Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 91844 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Resolved] Sprycrusher is just the symptom


  • This topic is locked This topic is locked
19 replies to this topic

#1 Jcatsmom

Jcatsmom

    Authentic Member

  • Authentic Member
  • PipPip
  • 154 posts

Posted 14 April 2008 - 02:29 PM

:smack: The computer I'm working on is trying to get us to download Spycrusher. It's just the symptom of the computer having been run with outdated McAfee definitions and no anti-spyware. I ran ATF cleaner, Hijack This and then Smitfraud Fix. Smitfraudfix indicates a DNS hijack among other problems. Please help. The computer has Windows XP SP2. I don't know if updates have been downloaded and installed because I'm not letting this baby get on line. Thank you!- Jcatsmom

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:07:50 PM, on 4/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Zune\ZuneNss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\AOL\1171159395\ee\AOLSoftware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\SSMARQUE.SCR
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1171159395\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [SpyCrush 3.3] "C:\Program Files\SC\SpyCrush 3.3\SpyCrush 3.3.exe" /h
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) -
http://www112.coolsavings.com/download/cscmv5X.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{17725E72-CFF8-41B5-99AA-4323B39C8802}: NameServer = 85.255.114.4,85.255.112.137
O17 - HKLM\System\CCS\Services\Tcpip\..\{390A892E-DE5E-48B3-ACCB-4040DE9CF7CB}: NameServer = 85.255.114.4,85.255.112.137
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.4 85.255.112.137
O17 - HKLM\System\CS1\Services\Tcpip\..\{17725E72-CFF8-41B5-99AA-4323B39C8802}: NameServer = 85.255.114.4,85.255.112.137
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.4 85.255.112.137
O22 - SharedTaskScheduler: crawley - {8bbe40fd-0416-4c3f-80ea-0c7ad5fb1aab} - C:\WINDOWS\system32\igpfced.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


--
End of file - 9760 bytes




SmitFraudFix v2.312


Scan done at 21:45:30.54, Sun 04/13/2008
Run from C:\Documents and Settings\Leah Talley\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Zune\ZuneNss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\AOL\1171159395\ee\AOLSoftware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\SSMARQUE.SCR
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\CSCRIPT.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe

╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ hosts


╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ C:\


╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ C:\WINDOWS


╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ C:\WINDOWS\system


╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ C:\WINDOWS\Web


╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ C:\WINDOWS\system32


╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ C:\WINDOWS\system32\LogFiles


╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ C:\Documents and Settings\Leah Talley


╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ C:\Documents and Settings\Leah Talley\Application Data


╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ Start Menu

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ C:\DOCUME~1\LEAHTA~1\FAVORI~1


╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ Desktop

C:\DOCUME~1\ALLUSE~1\Desktop\Security Troubleshooting.url FOUND !

╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ C:\Program Files

C:\Program Files\Video ActiveX Access\ FOUND !

╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ Corrupted keys


╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8bbe40fd-0416-4c3f-80ea-0c7ad5fb1aab}"="crawley"

[HKEY_CLASSES_ROOT\CLSID\{8bbe40fd-0416-4c3f-80ea-0c7ad5fb1aab}\InProcServer32]
@="C:\WINDOWS\system32\igpfced.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8bbe40fd-0416-4c3f-80ea-0c7ad5fb1aab}\InProcServer32]
@="C:\WINDOWS\system32\igpfced.dll"



╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"="kdbgf.exe"

kdbgf.exe detected !


╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ Rustock



╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ DNS

Your computer may be victim of a DNS Hijack: 85.255.x.x detected !

Description: Intel® PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 85.255.114.4
DNS Server Search Order: 85.255.112.137

HKLM\SYSTEM\CCS\Services\Tcpip\..\{17725E72-CFF8-41B5-99AA-4323B39C8802}: NameServer=85.255.114.4,85.255.112.137
HKLM\SYSTEM\CCS\Services\Tcpip\..\{2810EB22-763D-4D0C-9450-64BBD1758685}: DhcpNameServer=85.255.114.4,85.255.112.137
HKLM\SYSTEM\CCS\Services\Tcpip\..\{390A892E-DE5E-48B3-ACCB-4040DE9CF7CB}: DhcpNameServer=85.255.114.4,85.255.112.137
HKLM\SYSTEM\CCS\Services\Tcpip\..\{390A892E-DE5E-48B3-ACCB-4040DE9CF7CB}: NameServer=85.255.114.4,85.255.112.137
HKLM\SYSTEM\CS1\Services\Tcpip\..\{17725E72-CFF8-41B5-99AA-4323B39C8802}: NameServer=85.255.114.4,85.255.112.137
HKLM\SYSTEM\CS1\Services\Tcpip\..\{2810EB22-763D-4D0C-9450-64BBD1758685}: DhcpNameServer=85.255.114.4,85.255.112.137
HKLM\SYSTEM\CS1\Services\Tcpip\..\{390A892E-DE5E-48B3-ACCB-4040DE9CF7CB}: DhcpNameServer=85.255.114.4,85.255.112.137
HKLM\SYSTEM\CS1\Services\Tcpip\..\{390A892E-DE5E-48B3-ACCB-4040DE9CF7CB}: NameServer=85.255.114.4,85.255.112.137
HKLM\SYSTEM\CS3\Services\Tcpip\..\{17725E72-CFF8-41B5-99AA-4323B39C8802}: NameServer=85.255.114.4,85.255.112.137
HKLM\SYSTEM\CS3\Services\Tcpip\..\{2810EB22-763D-4D0C-9450-64BBD1758685}: DhcpNameServer=85.255.114.4,85.255.112.137
HKLM\SYSTEM\CS3\Services\Tcpip\..\{390A892E-DE5E-48B3-ACCB-4040DE9CF7CB}: DhcpNameServer=85.255.114.4,85.255.112.137
HKLM\SYSTEM\CS3\Services\Tcpip\..\{390A892E-DE5E-48B3-ACCB-4040DE9CF7CB}: NameServer=85.255.114.4,85.255.112.137
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.114.4 85.255.112.137
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=85.255.114.4 85.255.112.137
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: NameServer=85.255.114.4 85.255.112.137


╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ Scanning for wininet.dll infection


╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ End

    Advertisements

Register to Remove


#2 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 14 April 2008 - 02:34 PM

Hi Have you got McAfee updated or is the programs subscription actually run out?
You too could train to help others- Join the Classroom

Posted Image


Posted Image

Posted Image

#3 Jcatsmom

Jcatsmom

    Authentic Member

  • Authentic Member
  • PipPip
  • 154 posts

Posted 14 April 2008 - 03:02 PM

Scotty- Thank you for the amazing response. The computer has Mcafee 2005 on it and expired in 2006. :smack: .- Jcatsmom

#4 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 14 April 2008 - 03:19 PM

Firstly then, we need to properly remove McAfee
Step 1
1. Click Start, Settings, Control Panel.
2. Click Add or Remove Programs.
3. Select the McAfee product.
4. Click Remove and follow the steps provided.

Step 2- Download and run MCPR.exe
1. Download the removal tool from:
http://download.mcaf...atches/MCPR.exe

2. Click Save and save the file to a folder on your computer.
3.Navigate to the folder where the file was saved.
4. Make sure all McAfee windows are closed.
5. Double-click MCPR.exe to run the removal tool.
6.Restart your computer after receiving the message CleanUp Successful.

Your McAfee product will not be fully removed until the system is restarted.


