3773A27-754E-4F19-B1C1-8B1CC1A20417}: NameServer = 156.154.70.22,156.154.71.22
O17 - HKLM\System\CCS\Services\Tcpip..{E196FF94-66AF-4E24-A588-933BD51F7E4F}: NameServer = 208.67.222.222 208.67.220.220
O18 - Protocol: msell2 - {9367D24B-8506-471A-915A-CFBB4BCEB631} - C:\Program Files\Common Files\Microsoft Shared\Reference Titles\MSELL2.dll (filesize 122936 bytes, MD5 856A38DEE756E828C8D5D0C89F56D804)
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll (filesize 1025024 bytes, MD5 E392E172687BE172F8600C5F41AB03D9)
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll (filesize 1025024 bytes, MD5 E392E172687BE172F8600C5F41AB03D9)
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe


End of file - 7498 bytes

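Added example, not part of the thread: a small Python parser for HijackThis v2.0.4 entries in the MD5-hashcheck format used by the log above. It pulls out the entry code, file path, size and hash, lists entries that carry no hash (the ones to hash by hand before looking them up), and reports hashes shared by several entries, as AcroIEFavClient.dll, INetRepl.dll and SDHelper.dll are in the log. The sample lines inside it are constructed and are not from the client's machine.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the HijackThis v2.0.4 "MD5 hashcheck" format; names, sizes and hashes are made up.
SAMPLE_LOG = r"""
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll (filesize 1234 bytes, MD5 0123456789ABCDEF0123456789ABCDEF)
O3 - Toolbar: Example Bar - {00000000-0000-0000-0000-000000000002} - C:\Program Files\Example\helper.dll (filesize 1234 bytes, MD5 0123456789ABCDEF0123456789ABCDEF)
O4 - HKLM\..\Run: [Example] "C:\Program Files\Example\example.exe" /min (filesize 4321 bytes, MD5 FEDCBA9876543210FEDCBA9876543210)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Example Service (ExampleSvc) - Example Ltd - C:\Program Files\Example\svc.exe
"""

# "<code> - <body>" with an optional trailing "(filesize N bytes, MD5 <hash>)" annotation.
ENTRY_RE = re.compile(r"^(?P<code>[ORF]\d+) - (?P<body>.*?)"
                      r"(?: \(filesize (?P<size>\d+) bytes, MD5 (?P<md5>[0-9A-Fa-f]{32})\))?$")
# First Windows path in the body; paths may contain spaces, so stop at the file extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|sys|ocx|lnk|htm)\b', re.IGNORECASE)


@dataclass
class HjtEntry:
    code: str               # HijackThis section, e.g. "O4" or "O23"
    path: Optional[str]     # file the entry points at, if one was found
    filesize: Optional[int]
    md5: Optional[str]      # upper-case hex, or None when the log carries no hash


def parse_entry(line: str) -> Optional[HjtEntry]:
    """One log line -> entry; None for headers, blanks and the process list."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    p = PATH_RE.search(m.group("body"))
    size, md5 = m.group("size"), m.group("md5")
    return HjtEntry(m.group("code"), p.group(0) if p else None,
                    int(size) if size else None, md5.upper() if md5 else None)


def parse_log(text: str) -> List[HjtEntry]:
    return [e for e in (parse_entry(ln) for ln in text.splitlines()) if e]


def unhashed_paths(entries: List[HjtEntry]) -> List[str]:
    """Paths whose entry has no filesize/MD5: hash these by hand before a lookup."""
    return [e.path for e in entries if e.path and e.md5 is None]


def shared_hashes(entries: List[HjtEntry]) -> Dict[str, List[str]]:
    """MD5 -> entry codes, for one file registered under several entries."""
    by_hash: Dict[Optional[str], List[str]] = {}
    for e in entries:
        by_hash.setdefault(e.md5, []).append(e.code)
    return {h: codes for h, codes in by_hash.items() if h and len(codes) > 1}
```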
Hi again, Gaming4JC

Thank you for the reply

Since you fixed the problem with Avira (as far as I understand) by properly uninstalling it and installing the latest version, which is a much better choice compared to Comodo’s AV,

there are a few things to point out:

  1. you most likely do not need the DialerShield;
    therefore, what about the question asked above: “have you tried to uninstall it?”;

  2. if you are on dial-up (thanks for confirming again) you would be better off with Anti-Dialer, as bcman suggested above;

  3. As for #6:

No need to apologize.
We do things “on the fly” sometimes :)
As the Russian proverb says… I will try to translate it as closely as possible:
“Being in a hurry is necessary only when trying to catch fleas” :D
So, concerning ASRTST32.DLL flagged by SAS – please do as suggested – submit it.
The submission procedure is pretty much similar (if not the same) for any vendor;

If you still have questions and are not sure,
in order to get out of the “hot water” / swamp / “Muddy Waters” (I’m not talking about one of the greatest musicians ever ;D):
As was pointed out above, many times over and over, HiJack(XXX) is not a malware removal tool by any means! It cannot be used on its own to find and eliminate anything serious except BHOs. That is its main purpose, not much more than that! It can show some signs of malware presence, though, but not much more than that;

  1. Please read the following thread;
    visit the site and follow the instructions given here for Naren.
    Please pay attention to my last post addressed to Naren.
    (main point: you will not need to install some of the required utilities)

Cheers!

If you don’t like my posts, please report them using the “Report to moderator” link or PM another moderator about my behaviour.