[Resolved]Svchost.exe Error


  • This topic is locked
12 replies to this topic

#1 Shawn Patrick


Posted 13 July 2007 - 12:51 AM

I am receiving a svchost.exe error on boot up. I am new to HJT and to this forum, please accept my apologies for any mistakes. Below is my HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 2:47:11 AM, on 7/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {07D5AD61-4377-41FF-B95A-A85585D0B577} - C:\Program Files\ComPlus Applications\hokerof43855.dll (file missing)
O2 - BHO: (no name) - {39BE2139-20B6-4E17-91D5-7C2A8827CD54} - C:\Program Files\ComPlus Applications\hokerof58441.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: H - {7AD924F3-6353-4f92-B034-A900434ECCAF} - xcvbbnnm.dll (file missing)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B45FC20D-6906-4E72-AA59-392CC61FDAA9} - C:\WINDOWS\system32\reginix86b.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [autoload] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKCU\..\Run: [autorun] C:\Documents and Settings\Terrell Patrick\svchost.exe
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Start WebEx MeetMeNow - {F5AD6CC5-776C-4DBB-B38F-F5404A3582F3} - C:\WINDOWS\DOWNLO~1\MyWebEx\419\mwmie.dll
O9 - Extra 'Tools' menuitem: Start WebEx MeetMeNow - {F5AD6CC5-776C-4DBB-B38F-F5404A3582F3} - C:\WINDOWS\DOWNLO~1\MyWebEx\419\mwmie.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - https://www.topprodu...ds/msjavx86.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6845694A-DA34-4FD0-A051-7B6F727113A3}: NameServer = 208.67.222.222,208.67.220.220,205.152.37.23,69.44.111.2,205.152.144.23,69.45.6.3
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe



#2 silver


Posted 14 July 2007 - 04:22 AM

Hi Shawn Patrick,

Your computer appears to have been infected by a backdoor trojan. These programs have the ability to steal passwords and other information from your system. If you use your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:
  • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, PayPal, eBay, etc. You should also change the passwords for any other site you use.
  • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
  • Consider what other private information could possibly have been taken from your computer and take appropriate steps.

This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean. If this is unacceptable to you then you should consider reformatting the system partition and reinstalling Windows, as this is the only 100% sure answer.

If you wish to reformat then please let me know in your next response. I'll now continue with instructions for cleaning.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).

Download ComboFix to your desktop
  • Double click combofix.exe and follow the prompts.
  • Note: Do not click ComboFix's window while it's running - it may cause it to stall!
  • When finished, it shall produce a log for you, please post it in your next response.

Once complete, please post the SDFix report, the ComboFix report and a new HijackThis log.

ASAP & UNITE Member
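
Added example (not part of silver's reply, and not how HijackThis or SDFix work internally): three generic triage heuristics run over lines excerpted from the HijackThis log in post #1. They flag extra programs chained onto UserInit, BHO registrations whose file is missing, and core Windows process names started from outside system32. The rule names, `triage()` and the fixed `SYSTEM32` path are assumptions made for this illustration.

```python
import ntpath
import re

# Lines excerpted from the HijackThis log in post #1; several clean entries
# are kept as controls so the rules can be seen not to fire on them.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {07D5AD61-4377-41FF-B95A-A85585D0B577} - C:\Program Files\ComPlus Applications\hokerof43855.dll (file missing)
O2 - BHO: H - {7AD924F3-6353-4f92-B034-A900434ECCAF} - xcvbbnnm.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKCU\..\Run: [autoload] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKCU\..\Run: [autorun] C:\Documents and Settings\Terrell Patrick\svchost.exe
"""

# Assumption: Windows is installed in the default location shown in the log.
SYSTEM32 = r"c:\windows\system32"
# Core processes that normally run only from the system32 folder.
CORE_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe",
              "services.exe", "lsass.exe", "svchost.exe"}

USERINIT_RE = re.compile(r"F2 - REG:system\.ini: UserInit=(.*)$", re.I)
BHO_RE = re.compile(r"O2 - BHO: .*? - (?P<clsid>\{[0-9A-Fa-f-]+\}) - "
                    r".+?(?P<missing> \(file missing\))?$")
RUN_RE = re.compile(r"O4 - HK\w+\\\.\.\\Run\w*: \[[^\]]*\] (?P<cmd>.+)$")
PROC_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.I)


def _norm(path):
    """Lower-case and normalise a Windows path so comparisons ignore case."""
    return ntpath.normcase(ntpath.normpath(path.strip().strip('"')))


def _exe_path(cmd):
    """Pull the executable out of a Run value (quoted, or unquoted with spaces)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)\b", cmd, re.I)
    return m.group(1) if m else cmd


def _outside_system32(path):
    """True for a core process name whose full path is not under system32."""
    folder, name = ntpath.split(_norm(path))
    # A bare file name carries no folder, so it cannot be judged here.
    return bool(folder) and name in CORE_NAMES and folder != SYSTEM32


def triage(log_text):
    """Return (rule, detail) findings for a HijackThis log, in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = USERINIT_RE.match(line)
        if m:
            # The default value lists userinit.exe only; anything else is extra.
            for item in (p.strip() for p in m.group(1).split(",")):
                if item and _norm(item) != SYSTEM32 + r"\userinit.exe":
                    findings.append(("userinit-extra", item))
            continue
        m = BHO_RE.match(line)
        if m:
            if m.group("missing"):
                findings.append(("bho-file-missing", m.group("clsid")))
            continue
        m = RUN_RE.match(line)
        if m:
            target = _exe_path(m.group("cmd"))
        elif PROC_RE.match(line):
            target = line
        else:
            continue
        if _outside_system32(target):
            findings.append(("system-name-outside-system32", target))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:30} {detail}")
```
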

#3 Shawn Patrick


Posted 14 July 2007 - 08:11 AM

Thanks for your reply, reports are below.

SDFix Report:

SDFix: Version 1.91

Run by Administrator on Sat 07/14/2007 at 09:52 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix\SDFix

Safe Mode:
Checking Services:

Name:
runtime

ImagePath:
\??\C:\WINDOWS\System32\drivers\runtime.sys


Killing PID 152 'smss.exe'
Killing PID 228 'winlogon.exe'


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\system32\9_exception.nls - Deleted
C:\WINDOWS\system32\alog.txt - Deleted
C:\WINDOWS\system32\drivers\svchost.exe - Deleted
C:\WINDOWS\system32\help.txt - Deleted
C:\WINDOWS\system32\ntos.exe - Deleted
C:\WINDOWS\system32\ps.dat - Deleted
C:\WINDOWS\system32\qwesddddd.dll - Deleted
C:\WINDOWS\system32\wsnpoem\audio.dll - Deleted
C:\WINDOWS\system32\wsnpoem\video.dll - Deleted


Folder C:\WINDOWS\system32\wsnpoem - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\PVSW\\bin\\w3dbsmgr.exe"="C:\\PVSW\\bin\\w3dbsmgr.exe:*:Enabled:Database Service Manager"
"C:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe"="C:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe:*:Enabled:Dreamweaver MX"
"C:\\Program Files\\Hewlett-Packard\\HP Install Network Printer Wizard\\hpjsi.exe"="C:\\Program Files\\Hewlett-Packard\\HP Install Network Printer Wizard\\hpjsi.exe:*:Enabled:HP Jetdirect Wireless Setup Wizard"
"C:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe"="C:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe:*:Enabled:BearShare"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\AOL\\Active Virus Shield\\avp.exe"="C:\\Program Files\\AOL\\Active Virus Shield\\avp.exe:*:Enabled:Active Virus Shield"
"C:\\Documents and Settings\\Terrell Patrick\\Local Settings\\Temp\\yxpqsb.exe"="C:\\Documents and Settings\\Terrell Patrick\\Local Settings\\Temp\\yxpqsb.exe:*:Disabled:yxpqsb"
"c:\\bsbm.exe"="c:\\bsbm.exe:*:Enabled:Enabled"
"C:\\WINDOWS\\system32\\drivers\\svchost.exe"="C:\\WINDOWS\\system32\\drivers\\svchost.exe:*:Disabled:svchost"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

Backups Folder: - C:\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\admin\include\wysiwyg\addons\imagelibrary\images\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\admin\include\wysiwyg\addons\imagelibrary\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\admin\include\wysiwyg\docs\images\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\admin\include\wysiwyg\docs\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\admin\include\wysiwyg\images\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\admin\include\wysiwyg\popups\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\admin\include\wysiwyg\scripts\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\admin\include\wysiwyg\styles\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\admin\include\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\admin\members\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\admin\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\helpdesk\admin\agent\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\helpdesk\admin\cate\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\helpdesk\admin\draft\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\helpdesk\admin\images\file_types\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\helpdesk\admin\images\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\helpdesk\admin\img\Tree\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\helpdesk\admin\img\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\helpdesk\admin\issue\_fmanage\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\helpdesk\admin\issue\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\helpdesk\admin\issue\_relations\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\helpdesk\admin\main\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\helpdesk\admin\tool\advanced\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\helpdesk\admin\tool\comments\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\helpdesk\admin\tool\contact\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\helpdesk\admin\tool\Designer\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\helpdesk\admin\tool\glossary\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\helpdesk\admin\tool\logs\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\helpdesk\admin\tool\POP\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\helpdesk\admin\tool\QucikFAQ\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\helpdesk\admin\tool\security\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\helpdesk\admin\tool\settings\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\helpdesk\admin\tool\templates\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\helpdesk\admin\tool\todo\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\helpdesk\admin\tool\upload\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\helpdesk\admin\tool\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\helpdesk\admin\WYSIWYG\Editor\images\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\helpdesk\admin\WYSIWYG\Editor\lang\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\helpdesk\admin\WYSIWYG\Editor\popups\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\helpdesk\admin\WYSIWYG\Editor\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\helpdesk\admin\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\helpdesk\export\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\helpdesk\export_public\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\helpdesk\img\index\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\helpdesk\img\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\helpdesk\panel\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\helpdesk\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\images\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\include\calendar\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\include\help\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\include\main_menu.files\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\include\ScriptLibrary\localization\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\include\ScriptLibrary\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\include\wysiwyg\addons\imagelibrary\images\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\include\wysiwyg\addons\imagelibrary\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\include\wysiwyg\docs\images\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\include\wysiwyg\docs\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\include\wysiwyg\images\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\include\wysiwyg\popups\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\include\wysiwyg\scripts\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\include\wysiwyg\styles\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\include\wysiwyg\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\include\wysiwyg_orig\icons\Thumbs.db
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\include\wysiwyg_orig\icons\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\include\wysiwyg_orig\popups\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\include\wysiwyg_orig\styles\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\include\wysiwyg_orig\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\include\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\myaccount\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\mybilling\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\mylistings\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\myquestions\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\myreports\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\myshowings\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\mytemplates\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\register\include\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\register\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\setupwizard\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\SpryAssets\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\support\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\test\detectSIP\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\test\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\web\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\My.2GetFeedback.com\_mmServerScripts\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\Bin\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\ScriptLibrary\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\SpryAssets\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\Templates\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\Bin\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\helpdesk\admin\agent\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\helpdesk\admin\cate\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\helpdesk\admin\draft\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\helpdesk\admin\images\file_types\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\helpdesk\admin\images\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\helpdesk\admin\img\Tree\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\helpdesk\admin\img\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\helpdesk\admin\issue\_fmanage\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\helpdesk\admin\issue\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\helpdesk\admin\issue\_relations\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\helpdesk\admin\main\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\helpdesk\admin\tool\advanced\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\helpdesk\admin\tool\comments\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\helpdesk\admin\tool\contact\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\helpdesk\admin\tool\Designer\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\helpdesk\admin\tool\glossary\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\helpdesk\admin\tool\logs\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\helpdesk\admin\tool\POP\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\helpdesk\admin\tool\QucikFAQ\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\helpdesk\admin\tool\security\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\helpdesk\admin\tool\settings\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\helpdesk\admin\tool\templates\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\helpdesk\admin\tool\todo\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\helpdesk\admin\tool\upload\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\helpdesk\admin\tool\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\helpdesk\admin\WYSIWYG\Editor\images\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\helpdesk\admin\WYSIWYG\Editor\lang\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\helpdesk\admin\WYSIWYG\Editor\popups\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\helpdesk\admin\WYSIWYG\Editor\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\helpdesk\admin\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\helpdesk\DB\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\helpdesk\export\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\helpdesk\export_public\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\helpdesk\img\index\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\helpdesk\img\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\helpdesk\panel\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\helpdesk\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\images\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\include\calendar\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\include\home_tabs.files\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\include\main_menu.files\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\include\popup\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\include\top_menu.files\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\include\wysiwyg\addons\imagelibrary\images\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\include\wysiwyg\addons\imagelibrary\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\include\wysiwyg\docs\images\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\include\wysiwyg\docs\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\include\wysiwyg\images\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\include\wysiwyg\popups\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\include\wysiwyg\scripts\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\include\wysiwyg\styles\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\include\wysiwyg\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\include\xml\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\include\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\myaccount\edit_profile.files\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\myaccount\images_tabs.files\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\myaccount\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\mylistings\details_tabs.files\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\mylistings\view_tabs.files\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\mylistings\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\myshowings\details_tabs.files\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\myshowings\view_tabs.files\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\myshowings\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\setup\myquestions_tabs.files\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\setup\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\setupwizard\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\Templates\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\en\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\ScriptLibrary\localization\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\ScriptLibrary\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\SpryAssets\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\widgets\accordion\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\widgets\autosuggest\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\widgets\checkboxvalidation\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\widgets\collapsiblepanel\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\widgets\menubar\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\widgets\radiovalidation\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\widgets\selectvalidation\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\widgets\slidingpanels\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\widgets\tabbedpanels\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\widgets\textareavalidation\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\widgets\textfieldvalidation\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\web\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\_mmServerScripts\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\My Documents\WebSites\NEW_My.2GetFeedback.com\_notes\dwsync.xml
C:\Documents and Settings\Terrell Patrick\NetHood\2getsold.com\Desktop.ini
C:\Documents and Settings\Terrell Patrick\NetHood\mycommunityrealtor.com\Desktop.ini
C:\Documents and Settings\Terrell Patrick\Application Data\Microsoft\Word\~WRL0002.tmp

Finished


ComboFix Report:
"Terrell Patrick" - 2007-07-14 10:04:30 - ComboFix 07-07-14.6 - Service Pack 2 NTFS


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\TERREL~1.\svchost.exe
C:\tempb9
C:\tempb9\tmpTF.log
C:\temp\iee
C:\temp\iee\tmpZTF.log
C:\WINDOWS\DOWNLO~1.\MyWebEx
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\atarm.dll
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\atas32.dll
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\atasanot.exe
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\atasctrl.dll
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\atasnt40.dll
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\atcarmcl.dll
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\atdl2006.dll
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\atjpeg60.dll
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\atkbctl.dll
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\atlchat.dll
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\atmemmgr.dll
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\atnetext.dll
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\atpack.dll
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\atres.dll
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\attp.dll
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\atwbxui5.dll
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\ieatgpc.dll
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\mwm.ini
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\mwmcliun.exe
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\mwmie.dll
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\mwmim.dll
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\mwmoi.dll
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\mwmpad.exe
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\mwmproxy.dll
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\mwmres.dll
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\mwmres1.dll
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\mwmtrace.txt
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\mwmupd.exe
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\ratrace.dll
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\raurl.dll
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\uilibres.dll
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\wbxcrypt.dll
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\webexmgr.dll
C:\WINDOWS\system32\drivers\svchost.exe
C:\WINDOWS\system32\o02PrEz
C:\WINDOWS\system32\reginib_redux.exe
C:\WINDOWS\system32\S0
C:\WINDOWS\system32\S1
C:\WINDOWS\system32\S4
C:\WINDOWS\system32\S6
C:\WINDOWS\system32\S7
C:\WINDOWS\system32\win
C:\WINDOWS\system32\winnb58.dll
C:\WINDOWS\system32\xcvbbnnm.dll


((((((((((((((((((((((((( Files Created from 2007-06-14 to 2007-07-14 )))))))))))))))))))))))))))))))


2007-07-14 10:04 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-14 10:03 81,920 --a------ C:\WINDOWS\system32\winntify.exe
2007-07-14 09:51 <DIR> d-------- C:\WINDOWS\ERUNT
2007-07-13 02:46 <DIR> d-------- C:\HJT
2007-07-13 02:30 <DIR> d-------- C:\Program Files\EMS
2007-07-05 12:22 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-07-05 12:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-07-04 01:36 83,208 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-07-04 01:36 73,624 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-07-04 01:36 <DIR> d-------- C:\Program Files\Symantec_Client_Security
2007-07-04 01:36 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-07-02 23:54 60,928 --a------ C:\bsbm.exe
2007-06-28 22:46 <DIR> d-------- C:\Downloads
2007-06-28 22:46 <DIR> d-------- C:\DOCUME~1\TERREL~1\APPLIC~1\GetRightToGo
2007-06-21 21:13 77,312 --a------ C:\WINDOWS\ua2.dll
2007-06-21 08:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Cingular
2007-06-19 11:19 <DIR> d-------- C:\Program Files\Advanced DHTML Popup Pro V2
2007-06-19 10:56 <DIR> d-------- C:\Program Files\Advanced DHTML Popup Pro
2007-06-19 00:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-06-19 00:41 <DIR> d-------- C:\Program Files\Bonjour
2007-06-19 00:34 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-06-18 16:50 <DIR> d-------- C:\Temp


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-12 15:02:06 -------- d-----w C:\Program Files\WhosOnV3
2007-07-10 16:07:41 5,193 ----a-w C:\WINDOWS\mozver.dat
2007-07-04 05:36:22 -------- d-----w C:\Program Files\Symantec
2007-06-21 13:28:06 -------- d-----w C:\Program Files\Online Services
2007-06-21 12:48:33 -------- d-----w C:\Program Files\Common Files\Pervasive Software Shared
2007-06-21 12:46:40 -------- d-----w C:\Program Files\Maximizer
2007-06-19 15:19:28 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-06-13 00:34:40 -------- d-----w C:\DOCUME~1\TERREL~1\APPLIC~1\Microsoft Corporation
2007-06-12 23:28:57 -------- d-----w C:\Program Files\Microsoft ASP.NET Web Matrix
2007-06-09 19:23:33 -------- d-----w C:\Program Files\Microsoft Visual Studio 8
2007-06-05 05:39:52 -------- d-----w C:\Program Files\Deluxe Menus
2007-05-20 14:08:10 -------- d-----w C:\Program Files\Icon to Any
2007-02-08 03:58:01 190 ----a-w C:\Program Files\Common Files\psasetup.log


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-12-18 05:16 59032 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{07D5AD61-4377-41FF-B95A-A85585D0B577}]
C:\Program Files\ComPlus Applications\hokerof43855.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39BE2139-20B6-4E17-91D5-7C2A8827CD54}]
C:\Program Files\ComPlus Applications\hokerof58441.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
2006-12-18 05:18 231160 --a------ C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B45FC20D-6906-4E72-AA59-392CC61FDAA9}]
C:\WINDOWS\system32\reginix86b.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2003-06-25 02:32 C:\WINDOWS\system32\nwiz.exe]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 20:52]
"NWEReboot"="" []
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-04-26 01:18]

*Newly Created Service* - BITS

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-14 10:06:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-14 10:07:11
C:\ComboFix-quarantined-files.txt ... 2007-07-14 10:07

--- E O F ---


HJT Report:
Logfile of HijackThis v1.99.1
Scan saved at 10:10:24 AM, on 7/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Documents and Settings\Terrell Patrick\svchost.exe
C:\Program Files\palmOne\Hotsync.exe
C:\WINDOWS\system32\winntify.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {07D5AD61-4377-41FF-B95A-A85585D0B577} - C:\Program Files\ComPlus Applications\hokerof43855.dll (file missing)
O2 - BHO: (no name) - {39BE2139-20B6-4E17-91D5-7C2A8827CD54} - C:\Program Files\ComPlus Applications\hokerof58441.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B45FC20D-6906-4E72-AA59-392CC61FDAA9} - C:\WINDOWS\system32\reginix86b.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Start WebEx MeetMeNow - {F5AD6CC5-776C-4DBB-B38F-F5404A3582F3} - C:\WINDOWS\DOWNLO~1\MyWebEx\419\mwmie.dll (file missing)
O9 - Extra 'Tools' menuitem: Start WebEx MeetMeNow - {F5AD6CC5-776C-4DBB-B38F-F5404A3582F3} - C:\WINDOWS\DOWNLO~1\MyWebEx\419\mwmie.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - https://www.topprodu...ds/msjavx86.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6845694A-DA34-4FD0-A051-7B6F727113A3}: NameServer = 208.67.222.222,208.67.220.220,205.152.37.23,69.44.111.2,205.152.144.23,69.45.6.3
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

#4 Shawn Patrick

Posted 14 July 2007 - 08:05 PM

OK, ran the reports and posted the results. I now have a new system tray icon that gives me a warning about possible malware infection. I await your response to help resolve this issue. Thanks, Shawn

#5 silver

    Malware Expert Emeritus

Posted 14 July 2007 - 08:43 PM

Hi Shawn Patrick,

Yes, we'll begin removal of the fake alert in this post.

Then, open HijackThis, choose Do a system scan only and place a checkmark next to the following lines (if present):

O2 - BHO: (no name) - {07D5AD61-4377-41FF-B95A-A85585D0B577} - C:\Program Files\ComPlus Applications\hokerof43855.dll (file missing)
O2 - BHO: (no name) - {39BE2139-20B6-4E17-91D5-7C2A8827CD54} - C:\Program Files\ComPlus Applications\hokerof58441.dll (file missing)
O2 - BHO: (no name) - {B45FC20D-6906-4E72-AA59-392CC61FDAA9} - C:\WINDOWS\system32\reginix86b.dll (file missing)
O9 - Extra button: Start WebEx MeetMeNow - {F5AD6CC5-776C-4DBB-B38F-F5404A3582F3} - C:\WINDOWS\DOWNLO~1\MyWebEx\419\mwmie.dll (file missing)
O9 - Extra 'Tools' menuitem: Start WebEx MeetMeNow - {F5AD6CC5-776C-4DBB-B38F-F5404A3582F3} - C:\WINDOWS\DOWNLO~1\MyWebEx\419\mwmie.dll (file missing)
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - https://www.topprodu...ds/msjavx86.exe


Then close all open windows apart from HijackThis, press Fix checked, OK the prompt and close HijackThis.

Next run ComboFix once more:
  • Check that combofix.exe is on your Desktop
  • Then open Notepad: press Start->Run, type notepad and click OK
  • Copy/paste the contents of the below code box into Notepad:
    File::
    C:\Documents and Settings\Terrell Patrick\svchost.exe
    C:\bsbm.exe
  • Save this as CFScript.txt and change the Save as type to All Files and save it to your Desktop.

    Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
Note: Do not click ComboFix's window while it's running - it may cause it to stall!

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free...mitfraudFix.exe

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns, so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed.

IMPORTANT: Do NOT run any other options until you are asked to do so!

If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C: ), and launch from there.

Note: process.exe is detected by some antivirus programs as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. Further info is available here.

Once complete, please post the new ComboFix log, the Smitfraudfix log and a new HijackThis log.
ASAP & UNITE Member
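
One way to triage a HijackThis log for two patterns visible in this thread, as an added example that is not part of the original post or of any tool named here: a process that uses a Windows system binary name but runs outside system32, and registry entries marked "(file missing)". The function names, the `SYSTEM32_ONLY` list, the finding labels and the default `C:\WINDOWS` root are assumptions of the example, the sample lines are copied from the log above, and the check does not reproduce the helper's full selection (the O16 line is not covered).

```python
import ntpath
import re

# Windows binaries that normally run only from %SystemRoot%\system32
# (assumed list for this example; explorer.exe is excluded because it
# lives in %SystemRoot% itself).
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
                 "smss.exe", "csrss.exe", "spoolsv.exe"}

# HijackThis entry lines look like "O2 - BHO: ..." or "R1 - HKCU\...".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")
MISSING = "(file missing)"

# Sample input: a few lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Terrell Patrick\svchost.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {07D5AD61-4377-41FF-B95A-A85585D0B577} - C:\Program Files\ComPlus Applications\hokerof43855.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Start WebEx MeetMeNow - {F5AD6CC5-776C-4DBB-B38F-F5404A3582F3} - C:\WINDOWS\DOWNLO~1\MyWebEx\419\mwmie.dll (file missing)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
"""


def parse_hjt(log):
    """Split a HijackThis log into process paths and (code, body) entries."""
    processes, entries = [], []
    in_processes = False
    for raw in log.splitlines():
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if line == "Running processes:":
            in_processes = True
        elif match:
            # The first entry line also ends the process list, which covers
            # pasted logs that lost the separating blank line.
            in_processes = False
            entries.append((match.group("code"), match.group("body")))
        elif in_processes and line:
            processes.append(line)
        elif in_processes and processes:
            in_processes = False  # blank line after the list closes it
    return processes, entries


def triage(log, system_root=r"C:\WINDOWS"):
    """Return (reason, text) findings for the two patterns described above."""
    processes, entries = parse_hjt(log)
    system32 = ntpath.normcase(ntpath.join(system_root, "system32"))
    findings = []
    for path in processes:
        name = ntpath.basename(path).lower()
        folder = ntpath.normcase(ntpath.dirname(path))
        # Same file name as a system binary, different folder: review it.
        if name in SYSTEM32_ONLY and folder != system32:
            findings.append(("system-name-outside-system32", path))
    for code, body in entries:
        # HijackThis appends this marker when the registry entry points
        # at a file that is no longer on disk.
        if body.endswith(MISSING):
            findings.append(("orphaned-" + code, body))
    return findings


if __name__ == "__main__":
    for reason, text in triage(SAMPLE_LOG):
        print(f"{reason}: {text}")
```

A "(no name)" BHO alone is not flagged: the Spybot SDHelper.dll entry in the sample has no name and its file is present.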

#6 Shawn Patrick

Posted 15 July 2007 - 07:35 PM

Thanks for your help. Here are the reports as requested.

HJT Report:

Logfile of HijackThis v1.99.1
Scan saved at 9:31:38 PM, on 7/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\winntify.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\palmOne\Hotsync.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6845694A-DA34-4FD0-A051-7B6F727113A3}: NameServer = 208.67.222.222,208.67.220.220,205.152.37.23,69.44.111.2,205.152.144.23,69.45.6.3
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe



ComboFix Report:

"Terrell Patrick" - 2007-07-15 21:19:03 - ComboFix 07-07-14.6 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\Terrell Patrick\Desktop\CFScript.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\bsbm.exe


((((((((((((((((((((((((( Files Created from 2007-06-16 to 2007-07-16 )))))))))))))))))))))))))))))))


2007-07-14 22:16 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-07-14 10:04 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-14 10:03 81,920 --a------ C:\WINDOWS\system32\winntify.exe
2007-07-14 09:51 <DIR> d-------- C:\WINDOWS\ERUNT
2007-07-13 02:46 <DIR> d-------- C:\HJT
2007-07-13 02:30 <DIR> d-------- C:\Program Files\EMS
2007-07-05 12:22 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-07-05 12:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-07-04 01:36 83,208 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-07-04 01:36 73,624 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-07-04 01:36 <DIR> d-------- C:\Program Files\Symantec_Client_Security
2007-07-04 01:36 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-06-28 22:46 <DIR> d-------- C:\Downloads
2007-06-28 22:46 <DIR> d-------- C:\DOCUME~1\TERREL~1\APPLIC~1\GetRightToGo
2007-06-21 21:13 77,312 --a------ C:\WINDOWS\ua2.dll
2007-06-21 08:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Cingular
2007-06-19 11:19 <DIR> d-------- C:\Program Files\Advanced DHTML Popup Pro V2
2007-06-19 10:56 <DIR> d-------- C:\Program Files\Advanced DHTML Popup Pro
2007-06-19 00:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-06-19 00:41 <DIR> d-------- C:\Program Files\Bonjour
2007-06-19 00:34 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-06-18 16:50 <DIR> d-------- C:\Temp


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-12 15:02:06 -------- d-----w C:\Program Files\WhosOnV3
2007-07-10 16:07:41 5,193 ----a-w C:\WINDOWS\mozver.dat
2007-07-04 05:36:22 -------- d-----w C:\Program Files\Symantec
2007-06-21 13:28:06 -------- d-----w C:\Program Files\Online Services
2007-06-21 12:48:33 -------- d-----w C:\Program Files\Common Files\Pervasive Software Shared
2007-06-21 12:46:40 -------- d-----w C:\Program Files\Maximizer
2007-06-19 15:19:28 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-06-13 00:34:40 -------- d-----w C:\DOCUME~1\TERREL~1\APPLIC~1\Microsoft Corporation
2007-06-12 23:28:57 -------- d-----w C:\Program Files\Microsoft ASP.NET Web Matrix
2007-06-09 19:23:33 -------- d-----w C:\Program Files\Microsoft Visual Studio 8
2007-06-05 05:39:52 -------- d-----w C:\Program Files\Deluxe Menus
2007-05-20 14:08:10 -------- d-----w C:\Program Files\Icon to Any
2007-02-08 03:58:01 190 ----a-w C:\Program Files\Common Files\psasetup.log


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-12-18 05:16 59032 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
2006-12-18 05:18 231160 --a------ C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2003-06-25 02:32 C:\WINDOWS\system32\nwiz.exe]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 20:52]
"NWEReboot"="" []
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-04-26 01:18]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 08:29]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]


**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-15 21:24:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-15 21:25:15
C:\ComboFix-quarantined-files.txt ... 2007-07-15 21:25
C:\ComboFix2.txt ... 2007-07-14 10:07

--- E O F ---



SmitfraudFix Report:

SmitFraudFix v2.204

Scan done at 21:28:46.90, Sun 07/15/2007
Run from C:\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\winntify.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\palmOne\Hotsync.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\winntify.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Terrell Patrick


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Terrell Patrick\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\TERREL~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 208.67.222.222
DNS Server Search Order: 208.67.220.220
DNS Server Search Order: 205.152.37.23
DNS Server Search Order: 69.44.111.2
DNS Server Search Order: 205.152.144.23
DNS Server Search Order: 69.45.6.3

Description: Broadcom 802.11b/g WLAN - Packet Scheduler Miniport
DNS Server Search Order: 24.158.96.130
DNS Server Search Order: 24.158.96.131

HKLM\SYSTEM\CCS\Services\Tcpip\..\{6845694A-DA34-4FD0-A051-7B6F727113A3}: NameServer=208.67.222.222,208.67.220.220,205.152.37.23,69.44.111.2,205.152.144.2
,69.45.6.3
HKLM\SYSTEM\CCS\Services\Tcpip\..\{DB733470-93EB-4C4C-B434-C3472112B03A}: DhcpNameServer=24.158.96.130 24.158.96.131
HKLM\SYSTEM\CS1\Services\Tcpip\..\{6845694A-DA34-4FD0-A051-7B6F727113A3}: NameServer=208.67.222.222,208.67.220.220,205.152.37.23,69.44.111.2,205.152.144.2
,69.45.6.3
HKLM\SYSTEM\CS1\Services\Tcpip\..\{DB733470-93EB-4C4C-B434-C3472112B03A}: DhcpNameServer=24.158.96.130 24.158.96.131
HKLM\SYSTEM\CS2\Services\Tcpip\..\{6845694A-DA34-4FD0-A051-7B6F727113A3}: NameServer=208.67.222.222,208.67.220.220,205.152.37.23,69.44.111.2,205.152.144.2
,69.45.6.3
HKLM\SYSTEM\CS2\Services\Tcpip\..\{DB733470-93EB-4C4C-B434-C3472112B03A}: DhcpNameServer=24.158.96.130 24.158.96.131
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.158.96.130 24.158.96.131
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.158.96.130 24.158.96.131
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=24.158.96.130 24.158.96.131


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End



Thanks,
Shawn

#7 Shawn Patrick

Posted 15 July 2007 - 08:10 PM

Just as a reminder, I still have this mysterious system tray icon that keeps informing me of a possible malware infection. Any ideas, or is this supposed to be there? Thanks, Shawn

#8 silver

    Malware Expert Emeritus

Posted 15 July 2007 - 11:50 PM

Hi Shawn Patrick,

Yes, don't worry, the fake alert will hopefully be gone after you complete the instructions in this post:

First, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

Once complete, please post the new Smitfraudfix log and another HijackThis log.

#9 Shawn Patrick

Posted 16 July 2007 - 08:26 PM

SmitfraudFix Report:

SmitFraudFix v2.204

Scan done at 22:19:06.32, Mon 07/16/2007
Run from C:\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\winntify.exe Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS



»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End




HJT Report:

Logfile of HijackThis v1.99.1
Scan saved at 10:25:12 PM, on 7/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6845694A-DA34-4FD0-A051-7B6F727113A3}: NameServer = 208.67.222.222,208.67.220.220,205.152.37.23,69.44.111.2,205.152.144.23,69.45.6.3
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


Thanks,
Shawn

#10 silver

silver

    Malware Expert Emeritus

  • Authentic Member
  • 2,994 posts

Posted 17 July 2007 - 04:35 AM

Hi Shawn Patrick,

Backup Your Registry with ERUNT:
  • Download erunt.zip to your Desktop from here:
    http://aumha.org/downloads/erunt.zip
  • Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
  • Inside the new folder, double-click ERUNT.exe to start the program
  • OK all the prompts to back up your registry to the default location.
Note: to restore your registry, go to the backup folder and start ERDNT.exe

Then, open Notepad (press Start->Run, enter notepad and press OK)
Copy everything inside the code box below (Starting with REGEDIT4) and paste it into a new notepad file.
Change the Save As Type to All Files and save it as fix.reg to your Desktop.

Note: Please copy and paste all the text at once, and check that there is NO blank line above REGEDIT4 and one blank line at the bottom.
REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Documents and Settings\\Terrell Patrick\\Local Settings\\Temp\\yxpqsb.exe"=-
"c:\\bsbm.exe"=-
"C:\\WINDOWS\\system32\\drivers\\svchost.exe"=-
Locate fix.reg on your Desktop, if you did it right it should look like this: [image]
Double-click it, when it asks if you want to merge with the registry, click Yes.

Next, download Dr.WEB CureIt to your desktop from here:
ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe
  • Double-click cureit.exe to start the program.
  • Press Start and then OK to start the Express scan
  • The Express scan takes just a few moments to finish, if something is found, click Yes to cure it
  • Once the short scan has finished, Click Options->Change settings
  • Choose the Scan tab and remove the check mark from Heuristic analysis
  • Choose the Actions tab and next to Infected objects select Move, then press OK to close the settings box.
  • Select all hard drives to be scanned by clicking on them - choose all drives - a red dot confirms they will be scanned
  • Click the green arrow on the right to start the scan
  • Click Yes to all if it asks if you want to move a file
  • Click File-> Save report list and save the report to your desktop
  • Close Dr.Web Cureit and reboot your computer (this is important as files may be moved/deleted during reboot)
Once complete, please post the Dr Web CureIt log and a new HijackThis log. Also let me know how your computer is running.
ASAP & UNITE Member
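
The fix.reg in the post above removes three entries from the Windows Firewall authorized-applications list. As an added example (not part of the original post), this Python sketch audits an exported copy of that key for the three path patterns those entries show; the value data, the two benign entries and the SYSTEM_NAMES list are constructed assumptions.

```python
import ntpath
import re

# Constructed sample export of the firewall AuthorizedApplications\List key.
# The last three paths are the ones fix.reg deletes; everything else is made up.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:Remote Assistance"
"C:\\Documents and Settings\\Terrell Patrick\\Local Settings\\Temp\\yxpqsb.exe"="C:\\Documents and Settings\\Terrell Patrick\\Local Settings\\Temp\\yxpqsb.exe:*:Enabled:yxpqsb"
"c:\\bsbm.exe"="c:\\bsbm.exe:*:Enabled:bsbm"
"C:\\WINDOWS\\system32\\drivers\\svchost.exe"="C:\\WINDOWS\\system32\\drivers\\svchost.exe:*:Enabled:svchost"
'''

# Assumption: a short illustrative list of binaries that belong only in system32.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "csrss.exe", "smss.exe"}
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=')
SYSTEM32_RE = re.compile(r"(%windir%|%systemroot%|[a-z]:\\windows)\\system32")

def entries(export_text):
    """Yield each value name (the exempted program path) with .reg escaping undone."""
    for line in export_text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            yield re.sub(r"\\(.)", r"\1", m.group(1))

def reasons(path):
    """Return the reasons a firewall-exempted path deserves a closer look."""
    p = path.lower()
    folder, name = ntpath.split(p)
    found = []
    if "\\temp\\" in p or "\\temporary internet files\\" in p:
        found.append("runs from a temp directory")
    if re.fullmatch(r"[a-z]:\\?", folder):
        found.append("sits in the drive root")
    if name in SYSTEM_NAMES and not SYSTEM32_RE.fullmatch(folder):
        found.append("system binary name outside system32")
    return found

def audit(export_text):
    """Map each suspicious exempted path to its reasons; clean entries are omitted."""
    return {p: why for p in entries(export_text) if (why := reasons(p))}

if __name__ == "__main__":
    for path, why in audit(SAMPLE_EXPORT).items():
        print(f"{path}: {', '.join(why)}")
```

A flagged path is only a lead for review, since legitimate installers occasionally run from Temp as well.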

#11 Shawn Patrick

Shawn Patrick

    New Member

  • New Member
  • 7 posts

Posted 18 July 2007 - 09:38 PM

CureIt Log:

bsbm.exe.vir;C:\QooBox\Quarantine\C;Trojan.MulDrop.7395;Moved.;
xcvbbnnm.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.PWS.Banker.9470;Moved.;
Process.exe;C:\SDFix\SDFix\apps;Tool.Prockill;;
Process.exe;C:\SmitfraudFix;Tool.Prockill;;
restart.exe;C:\SmitfraudFix;Tool.ShutDown.11;;
A0034246.dll;C:\System Volume Information\_restore{DD2FEA28-55F9-43AC-A0FC-610CA4C20E53}\RP436;Trojan.PWS.Banker.9470;Moved.;
A0034254.dll;C:\System Volume Information\_restore{DD2FEA28-55F9-43AC-A0FC-610CA4C20E53}\RP436;Trojan.PWS.Banker.9470;Moved.;
A0034291.dll;C:\System Volume Information\_restore{DD2FEA28-55F9-43AC-A0FC-610CA4C20E53}\RP436;Trojan.PWS.Banker.9470;Moved.;
A0035431.exe;C:\System Volume Information\_restore{DD2FEA28-55F9-43AC-A0FC-610CA4C20E53}\RP438;Trojan.MulDrop.7395;Moved.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;;


HJT Report:

Logfile of HijackThis v1.99.1
Scan saved at 11:34:54 PM, on 7/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\palmOne\Hotsync.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6845694A-DA34-4FD0-A051-7B6F727113A3}: NameServer = 208.67.222.222,208.67.220.220,205.152.37.23,69.44.111.2,205.152.144.23,69.45.6.3
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


Computer is running better but I am currently with the family on vacation. So I am not using the computer as normal as I do back home (14+ hours a day), so it's hard to tell right now. So far so good. Your hard work is greatly appreciated.

Thanks,
Shawn

#12 silver

silver

    Malware Expert Emeritus

  • Authentic Member
  • 2,994 posts

Posted 18 July 2007 - 10:07 PM

Hi Shawn Patrick,

The logs look good so I think your machine is clean :)
If now or on return from holiday you still have concerns or symptoms please let us know and we'll reopen the thread and do further checks.

Please clean up the tools we've used:

You can now delete these files/folders from your Desktop:
ComboFix.exe, cureit.exe, Fix.reg, SDFix.exe, SmitfraudFix.exe and the SmitfraudFix desktop folder

You can also delete these folders:
C:\QooBox
C:\Documents and Settings\username\DoctorWeb\Quarantine
C:\SDFix
C:\SmitfraudFix

Create a new, clean System Restore point which you can use in case of future system problems:
Press Start->All Programs->Accessories->System Tools->System Restore
Select Create a restore point, then Next, type a name like All Clean then press the Create button and once it's done press Close

Now remove old, infected System Restore points:
Next click Start->Run and type cleanmgr in the box and press OK
Ensure the boxes for Temporary Files and Temporary Internet Files are checked, you can choose to check other boxes if you wish but they are not required.
Select the More Options tab, under System Restore press Clean up... and say Yes to the prompt
Press OK and Yes to confirm

Here are some tips to help you keep your computer clean:

Operating system vulnerabilities can easily be exploited by malware so please ensure your operating system is automatically kept up to date by using Windows Update:
Go to Start->Control Panel->Automatic Updates
Select Automatic and select a suitable schedule
Also, check that your antivirus and antispyware programs are set to automatically update daily.

You now have AVG Antispyware installed which is an excellent program, however its real-time protection functionality is not free. I recommend you consider purchasing the full version of the program, but if you choose not to, you should install another antispyware program with real-time protection - there are several free programs available with this capability, one I can recommend is Windows Defender, available here:
http://www.microsoft...re/default.mspx

You should consider installing a Personal Firewall program. Even if you are behind a NAT router, I recommend you use firewall software as it will improve the security of your computer by monitoring and controlling outbound connections to the internet as well as inbound. There are various free packages available, such as Sunbelt Personal Firewall and Zone Alarm:
http://www.sunbelt-s...sonal-Firewall/
http://www.zonelabs.com/

Consider a custom hosts file such as MVPS HOSTS. This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
For information on how to download and install, please read this tutorial by WinHelp2002
Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.

Please take care when downloading programs. One of the easiest ways to be infected is to download freeware/shareware programs which come laden with malware. Before downloading, it is crucial to check whether the source is reputable.
One way to check is to use McAfee SiteAdvisor. Copy the domain name into the space provided and SiteAdvisor will give you a report on the website which can help you decide if it is safe. They also have a toolbar for IE and Firefox which adds this functionality to your browser.

Find out more about how to prevent infection in the future
http://forum.malware...pic.php?p=33687

Please post back to let me know that you have read this, and if there are any further issues.
ASAP & UNITE Member

#13 silver

silver

    Malware Expert Emeritus

  • Authentic Member
  • 2,994 posts

Posted 26 July 2007 - 09:20 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php
ASAP & UNITE Member