Then install this good free anti-virus.
Click Here

Finally, post a new HijackThis log so I can see it's done.
You too could train to help others- Join the Classroom

Posted Image


Posted Image

Posted Image

#5 Jcatsmom

Jcatsmom

    Authentic Member

  • Authentic Member
  • PipPip
  • 154 posts

Posted 14 April 2008 - 06:30 PM

Scotty- Here's the next HJT scan. You did not ask me to run AVG yet, so I have just done the McAfee removal and installation of AVG. I hope this was right.- Jcatsmom

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:28:16 PM, on 4/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Zune\ZuneNss.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Common Files\AOL\1171159395\ee\AOLSoftware.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\SC\SpyCrush 3.3\SpyCrush 3.3.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\DOCUME~1\LEAHTA~1\LOCALS~1\Temp\2008414191238_mcinfo.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\WINDOWS\system32\msiexec.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com...de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1171159395\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [SpyCrush 3.3] "C:\Program Files\SC\SpyCrush 3.3\SpyCrush 3.3.exe" /h
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\LEAHTA~1\LOCALS~1\Temp\2008414191238_mcinfo.exe /insfin
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://www112.coolsa...oad/cscmv5X.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com...obat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{17725E72-CFF8-41B5-99AA-4323B39C8802}: NameServer = 85.255.114.4,85.255.112.137
O17 - HKLM\System\CCS\Services\Tcpip\..\{390A892E-DE5E-48B3-ACCB-4040DE9CF7CB}: NameServer = 85.255.114.4,85.255.112.137
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.4 85.255.112.137
O17 - HKLM\System\CS1\Services\Tcpip\..\{17725E72-CFF8-41B5-99AA-4323B39C8802}: NameServer = 85.255.114.4,85.255.112.137
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.4 85.255.112.137
O22 - SharedTaskScheduler: crawley - {8bbe40fd-0416-4c3f-80ea-0c7ad5fb1aab} - C:\WINDOWS\system32\igpfced.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 10347 bytes

#6 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 15 April 2008 - 01:45 AM

Hi

Download and Run FixWarout
Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingc.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again.

Remove bad HijackThis entries
  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    O17 - HKLM\System\CCS\Services\Tcpip\..\{17725E72-CFF8-41B5-99AA-4323B39C8802}: NameServer = 85.255.114.4,85.255.112.137
    O17 - HKLM\System\CCS\Services\Tcpip\..\{390A892E-DE5E-48B3-ACCB-4040DE9CF7CB}: NameServer = 85.255.114.4,85.255.112.137
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.4 85.255.112.137
    O17 - HKLM\System\CS1\Services\Tcpip\..\{17725E72-CFF8-41B5-99AA-4323B39C8802}: NameServer = 85.255.114.4,85.255.112.137
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.4 85.255.112.137

  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.
Finally, please post the contents of the logfile C:\fixwareout\report.txt

Now lets check some settings on your system.
(2000/XP) Only
In the windows control panel. If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections. Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be avaiable on some systems
Next Go start run type cmd and hit OK
type
ipconfig /flushdns
then hit enter, type exit hit enter
(that space between g and / is needed)



Run Smitfraudfix
Open the SmitfraudFix folder again and double-click the Smitfraudfix icon (Windows NT Command Script)
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.



If you already have Combofix, please delete that copy and download it again as it's being updated regularly.

There is a tutorial on the basic use of Combofix here:
http://www.bleepingc...to-use-combofix


Please download Combofix from Bleeping Computer.

If you can't download it from there, please try these 2 alternative sites:

Forospyware
Geeks to Go

  • Save it to your Desktop.
  • Disconnect from the Internet, than disable your anti-virus and any real-time anti-spyware monitors that are running.
  • Click Start>Run copy/paste or type "%userprofile%\desktop\combofix.exe" /killall into the Run box and click OK.
  • When finished, it shall produce a log for you. Post that log in your next reply with a new HijackThis log.
1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.



In your next reply post:
Wareout log
Rapport.txt
ComboFix.txt
New HijackThis log taken after the above scan has run

You too could train to help others- Join the Classroom

Posted Image


Posted Image

Posted Image

#7 Jcatsmom

Jcatsmom

    Authentic Member

  • Authentic Member
  • PipPip
  • 154 posts

Posted 15 April 2008 - 04:03 PM

Hi, Scotty. I need help! I ran FixWarout and it has cleared the DNS problems per HJT scan. I flushed ipconfig. TCP/IP is configured to obtain DNS automatically. I ran Smifraudfix as directed and am attaching the log.

I hit my problem with Combofix. I was rushing to do the scans this morning and did not killall or stop AVG. The program ran, but gave me the message that file Documents and Settings\Nathan\Local Settings\temp\SQLite~1 is corrupt and unreadable. It says to run chdsk utility. I await your recommendation before running that.

Having realized that I forgot to do "%userprofile%\desktop\combofix.exe" /killall , I tried this step (entered without the quotation marks). After entering this in the Run box, I get the message Cannot find c:\ Documents. Help! Many thanks.- Jcatsmom

Username "Shannon Talley" - 04/15/2008 10:39:33 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.114.4 85.255.112.137" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{17725E72-CFF8-41B5-99AA-4323B39C8802}
"nameserver"="85.255.114.4,85.255.112.137" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{390A892E-DE5E-48B3-ACCB-4040DE9CF7CB}
"nameserver"="85.255.114.4,85.255.112.137" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{2810EB22-763D-4D0C-9450-64BBD1758685}
"DhcpNameServer"="85.255.114.4,85.255.112.137" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{390A892E-DE5E-48B3-ACCB-4040DE9CF7CB}
"DhcpNameServer"="85.255.114.4,85.255.112.137" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdbgf.exe"
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""
"IntelMeM"="C:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"MMTray"="\"C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mm_tray.exe\""
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"Dell Photo AIO Printer 922"="\"C:\\Program Files\\Dell Photo AIO Printer 922\\dlbtbmgr.exe\""
"DLBTCATS"="rundll32 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\DLBTtime.dll,_RunDLLEntry@16"
"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1171159395\\ee\\AOLSoftware.exe"
"mmtask"="\"C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mmtask.exe\""
"Zune Launcher"="\"C:\\Program Files\\Zune\\ZuneLauncher.exe\""
"SpyCrush 3.3"="\"C:\\Program Files\\SC\\SpyCrush 3.3\\SpyCrush 3.3.exe\" /h"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"dscactivate"="\"C:\\Program Files\\Dell Support Center\\gs_agent\\custom\\dsca.exe\""
"msci"="C:\\DOCUME~1\\LEAHTA~1\\LOCALS~1\\Temp\\2008414191238_mcinfo.exe /insfin"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="\"C:\\Program Files\\DellSupport\\DSAgnt.exe\" /startup"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

SmitFraudFix v2.314

Scan done at 11:19:02.25, Tue 04/15/2008
Run from C:\Documents and Settings\Shannon Talley\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8bbe40fd-0416-4c3f-80ea-0c7ad5fb1aab}"="crawley"

[HKEY_CLASSES_ROOT\CLSID\{8bbe40fd-0416-4c3f-80ea-0c7ad5fb1aab}\InProcServer32]
@="C:\WINDOWS\system32\igpfced.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8bbe40fd-0416-4c3f-80ea-0c7ad5fb1aab}\InProcServer32]
@="C:\WINDOWS\system32\igpfced.dll"


╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ Killing process


╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ hosts

127.0.0.1 localhost

╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ Generic Renos Fix

GenericRenosFix by S!Ri


╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ Deleting infected files


╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ DNS



╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ Deleting Temp Files


╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="kdbgf.exe"

╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ Registry Cleaning

Registry Cleaning done.

╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ Reboot

C:\WINDOWS\system32\kdbgf.exe Deleted

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ End

ComboFix 08-04-14.2 - Shannon Talley 2008-04-15 11:26:45.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.98 [GMT -6:00]
Running from: C:\Documents and Settings\Shannon Talley\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\SystemDoctor Free
C:\Documents and Settings\All Users\Application Data\SystemDoctor Free\Data\Abbr
C:\Documents and Settings\All Users\Application Data\SystemDoctor Free\Data\ActivationCode
C:\Documents and Settings\All Users\Application Data\SystemDoctor Free\Data\HOURS
C:\Documents and Settings\All Users\Application Data\SystemDoctor Free\Data\ProductCode
C:\Documents and Settings\Nathan Garner\Application Data\SystemDoctor Free
C:\Documents and Settings\Nathan Garner\Application Data\SystemDoctor Free\Logs\update.log
C:\Documents and Settings\Nathan Garner\err.log
C:\Documents and Settings\Nathan Garner\Favorites\Online Security Test.url
C:\Documents and Settings\Nathan Garner\ResErrors.log
C:\Documents and Settings\Shannon Talley\Application Data\SystemDoctor Free
C:\Documents and Settings\Shannon Talley\Application Data\SystemDoctor Free\Logs\update.log
C:\Documents and Settings\Shannon Talley\err.log
C:\Documents and Settings\Shannon Talley\ResErrors.log
C:\Program Files\Common Files\SystemDoctor
C:\Program Files\Common Files\SystemDoctor\err.log
C:\Program Files\drantispy
C:\Program Files\sc\SpyCrush 3.3
C:\Program Files\sc\SpyCrush 3.3\blacklist.txt
C:\Program Files\sc\SpyCrush 3.3\Lang\English.ini
C:\Program Files\sc\SpyCrush 3.3\msvcp71.dll
C:\Program Files\sc\SpyCrush 3.3\msvcr71.dll
C:\Program Files\sc\SpyCrush 3.3\sc.dat
C:\Program Files\sc\SpyCrush 3.3\SpyCrush 3.3.exe
C:\Program Files\sc\SpyCrush 3.3\SpyCrush 3.3.url
C:\Program Files\sc\SpyCrush 3.3\uninst.exe
C:\Program Files\VirusLocker
C:\Program Files\VirusLocker\VirusLocker.exe
C:\WINDOWS\system32\bszip.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-15 to 2008-04-15 )))))))))))))))))))))))))))))))
.

2008-04-15 11:15 . 2005-03-06 14:11 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-04-15 11:15 . 2005-03-06 13:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-04-15 11:15 . 2008-04-15 11:15 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-15 11:09 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2008-04-15 11:09 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2008-04-15 11:09 . 2008-04-14 19:28 86,528 --a------ C:\WINDOWS\SYSTEM32\VACFix.exe
2008-04-15 11:09 . 2008-04-12 13:49 82,432 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe
2008-04-15 11:09 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2008-04-15 11:09 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2008-04-15 11:09 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2008-04-15 10:39 . 2008-04-15 10:45 <DIR> d-------- C:\fixwareout
2008-04-15 10:26 . 2008-04-15 10:32 <DIR> d-------- C:\Documents and Settings\Shannon Talley\Application Data\AVG7
2008-04-14 19:25 . 2008-04-14 19:27 <DIR> d-------- C:\Documents and Settings\Leah Talley\Application Data\AVG7
2008-04-14 19:24 . 2008-04-14 19:24 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-14 19:24 . 2008-04-14 19:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-14 19:24 . 2008-04-14 19:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-04-13 21:45 . 2008-04-15 11:19 4,508 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-04-13 21:07 . 2008-04-13 21:07 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-30 18:20 . 2008-03-30 21:05 <DIR> d-------- C:\ae2f743828b652f46ce646d64bfce1
2008-03-30 10:49 . 2008-03-30 10:49 <DIR> d-------- C:\Program Files\UbiSoft
2008-03-28 19:51 . 2008-04-04 21:42 54,156 --ah-c--- C:\WINDOWS\QTFont.qfn
2008-03-28 19:51 . 2008-03-28 19:51 1,409 --a--c--- C:\WINDOWS\QTFont.for
2008-03-28 00:33 . 2008-03-28 00:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-03-24 16:48 . 2008-03-24 16:48 98,352 --a--c--- C:\Documents and Settings\Nathan Garner\Application Data\GDIPFONTCACHEV1.DAT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-15 17:29 --------- d-----w C:\Program Files\SC
2008-04-15 17:24 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-08 02:53 --------- d-----w C:\Program Files\Dl_cats
2008-04-07 04:39 --------- d-----w C:\Program Files\LimeWire
2008-04-07 04:39 --------- d-----w C:\Program Files\Incomplete
2008-04-03 02:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-03 02:55 --------- d-----w C:\Program Files\THQ
2008-04-03 02:26 --------- d-----w C:\Program Files\The Learning Company
2008-04-03 02:24 --------- d-----w C:\Program Files\Scholastic
2008-03-30 16:47 --------- d-----w C:\Program Files\Pony Luv
2008-03-29 07:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
2008-03-28 06:33 --------- d-----w C:\Program Files\Common Files\AOL
2008-03-25 00:21 696 -c--a-w C:\Documents and Settings\Nathan Garner\Application Data\wklnhst.dat
2006-07-12 20:55 160 -c--a-w C:\Documents and Settings\Leah Talley\Application Data\wklnhst.dat
2005-03-22 02:53 0 -c--a-w C:\Documents and Settings\Shannon Talley\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-29 22:38 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-08-13 18:04 5562368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-05-06 15:52 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-05-06 15:48 118784]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 03:03 49263]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 20:12 221184]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 16:54 57344]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 01:01 110592]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-01-17 13:03 135168]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 01:05 127035]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-11-10 13:36 290816]
"DLBTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 15:41 69632]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-12-05 22:08 50688]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-22 08:54 155648]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 06:50 71216]
"HostManager"="C:\Program Files\Common Files\AOL\1171159395\ee\AOLSoftware.exe" [2007-10-08 15:50 41824]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2006-01-17 13:03 53248]
"Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe" [2006-10-31 14:34 20752]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-10-23 19:54 26112]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 15:45 278528]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 09:24 16384]
"msci"="C:\DOCUME~1\LEAHTA~1\LOCALS~1\Temp\2008414191238_mcinfo.exe" [2005-07-01 19:26 335872]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-14 19:24 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-08-13 18:04 5562368]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-14 19:24 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2005-03-06 14:07:03 156784]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 11:59:36 806912]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Common Files\\AOL\\1171159395\\ee\\aolsoftware.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\LimeWire\\lib\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 09:23]
S3 JL2005;JL2005A Toy Camera;C:\WINDOWS\system32\Drivers\toywdm.sys []

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-15 11:29:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBTCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
msci = C:\DOCUME~1\LEAHTA~1\LOCALS~1\Temp\2008414191238_mcinfo.exe /insfin???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????A?X?D????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-15 11:30:58
ComboFix-quarantined-files.txt 2008-04-15 17:30:51

Pre-Run: 56,985,968,640 bytes free
Post-Run: 56,969,826,304 bytes free
.
2008-03-26 02:28:30 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:58:19 PM, on 4/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\AOL\1171159395\ee\AOLSoftware.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\DOCUME~1\LEAHTA~1\LOCALS~1\Temp\2008414191238_mcinfo.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com...de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1171159395\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\LEAHTA~1\LOCALS~1\Temp\2008414191238_mcinfo.exe /insfin
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://www112.coolsa...oad/cscmv5X.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com...obat/nos/gp.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9093 bytes

#8 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 15 April 2008 - 04:23 PM

Hi

Sounds a strange one. Let's do this first.

