Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Computer infestation - Fake warnings - Screensaver & Background go


  • This topic is locked This topic is locked

#1
timbo428

timbo428

    Member

  • Member
  • PipPip
  • 35 posts
Dell Computer running Windows XP. FireFox for internet.

Various things happen. What I think is a fake error screen comes up frequently that says "Panic Stack Switch" or "No More IRP Locations" "KMode Exception Not Handled" "Maximum Wait Objects Exceeded" Then says it's resetting....the screen bounces quickly to a different display mode, then back to normal and everything seems fine (lol).

Spyware scanners find and fix lots of "outerinfo" files, but things still come back

Frequently get a "Switch To" prompt which, when closed, always makes IE pop something up.

Screensaver and background gone/altered. (Your system is infected with spyware!)

Constantly getting IE popups

Latest this morning I have "Antivirus XP 2008" telling me my computer is infected (did not install)
and a "Freeware Sysinternals Blue Screensaver" Keeps popping up on the screen.

I am not the brightest l.e.d. in the "bin" when it comes to computers...but I can follow instructions pretty well. I greatly appreciate any help you can give me. I will check back with this frequently and provide any other information that is needed.

PANDA SCAN attached because it was wrapping badly

HJT SCAN:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:25:58 PM, on 6/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\ASW\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\lphc1nmj0ee4e.exe
C:\Program Files\a?sembly\?ti2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\ASW\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {40D132DC-C280-4E3A-B916-EEF9F3060D7A} - C:\WINDOWS\system32\mljjj.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {B3ACDF45-1BD8-4D2A-DA29-30E6748F09E2} - C:\WINDOWS\system32\fofzlmk.dll (file missing)
O2 - BHO: {af8a3b0a-e4b1-559a-cf24-da98efee286f} - {f682eefe-89ad-42fc-a955-1b4ea0b3a8fa} - C:\WINDOWS\system32\rdamsumq.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\ASW\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CTFMon] C:\kl\ctfmon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [lphc1nmj0ee4e] C:\WINDOWS\system32\lphc1nmj0ee4e.exe
O4 - HKLM\..\Run: [SMshc7nmj0ee4e] C:\Program Files\shc7nmj0ee4e\shc7nmj0ee4e.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Ogca] "C:\Program Files\??mbols\s?ool32.exe"
O4 - HKCU\..\Run: [Yci] "C:\Program Files\a?sembly\?ti2evxx.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O20 - Winlogon Notify: ssqolmj - ssqolmj.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\ASW\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8684 bytes

MALWARE SCAN:

Malwarebytes' Anti-Malware 1.18
Database version: 876

12:15:17 PM 6/22/2008
mbam-log-6-22-2008 (12-15-17).txt

Scan type: Quick Scan
Objects scanned: 53079
Time elapsed: 5 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 18

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008 (Rogue.MalwareProtector2008) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Mike\Local Settings\Temporary Internet Files\Content.IE5\2V0UA4U6\!update-4495[1].0000 (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\How to Register Malware Protector 2008.lnk (Rogue.MalwareProtector2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\License Agreement.lnk (Rogue.MalwareProtector2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\Malware Protector 2008.lnk (Rogue.MalwareProtector2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\Register Malware Protector 2008.lnk (Rogue.MalwareProtector2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\Uninstall.lnk (Rogue.MalwareProtector2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008.lnk (Rogue.MalwareProtector2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Desktop\Malware Protector 2008.lnk (Rogue.MalwareProtector2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Application Data\Microsoft\Internet Explorer\Quick Launch\Malware Protector 2008.lnk (Rogue.MalwareProtector2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Local Settings\Temp\.tt2.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Local Settings\Temp\.tt3.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Local Settings\Temp\.tt4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Local Settings\Temp\.tt5.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Local Settings\Temp\.tt6.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Local Settings\Temp\.tt7.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Local Settings\Temp\.tt8.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Local Settings\Temp\.tt9.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Local Settings\Temp\.ttB.tmp (Trojan.Downloader) -> Delete on reboot.


I said before, I am not the best with computers, but if you can help me I will sing and dance at your (next) wedding. I had someone hide anything that could smash the computer very easily, but my bare hands are looking better and better! :) :)

Attached Files


  • 0

Advertisements


#2
BHowett

BHowett

    OT Moderator

  • Moderator
  • 4,642 posts
Hello and welcome to Geeks To Go! My name is BHowett and I will be helping you to get sorted. If for any reason you do not understand any of the instructions, or are just unsure then please do not guess , simply post back with your question, and we will go through it again.

The fixes may take several attempts and my replies may take some time but stick with it, and we will be sure to get you sorted.


Disable Teatimer

Please disable Teatimer as it may interfere with the fix.

First:
*Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
*Choose Exit Spybot S&D Resident

Second:
*Open Spybot S&D
*Click Mode, check Advanced Mode
*Go To Left Panel, Click Tools, then also in left panel, click Resident
*If your firewall raises a question, say OK
*Uncheck the box labeled Resident Tea-Timer and OK any prompts.
*Use File, Exit to terminate Spybot
*Reboot your machine for the changes to take effect.