We now suggest that you install the Windows Recovery Console. The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System, which in your case is SP2

XP Media Centre is based upon XP Professional

Posted Image


Download the file & save it as it's originally named, next to ComboFix.exe.

Posted Image

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.
You too could train to help others- Join the Classroom

Posted Image


Posted Image

Posted Image

#9 Jcatsmom

Jcatsmom

    Authentic Member

  • Authentic Member
  • PipPip
  • 154 posts

Posted 15 April 2008 - 05:08 PM

Scotty- The computer is not cooperating. I ran combofix (I had not quitted AVG *sigh*.) It gave me error message. Application regt.cfexe failed to initialize error )X0000005 Click OK to terminate. I Stopped AVG. Tried to run again- messge Already had recovery Console installed. Click ok to terminate. error 0000005 showed up again. WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons Help! :pullhair:

#10 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 16 April 2008 - 03:48 AM

Hi

It doesnt look like we will be needing Combofix again.

Download ATF (Atribune Temp File) Cleanerę by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

*Note* If you do not have Firefox or Opera, those options will be greyed out.



Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Post that log back here with a new HijackThis log.

You too could train to help others- Join the Classroom

Posted Image


Posted Image

Posted Image

    Advertisements

Register to Remove


#11 Jcatsmom

Jcatsmom

    Authentic Member

  • Authentic Member
  • PipPip
  • 154 posts

Posted 16 April 2008 - 10:22 AM

Good morning, Scotty. The computer seems to be shaping up. :thumbup: I don't know if it has interferred with operations, but several processes had been trying to occur on opening the computer each time. Separate users had files waiting to be written to CD, so I have resolved that. Apparently they had initiated installation of MS Word, but I haven't wanted to go ahead with it until we had the malware resolved. Should I install or is there a way we can cancel for now? Malwarebytes had good success. Here are my logs:

Malwarebytes' Anti-Malware 1.11
Database version: 636

Scan type: Full Scan (C:\|)
Objects scanned: 115973
Time elapsed: 36 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 24
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{0890c1d6-debd-4cbc-97cd-dfafb8d06654} (Rogue.Spy.Crush) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{0e863328-916d-4032-a57d-b4d234830ae8} (Rogue.Spy.Crush) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{0ef44c21-275e-4614-8564-8c46097a03d9} (Rogue.Spy.Crush) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{25fc01e9-92ac-443f-8496-7e44e0dd04ab} (Rogue.Spy.Crush) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2b491308-39ee-4a1e-8020-d4ef364149f8} (Rogue.Spy.Crush) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2cf3105f-e9ad-4bc2-860b-09db079d498e} (Rogue.Spy.Crush) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{344b79d5-d3db-469b-a31e-aaca1d75b105} (Rogue.Spy.Crush) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{5dbd9711-ceaf-4c20-9ce2-b17167271c24} (Rogue.Spy.Crush) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{803bd939-d225-4b05-85f8-cf5ee87d16fe} (Rogue.Spy.Crush) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{87032659-2467-431f-8558-35a2cb66f7c7} (Rogue.Spy.Crush) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{96d36795-387d-4504-a42e-a2dc60684f9d} (Rogue.Spy.Crush) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf06fda2-9f4e-4c12-b7e2-4368159bc178} (Rogue.Spy.Crush) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf1b8dd1-0374-4e99-8a63-de041f80f5b4} (Rogue.Spy.Crush) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d1ee4f9e-7ed5-4838-ad46-57a393d09e91} (Rogue.Spy.Crush) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d788c427-3125-4ee6-b6da-8fdb4feb7692} (Rogue.Spy.Crush) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ec4db87a-a091-4a6d-b14f-69856a033c99} (Rogue.Spy.Crush) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d72322bb-82bf-4c23-b834-90ea8a099fc1} (Rogue.Spy.Crush) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Installer\Features\9ee2330ae5f4470cac801baac83818c9 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\568267acfc5644dab06f058006ddbae3 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4d25f921-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4d25f921-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4d25f924-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\zangosa (Adware.Zango) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWay) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Shannon Talley\Start Menu\Programs\SpyCrush 3.3 (Rogue.SpyCrush) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (Adware.MyWay) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\VirusLocker\VirusLocker.exe.vir (Rogue.Virus.Locker) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP371\A0081555.exe (Rogue.Virus.Locker) -> Quarantined and deleted successfully.
C:\Documents and Settings\Shannon Talley\Start Menu\Programs\SpyCrush 3.3\SpyCrush 3.3 Website.lnk (Rogue.SpyCrush) -> Quarantined and deleted successfully.
C:\Documents and Settings\Shannon Talley\Start Menu\Programs\SpyCrush 3.3\SpyCrush 3.3.lnk (Rogue.SpyCrush) -> Quarantined and deleted successfully.
C:\Documents and Settings\Shannon Talley\Start Menu\Programs\SpyCrush 3.3\Uninstall SpyCrush 3.3.lnk (Rogue.SpyCrush) -> Quarantined and deleted successfully.
C:\Documents and Settings\Shannon Talley\Desktop\SpyCrush 3.3.lnk (Rogue.SpyCrush) -> Quarantined and deleted successfully.
C:\Documents and Settings\Shannon Talley\Start Menu\SpyCrush 3.3.lnk (Rogue.SpyCrush) -> Quarantined and deleted successfully.
C:\Documents and Settings\Shannon Talley\Application Data\Microsoft\Internet Explorer\Quick Launch\SpyCrush 3.3.lnk (Rogue.SpyCrush) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nathan Garner\Desktop\DrAntispy.lnk (Rogue.Dr.Antispy) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:09:39 AM, on 4/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\AOL\1171159395\ee\AOLSoftware.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com...de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1171159395\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://www112.coolsa...oad/cscmv5X.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com...obat/nos/gp.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8748 bytes

#12 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 16 April 2008 - 01:09 PM

Hi

Let's just do one more scan.

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:

      + Extended(If available otherwise Standard)
    • Scan Options:

      + Scan Archives
      + Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post with a new HijackThis log.

With the exception of Internet Explorer, which is needed for the Kaspersky Scan, keep ALL programs closed until the scan is complete. This includes your anti-virus. Once you have installed the Scanner, and the updated definitions, you can disconnect from the Internet.Re-enable the anti-virus before reconnecting to the Internet.
You too could train to help others- Join the Classroom

Posted Image


Posted Image

Posted Image

#13 Jcatsmom

Jcatsmom

    Authentic Member

  • Authentic Member
  • PipPip
  • 154 posts

Posted 16 April 2008 - 07:13 PM

Scotty- It looks to me like Cool Savings may be the only problem left, other than removing quarantined traces. Thank you for your help! Jcatsmom

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, April 16, 2008 6:57:15 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 16/04/2008
Kaspersky Anti-Virus database records: 711370
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 82965
Number of viruses found: 4
Number of infected objects: 11
Number of suspicious objects: 0
Duration of the scan process: 01:08:30

Infected Object Name / Virus Name / Last Action
C:\1b1494534e80e918e4b9eacb\ZuneSetup.exe Object is locked skipped
C:\835f4f26d21e4deb281dce1d\en-US\ZuneSetup.exe.mui Object is locked skipped
C:\835f4f26d21e4deb281dce1d\es-ES\ZuneSetup.exe.mui Object is locked skipped
C:\835f4f26d21e4deb281dce1d\fr-FR\ZuneSetup.exe.mui Object is locked skipped
C:\835f4f26d21e4deb281dce1d\packages\muauth.cab Object is locked skipped
C:\835f4f26d21e4deb281dce1d\packages\Zune-es.msi Object is locked skipped
C:\835f4f26d21e4deb281dce1d\packages\Zune-fr.msi Object is locked skipped
C:\835f4f26d21e4deb281dce1d\packages\Zune-x86.msi Object is locked skipped
C:\835f4f26d21e4deb281dce1d\ZuneSetup.exe Object is locked skipped
C:\ae2f743828b652f46ce646d64bfce1\en-US\ZuneSetup.exe.mui Object is locked skipped
C:\ae2f743828b652f46ce646d64bfce1\es-ES\ZuneSetup.exe.mui Object is locked skipped
C:\ae2f743828b652f46ce646d64bfce1\fr-FR\ZuneSetup.exe.mui Object is locked skipped
C:\ae2f743828b652f46ce646d64bfce1\packages\muauth.cab Object is locked skipped
C:\ae2f743828b652f46ce646d64bfce1\packages\Zune-es.msi Object is locked skipped
C:\ae2f743828b652f46ce646d64bfce1\packages\Zune-fr.msi Object is locked skipped
C:\ae2f743828b652f46ce646d64bfce1\packages\Zune-x86.msi Object is locked skipped
C:\ae2f743828b652f46ce646d64bfce1\ZuneSetup.exe Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\variable Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\BFTS\BFTSDatabase.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\SupportSoft\DellSupportCenter\SYSTEM\state\logs\sprtcmd.log Object is locked skipped
C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp Object is locked skipped
C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
C:\Documents and Settings\Leah Talley\Desktop\SmitfraudFix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Leah Talley\Desktop\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Leah Talley\Desktop\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Nathan Garner\Local Settings\Application Data\Microsoft\Zune\CurrentDatabase_365.wmdb Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Shannon Talley\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skipped
C:\Documents and Settings\Shannon Talley\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt_GTActions.log Object is locked skipped
C:\Documents and Settings\Shannon Talley\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\gdql_d_DSAgnt.log Object is locked skipped
C:\Documents and Settings\Shannon Talley\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\glog.log Object is locked skipped
C:\Documents and Settings\Shannon Talley\Application Data\MySpace\IM\Logs\MySpaceIM-20080416-171206.log Object is locked skipped
C:\Documents and Settings\Shannon Talley\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Shannon Talley\Desktop\Download_mbam-setup.exe Infected: not-a-virus:Downloader.Win32.WinFixer.fs skipped
C:\Documents and Settings\Shannon Talley\Desktop\SmitfraudFix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Shannon Talley\Desktop\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Shannon Talley\Desktop\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Shannon Talley\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\Shannon Talley\Local Settings\Application Data\ApplicationHistory\sprtcmd.exe.63e7480d.ini.inuse Object is locked skipped
C:\Documents and Settings\Shannon Talley\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Shannon Talley\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Shannon Talley\Local Settings\Application Data\SupportSoft\DellSupportCenter\Shannon Talley\state\logs\sprtcmd.log Object is locked skipped
C:\Documents and Settings\Shannon Talley\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Shannon Talley\Local Settings\Temp\~DF421.tmp Object is locked skipped
C:\Documents and Settings\Shannon Talley\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Shannon Talley\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Shannon Talley\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\SC\SpyCrush 3.3\SpyCrush 3.3.exe.vir Infected: not-a-virus:FraudTool.Win32.SpyHeal.f skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP370\A0081511.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP370\A0081525.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP370\A0081526.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP370\A0081541.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP371\A0081559.exe Infected: not-a-virus:FraudTool.Win32.SpyHeal.f skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP374\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\CpnMgr.dll Infected: not-a-virus:AdWare.Win32.CoolSavings.a skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{44898EDC-7E05-40CF-9400-67B07819B526}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\SYSTEM32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:05:25 PM, on 4/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\AOL\1171159395\ee\AOLSoftware.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com...de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1171159395\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-3970391799-2171398631-2287538754-1007\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User 'Shannon Talley')
O4 - HKUS\S-1-5-21-3970391799-2171398631-2287538754-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Shannon Talley')
O4 - HKUS\S-1-5-21-3970391799-2171398631-2287538754-1007\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Shannon Talley')
O4 - HKUS\S-1-5-21-3970391799-2171398631-2287538754-1007\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter (User 'Shannon Talley')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://www112.coolsa...oad/cscmv5X.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com...obat/nos/gp.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9388 bytes

#14 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 17 April 2008 - 01:45 AM

Hi

Remember to disconnect from the Internet before carrying out the next instruction, and to save the following script before you do.


Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text with your mouse and pressing Ctrl+C

KillAll::
 
File::
C:\WINDOWS\Downloaded Program Files\CpnMgr.dll

Folder::
C:\Documents and Settings\Shannon Talley\Desktop\SmitfraudFix.zip
C:\Documents and Settings\Shannon Talley\Desktop\SmitfraudFix

Go to the Notepad window and click Edit > Paste
Then click File > Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

Posted Image


Refering to the picture above, drag CFScript into ComboFix.exe

In your next reply post:
ComboFix.txt
New HijackThis log taken after the above scan has run

You too could train to help others- Join the Classroom

Posted Image


Posted Image

Posted Image

#15 Jcatsmom

Jcatsmom

    Authentic Member

  • Authentic Member
  • PipPip
  • 154 posts

Posted 17 April 2008 - 04:20 PM

Scotty- I ran the combofix to delete according to your directions. After it finished running, an error message balloon indicated that combofix was corrupted. (This is a version I downloaded today.) Another balloon about the firewall being off popped up before I could record the exact message, so I checked eventvwr-system log. I found an interesting message. It tells me that the hard drive has a bad block in it... I am including the logs you requested. - Jcatsmom


ComboFix 08-04-16.5 - Shannon Talley 2008-04-17 15:55:09.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.225 [GMT -6:00]
Running from: C:\Documents and Settings\Shannon Talley\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Shannon Talley\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\Downloaded Program Files\CpnMgr.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Shannon Talley\Desktop\SmitfraudFix.zip\
.
---- Previous Run -------
.
C:\Documents and Settings\Shannon Talley\Desktop\SmitfraudFix
C:\Documents and Settings\Shannon Talley\Desktop\SmitfraudFix.zip\
C:\Documents and Settings\Shannon Talley\Desktop\SmitfraudFix\SmitfraudFix\dumphive.exe
C:\Documents and Settings\Shannon Talley\Desktop\SmitfraudFix\SmitfraudFix\exit.exe
C:\Documents and Settings\Shannon Talley\Desktop\SmitfraudFix\SmitfraudFix\GenericRenosFix.exe
C:\Documents and Settings\Shannon Talley\Desktop\SmitfraudFix\SmitfraudFix\HostsChk.exe
C:\Documents and Settings\Shannon Talley\Desktop\SmitfraudFix\SmitfraudFix\IEDFix.exe
C:\Documents and Settings\Shannon Talley\Desktop\SmitfraudFix\SmitfraudFix\Process.exe
C:\Documents and Settings\Shannon Talley\Desktop\SmitfraudFix\SmitfraudFix\Reboot.exe
C:\Documents and Settings\Shannon Talley\Desktop\SmitfraudFix\SmitfraudFix\restart.exe
C:\Documents and Settings\Shannon Talley\Desktop\SmitfraudFix\SmitfraudFix\SmitfraudFix.cmd
C:\Documents and Settings\Shannon Talley\Desktop\SmitfraudFix\SmitfraudFix\SmiUpdate.exe
C:\Documents and Settings\Shannon Talley\Desktop\SmitfraudFix\SmitfraudFix\SrchSTS.exe
C:\Documents and Settings\Shannon Talley\Desktop\SmitfraudFix\SmitfraudFix\swreg.exe
C:\Documents and Settings\Shannon Talley\Desktop\SmitfraudFix\SmitfraudFix\swsc.exe
C:\Documents and Settings\Shannon Talley\Desktop\SmitfraudFix\SmitfraudFix\swxcacls.exe
C:\Documents and Settings\Shannon Talley\Desktop\SmitfraudFix\SmitfraudFix\UIFix.exe
C:\Documents and Settings\Shannon Talley\Desktop\SmitfraudFix\SmitfraudFix\unzip.exe
C:\Documents and Settings\Shannon Talley\Desktop\SmitfraudFix\SmitfraudFix\VACFix.exe
C:\Documents and Settings\Shannon Talley\Desktop\SmitfraudFix\SmitfraudFix\VCCLSID.exe
C:\Documents and Settings\Shannon Talley\Desktop\SmitfraudFix\SmitfraudFix\WS2Fix.exe
C:\WINDOWS\Downloaded Program Files\CpnMgr.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-17 to 2008-04-17 )))))))))))))))))))))))))))))))
.

2008-04-16 16:38 . 2008-04-16 16:38 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-04-16 16:38 . 2008-04-16 16:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-16 09:16 . 2008-04-16 10:04 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-16 09:16 . 2008-04-16 09:16 <DIR> d-------- C:\Documents and Settings\Shannon Talley\Application Data\Malwarebytes
2008-04-16 09:16 . 2008-04-16 09:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-16 09:15 . 2008-04-16 09:15 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-04-16 09:10 . 2008-04-16 09:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-04-15 20:12 . 2008-04-15 20:14 <DIR> d-------- C:\Documents and Settings\Nathan Garner\Application Data\AVG7
2008-04-15 11:15 . 2005-03-06 14:11 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-04-15 11:15 . 2005-03-06 13:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-04-15 11:15 . 2008-04-15 11:15 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-15 11:09 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2008-04-15 11:09 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2008-04-15 11:09 . 2008-04-14 19:28 86,528 --a------ C:\WINDOWS\SYSTEM32\VACFix.exe
2008-04-15 11:09 . 2008-04-12 13:49 82,432 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe
2008-04-15 11:09 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2008-04-15 11:09 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2008-04-15 11:09 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2008-04-15 10:39 . 2008-04-15 10:45 <DIR> d-------- C:\fixwareout
2008-04-15 10:26 . 2008-04-15 10:32 <DIR> d-------- C:\Documents and Settings\Shannon Talley\Application Data\AVG7
2008-04-14 19:25 . 2008-04-14 19:27 <DIR> d-------- C:\Documents and Settings\Leah Talley\Application Data\AVG7
2008-04-14 19:24 . 2008-04-14 19:24 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-14 19:24 . 2008-04-14 19:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-14 19:24 . 2008-04-14 19:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-04-13 21:45 . 2008-04-15 11:19 4,508 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-04-13 21:07 . 2008-04-13 21:07 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-30 18:20 . 2008-03-30 21:05 <DIR> d-------- C:\ae2f743828b652f46ce646d64bfce1
2008-03-30 10:49 . 2008-03-30 10:49 <DIR> d-------- C:\Program Files\UbiSoft
2008-03-28 19:51 . 2008-04-04 21:42 54,156 --ah-c--- C:\WINDOWS\QTFont.qfn
2008-03-28 19:51 . 2008-03-28 19:51 1,409 --a--c--- C:\WINDOWS\QTFont.for
2008-03-28 00:33 . 2008-03-28 00:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-03-24 16:48 . 2008-03-24 16:48 98,352 --a--c--- C:\Documents and Settings\Nathan Garner\Application Data\GDIPFONTCACHEV1.DAT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-16 01:33 160 -c--a-w C:\Documents and Settings\Shannon Talley\Application Data\wklnhst.dat
2008-04-15 17:29 --------- d-----w C:\Program Files\SC
2008-04-15 17:24 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-08 02:53 --------- d-----w C:\Program Files\Dl_cats
2008-04-07 04:39 --------- d-----w C:\Program Files\LimeWire
2008-04-07 04:39 --------- d-----w C:\Program Files\Incomplete
2008-04-03 02:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-03 02:55 --------- d-----w C:\Program Files\THQ
2008-04-03 02:26 --------- d-----w C:\Program Files\The Learning Company
2008-04-03 02:24 --------- d-----w C:\Program Files\Scholastic
2008-03-30 16:47 --------- d-----w C:\Program Files\Pony Luv
2008-03-29 07:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
2008-03-28 06:33 --------- d-----w C:\Program Files\Common Files\AOL
2008-03-25 00:21 696 -c--a-w C:\Documents and Settings\Nathan Garner\Application Data\wklnhst.dat
2006-07-12 20:55 160 -c--a-w C:\Documents and Settings\Leah Talley\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((( snapshot@2008-04-15_11.30.39.96 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-15 17:23:58 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-04-17 21:59:10 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2007-12-07 02:21:45 124,928 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\advpack.dll
+ 2007-12-19 23:01:06 347,136 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\dxtmsft.dll
+ 2007-12-07 02:21:45 214,528 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\dxtrans.dll
+ 2007-12-07 02:21:45 133,120 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\extmgr.dll
+ 2007-12-07 02:21:45 63,488 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\icardie.dll
+ 2007-12-06 11:00:57 70,656 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\ie4uinit.exe
+ 2007-12-07 02:21:45 153,088 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\ieakeng.dll
+ 2007-12-07 02:21:45 230,400 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\ieaksie.dll
+ 2007-12-06 04:59:51 161,792 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\ieakui.dll
+ 2007-12-07 02:21:45 383,488 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\ieapfltr.dll
+ 2007-12-07 02:21:45 384,512 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\iedkcs32.dll
+ 2007-12-07 02:21:46 6,066,176 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\ieframe.dll
+ 2007-12-07 02:21:46 44,544 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\iernonce.dll
+ 2007-12-07 02:21:46 267,776 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\iertutil.dll
+ 2007-12-06 11:00:58 13,824 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\ieudinit.exe
+ 2007-12-06 11:01:25 625,664 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\iexplore.exe
+ 2007-12-07 02:21:47 27,648 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\jsproxy.dll
+ 2007-12-07 02:21:47 459,264 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\msfeeds.dll
+ 2007-12-07 02:21:47 52,224 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\msfeedsbs.dll
+ 2007-12-08 05:21:48 3,592,192 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\mshtml.dll
+ 2007-12-07 02:21:47 478,208 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\mshtmled.dll
+ 2007-12-07 02:21:48 193,024 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\msrating.dll
+ 2007-12-07 02:21:48 671,232 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\mstime.dll
+ 2007-12-07 02:21:48 102,912 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\occache.dll
+ 2008-01-11 05:53:32 44,544 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\pngfilt.dll
+ 2007-03-06 01:22:39 213,216 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\updspapi.dll
+ 2007-12-07 02:21:48 105,984 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\url.dll
+ 2007-12-07 02:21:48 1,159,680 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\urlmon.dll
+ 2007-12-07 02:21:48 233,472 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\webcheck.dll
+ 2007-12-07 02:21:48 824,832 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\wininet.dll
- 2007-12-07 02:21:45 124,928 ----a-w C:\WINDOWS\SYSTEM32\advpack.dll
+ 2008-03-01 13:06:20 124,928 ----a-w C:\WINDOWS\SYSTEM32\advpack.dll
- 2007-12-07 02:21:45 124,928 -c----w C:\WINDOWS\SYSTEM32\DLLCACHE\advpack.dll
+ 2008-03-01 13:06:20 124,928 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\advpack.dll
- 2006-06-26 17:37:10 148,480 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
+ 2008-02-20 05:32:43 148,992 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
+ 2008-02-20 05:32:43 45,568 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsrslvr.dll
- 2007-12-19 23:01:06 347,136 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtmsft.dll
+ 2008-03-01 13:06:21 347,136 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtmsft.dll
- 2007-12-07 02:21:45 214,528 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
+ 2008-03-01 13:06:21 214,528 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
- 2007-12-07 02:21:45 133,120 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
+ 2008-03-01 13:06:21 133,120 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
- 2007-06-19 13:31:19 282,112 -c----w C:\WINDOWS\SYSTEM32\DLLCACHE\gdi32.dll
+ 2008-02-20 06:51:05 282,624 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\gdi32.dll
- 2007-12-07 02:21:45 63,488 -c----w C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
+ 2008-03-01 13:06:21 63,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
- 2007-12-06 11:00:57 70,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
+ 2008-02-29 08:55:23 70,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
- 2007-12-07 02:21:45 153,088 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakeng.dll
+ 2008-03-01 13:06:21 153,088 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakeng.dll
- 2007-12-07 02:21:45 230,400 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ieaksie.dll
+ 2008-03-01 13:06:21 230,400 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ieaksie.dll
- 2007-12-06 04:59:51 161,792 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
+ 2008-02-15 05:44:25 161,792 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
- 2007-12-07 02:21:45 383,488 -c----w C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
+ 2008-03-01 13:06:22 383,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
- 2007-12-07 02:21:45 384,512 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iedkcs32.dll
+ 2008-03-01 13:06:22 384,512 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iedkcs32.dll
- 2007-12-07 02:21:46 6,066,176 -c----w C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
+ 2008-03-01 13:06:24 6,066,176 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
- 2007-12-07 02:21:46 44,544 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iernonce.dll
+ 2008-03-01 13:06:24 44,544 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iernonce.dll
- 2007-12-07 02:21:46 267,776 -c----w C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
+ 2008-03-01 13:06:25 267,776 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
- 2007-12-06 11:00:58 13,824 -c----w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
+ 2008-02-22 10:00:51 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
- 2007-12-06 11:01:25 625,664 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
+ 2008-02-29 08:55:46 625,664 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
- 2007-12-07 02:21:47 27,648 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
+ 2008-03-01 13:06:25 27,648 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
- 2007-12-07 02:21:47 459,264 -c----w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
+ 2008-03-01 13:06:26 459,264 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
- 2007-12-07 02:21:47 52,224 -c----w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
+ 2008-03-01 13:06:26 52,224 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
- 2007-12-08 05:21:48 3,592,192 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
+ 2008-03-02 00:36:30 3,591,680 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
- 2007-12-07 02:21:47 478,208 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
+ 2008-03-01 13:06:28 478,208 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
- 2007-12-07 02:21:48 193,024 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
+ 2008-03-01 13:06:28 193,024 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
- 2007-12-07 02:21:48 671,232 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
+ 2008-03-01 13:06:29 671,232 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
- 2007-12-07 02:21:48 102,912 -c----w C:\WINDOWS\SYSTEM32\DLLCACHE\occache.dll
+ 2008-03-01 13:06:29 102,912 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\occache.dll
- 2008-01-11 05:53:32 44,544 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\pngfilt.dll
+ 2008-03-01 13:06:29 44,544 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\pngfilt.dll
- 2007-12-07 02:21:48 105,984 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\url.dll
+ 2008-03-01 13:06:29 105,984 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\url.dll
- 2007-12-07 02:21:48 1,159,680 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
+ 2008-03-01 13:06:30 1,159,680 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
- 2007-12-07 02:21:48 233,472 -c----w C:\WINDOWS\SYSTEM32\DLLCACHE\webcheck.dll
+ 2008-03-01 13:06:30 233,472 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\webcheck.dll
- 2007-03-08 13:47:48 1,843,584 -c----w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys
+ 2008-03-19 09:47:00 1,845,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys
- 2007-12-07 02:21:48 824,832 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
+ 2008-03-01 13:06:31 826,368 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
- 2006-06-26 17:37:10 148,480 ----a-w C:\WINDOWS\SYSTEM32\dnsapi.dll
+ 2008-02-20 05:32:43 148,992 ----a-w C:\WINDOWS\SYSTEM32\dnsapi.dll
- 2004-08-04 11:00:00 45,568 ----a-w C:\WINDOWS\SYSTEM32\DNSRSLVR.DLL
+ 2008-02-20 05:32:43 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr.dll
- 2007-12-19 23:01:06 347,136 ----a-w C:\WINDOWS\SYSTEM32\dxtmsft.dll
+ 2008-03-01 13:06:21 347,136 ----a-w C:\WINDOWS\SYSTEM32\dxtmsft.dll
- 2007-12-07 02:21:45 214,528 ----a-w C:\WINDOWS\SYSTEM32\dxtrans.dll
+ 2008-03-01 13:06:21 214,528 ----a-w C:\WINDOWS\SYSTEM32\dxtrans.dll
- 2007-12-07 02:21:45 133,120 -c--a-w C:\WINDOWS\SYSTEM32\extmgr.dll
+ 2008-03-01 13:06:21 133,120 ----a-w C:\WINDOWS\SYSTEM32\extmgr.dll
- 2008-04-04 00:05:09 302,032 ----a-w C:\WINDOWS\SYSTEM32\FNTCACHE.DAT
+ 2008-04-16 23:10:29 302,032 ----a-w C:\WINDOWS\SYSTEM32\FNTCACHE.DAT
- 2007-06-19 13:31:19 282,112 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll
+ 2008-02-20 06:51:05 282,624 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll
- 2007-12-07 02:21:45 63,488 -c--a-w C:\WINDOWS\SYSTEM32\icardie.dll
+ 2008-03-01 13:06:21 63,488 ----a-w C:\WINDOWS\SYSTEM32\icardie.dll
- 2007-12-06 11:00:57 70,656 -c--a-w C:\WINDOWS\SYSTEM32\ie4uinit.exe
+ 2008-02-29 08:55:23 70,656 ----a-w C:\WINDOWS\SYSTEM32\ie4uinit.exe
- 2007-12-07 02:21:45 153,088 -c--a-w C:\WINDOWS\SYSTEM32\ieakeng.dll
+ 2008-03-01 13:06:21 153,088 ----a-w C:\WINDOWS\SYSTEM32\ieakeng.dll
- 2007-12-07 02:21:45 230,400 -c--a-w C:\WINDOWS\SYSTEM32\ieaksie.dll
+ 2008-03-01 13:06:21 230,400 ----a-w C:\WINDOWS\SYSTEM32\ieaksie.dll
- 2007-12-06 04:59:51 161,792 -c--a-w C:\WINDOWS\SYSTEM32\ieakui.dll
+ 2008-02-15 05:44:25 161,792 ----a-w C:\WINDOWS\SYSTEM32\ieakui.dll
- 2007-12-07 02:21:45 383,488 -c--a-w C:\WINDOWS\SYSTEM32\ieapfltr.dll
+ 2008-03-01 13:06:22 383,488 ----a-w C:\WINDOWS\SYSTEM32\ieapfltr.dll
- 2007-12-07 02:21:45 384,512 -c--a-w C:\WINDOWS\SYSTEM32\iedkcs32.dll
+ 2008-03-01 13:06:22 384,512 ----a-w C:\WINDOWS\SYSTEM32\iedkcs32.dll
- 2007-12-07 02:21:46 6,066,176 ----a-w C:\WINDOWS\SYSTEM32\ieframe.dll
+ 2008-03-01 13:06:24 6,066,176 ----a-w C:\WINDOWS\SYSTEM32\ieframe.dll
- 2007-12-07 02:21:46 44,544 -c--a-w C:\WINDOWS\SYSTEM32\iernonce.dll
+ 2008-03-01 13:06:24 44,544 ----a-w C:\WINDOWS\SYSTEM32\iernonce.dll
- 2007-12-07 02:21:46 267,776 ----a-w C:\WINDOWS\SYSTEM32\iertutil.dll
+ 2008-03-01 13:06:25 267,776 ----a-w C:\WINDOWS\SYSTEM32\iertutil.dll
- 2007-12-06 11:00:58 13,824 -c--a-w C:\WINDOWS\SYSTEM32\ieudinit.exe
+ 2008-02-22 10:00:51 13,824 ----a-w C:\WINDOWS\SYSTEM32\ieudinit.exe
- 2007-12-07 02:21:47 27,648 -c--a-w C:\WINDOWS\SYSTEM32\jsproxy.dll
+ 2008-03-01 13:06:25 27,648 ----a-w C:\WINDOWS\SYSTEM32\jsproxy.dll
+ 2005-05-24 18:27:16 213,048 ----a-w C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 21:47:20 94,208 ----a-w C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 21:49:54 950,272 ----a-w C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2008-03-05 16:30:54 19,148,408 -c--a-w C:\WINDOWS\SYSTEM32\MRT.exe
+ 2008-04-06 05:56:20 19,836,024 -c--a-w C:\WINDOWS\SYSTEM32\MRT.exe
- 2007-12-07 02:21:47 459,264 -c--a-w C:\WINDOWS\SYSTEM32\msfeeds.dll
+ 2008-03-01 13:06:26 459,264 ----a-w C:\WINDOWS\SYSTEM32\msfeeds.dll
- 2007-12-07 02:21:47 52,224 -c--a-w C:\WINDOWS\SYSTEM32\msfeedsbs.dll
+ 2008-03-01 13:06:26 52,224 ----a-w C:\WINDOWS\SYSTEM32\msfeedsbs.dll
- 2007-12-08 05:21:48 3,592,192 ----a-w C:\WINDOWS\SYSTEM32\mshtml.dll
+ 2008-03-02 00:36:30 3,591,680 ----a-w C:\WINDOWS\SYSTEM32\mshtml.dll
- 2007-12-07 02:21:47 478,208 ----a-w C:\WINDOWS\SYSTEM32\mshtmled.dll
+ 2008-03-01 13:06:28 478,208 ----a-w C:\WINDOWS\SYSTEM32\mshtmled.dll
- 2007-12-07 02:21:48 193,024 -c--a-w C:\WINDOWS\SYSTEM32\msrating.dll
+ 2008-03-01 13:06:28 193,024 ----a-w C:\WINDOWS\SYSTEM32\msrating.dll
- 2007-12-07 02:21:48 671,232 -c--a-w C:\WINDOWS\SYSTEM32\mstime.dll
+ 2008-03-01 13:06:29 671,232 ----a-w C:\WINDOWS\SYSTEM32\mstime.dll
- 2007-12-07 02:21:48 102,912 ----a-w C:\WINDOWS\SYSTEM32\occache.dll
+ 2008-03-01 13:06:29 102,912 ----a-w C:\WINDOWS\SYSTEM32\occache.dll
- 2008-01-11 05:53:32 44,544 ----a-w C:\WINDOWS\SYSTEM32\pngfilt.dll
+ 2008-03-01 13:06:29 44,544 ----a-w C:\WINDOWS\SYSTEM32\pngfilt.dll
- 2007-03-06 01:22:36 14,048 -c----w C:\WINDOWS\SYSTEM32\spmsg.dll
+ 2007-03-06 01:22:33 14,048 ------w C:\WINDOWS\SYSTEM32\spmsg.dll
- 2007-12-07 02:21:48 105,984 ----a-w C:\WINDOWS\SYSTEM32\url.dll
+ 2008-03-01 13:06:29 105,984 ----a-w C:\WINDOWS\SYSTEM32\url.dll
- 2007-12-07 02:21:48 1,159,680 ----a-w C:\WINDOWS\SYSTEM32\urlmon.dll
+ 2008-03-01 13:06:30 1,159,680 ----a-w C:\WINDOWS\SYSTEM32\urlmon.dll
- 2007-12-07 02:21:48 233,472 ----a-w C:\WINDOWS\SYSTEM32\webcheck.dll
+ 2008-03-01 13:06:30 233,472 ----a-w C:\WINDOWS\SYSTEM32\webcheck.dll
- 2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
+ 2008-03-19 09:47:00 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
- 2007-12-07 02:21:48 824,832 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
+ 2008-03-01 13:06:31 826,368 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-29 22:38 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-08-13 18:04 5562368]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 09:23 202544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-05-06 15:52 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-05-06 15:48 118784]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 03:03 49263]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 20:12 221184]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 16:54 57344]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 01:01 110592]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-01-17 13:03 135168]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 01:05 127035]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-11-10 13:36 290816]
"DLBTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 15:41 69632]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-12-05 22:08 50688]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-22 08:54 155648]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 06:50 71216]
"HostManager"="C:\Program Files\Common Files\AOL\1171159395\ee\AOLSoftware.exe" [2007-10-08 15:50 41824]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2006-01-17 13:03 53248]
"Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe" [2006-10-31 14:34 20752]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-10-23 19:54 26112]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 15:45 278528]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 09:24 16384]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-14 19:24 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-08-13 18:04 5562368]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-14 19:24 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2005-03-06 14:07:03 156784]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 11:59:36 806912]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Common Files\\AOL\\1171159395\\ee\\aolsoftware.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\LimeWire\\lib\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 09:23]
S3 JL2005;JL2005A Toy Camera;C:\WINDOWS\system32\Drivers\toywdm.sys []

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-17 16:00:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Zune\ZuneNss.exe
C:\WINDOWS\SYSTEM32\WSCNTFY.EXE
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\SYSTEM32\msiexec.exe
C:\WINDOWS\SYSTEM32\msiexec.exe
C:\WINDOWS\SYSTEM32\msiexec.exe
.
**************************************************************************
.
Completion time: 2008-04-17 16:05:20 - machine was rebooted [Shannon Talley]
ComboFix-quarantined-files.txt 2008-04-17 22:05:13
ComboFix2.txt 2008-04-15 17:31:00

Pre-Run: 56,672,268,288 bytes free
Post-Run: 56,670,957,568 bytes free
.


2008-04-16 23:04:09 --- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:12:30 PM, on 4/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\AOL\1171159395\ee\AOLSoftware.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com...de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1171159395\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://www112.coolsa...oad/cscmv5X.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com...obat/nos/gp.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8831 bytes

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users