Once your log is clean you can re-enable those settings.

===============================================


ComboFix

Please visit below webpage for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. DO NOT select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix (located in C:\combofix.txt) when you've accomplished that, along with a new HijackThis log.
  • 0

#3
timbo428

timbo428

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
BHowett, I am on it...but cannot do things right now. THANK YOU for your quick reply, and I will complete the items as soon as I get home. Thank you again for your time, and I will reply ASAP.
  • 0

#4
BHowett

BHowett

    OT Moderator

  • Moderator
  • 4,642 posts
your welcome, and no problem just post them when you can :)
  • 0

#5
timbo428

timbo428

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
Here we go. First thing I noticed, the background and screensaver tabs were back on the properties right click.

COMBO FIX & HJT Logs included!

Thank you once again for your time, already given, BHowett.

Attached Files


  • 0

#6
timbo428

timbo428

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
Say, and...I'm just waiting for BHowett's kind reply. But judging from the number of views on the combo vs/ HJT logs....there is nothing I'm compromising by posting those logs, is there? :)
  • 0

#7
BHowett

BHowett

    OT Moderator

  • Moderator
  • 4,642 posts

Say, and...I'm just waiting for BHowett's kind reply. But judging from the number of views on the combo vs/ HJT logs....there is nothing I'm compromising by posting those logs, is there? :)


Hi timbo428,

no you don't have to worry about the views... its just some users or students trying to take a peek :) Could you please post the logs in the reply and not attach them it makes it a lot eaiser for me to read :)
  • 0

#8
timbo428

timbo428

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
Okay, just checking, and sorry....here they are (if you didn't already look into them)

ComboFix 08-06-20.4 - Mike 2008-06-22 17:24:30.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.351 [GMT -5:00]
Running from: C:\Documents and Settings\Mike\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Application Data\rhc5nmj0ee4e
C:\Documents and Settings\All Users\Desktop\Malware Protector 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\How to Register Malware Protector 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\License Agreement.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\Malware Protector 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\Register Malware Protector 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\Uninstall.lnk
C:\Documents and Settings\Guest\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Guest\Favorites\Online Security Guide.lnk
C:\Documents and Settings\Mike\Application Data\Microsoft\Internet Explorer\Quick Launch\Malware Protector 2008.lnk
C:\Documents and Settings\Mike\Application Data\rhc5nmj0ee4e
C:\Documents and Settings\Mike\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Mike\Favorites\Online Security Guide.lnk
C:\Program Files\asembl~1
C:\Program Files\asembl~1\?ti2evxx.exe
C:\Program Files\asks~1
C:\Program Files\mbols~1
C:\Program Files\shc7nmj0ee4e
C:\Temp\abW9
C:\Temp\fse
C:\WINDOWS\icroso~1.net
C:\WINDOWS\icroso~1.net\?icrosoft.NET\
C:\WINDOWS\system32\baenndao.ini
C:\WINDOWS\system32\blphc1nmj0ee4e.scr
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\E.tmp
C:\WINDOWS\system32\iwnwxdbe.ini
C:\WINDOWS\SYSTEM32\jjjlm.bak1
C:\WINDOWS\SYSTEM32\jjjlm.bak2
C:\WINDOWS\system32\jjjlm.ini
C:\WINDOWS\system32\lphc1nmj0ee4e.exe
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\phc1nmj0ee4e.bmp
C:\WINDOWS\system32\pphc1nmj0ee4e.exe
C:\WINDOWS\SYSTEM32\qqtwa.bak1
C:\WINDOWS\SYSTEM32\qqtwa.ini
C:\WINDOWS\system32\rMa02yy

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_DOMAINSERVICE
-------\Legacy_NETWORK_MONITOR
-------\Service_sysrest.sys


((((((((((((((((((((((((( Files Created from 2008-05-22 to 2008-06-22 )))))))))))))))))))))))))))))))
.

2008-06-22 12:20 . 2008-06-22 12:20 <DIR> d-------- C:\Program Files\Panda Security
2008-06-22 11:58 . 2008-06-22 11:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-22 10:32 . 2008-06-22 10:33 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-06-22 10:31 . 2008-06-22 10:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-06-22 09:59 . 2008-06-22 10:00 <DIR> d-------- C:\Program Files\rhc5nmj0ee4e
2008-06-21 21:05 . 2008-06-21 20:55 60,928 --a------ C:\WINDOWS\SYSTEM32\1BC.tmp
2008-06-21 20:55 . 2008-06-21 20:45 60,928 --a------ C:\WINDOWS\SYSTEM32\F1.tmp
2008-06-21 18:52 . 2008-06-21 18:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-06-21 15:43 . 2008-06-21 15:43 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-21 15:43 . 2008-06-21 15:43 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Malwarebytes
2008-06-21 15:43 . 2008-06-21 15:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-21 15:43 . 2008-06-19 17:55 34,296 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-06-21 15:43 . 2008-06-19 17:55 17,144 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-06-21 15:10 . 2008-06-21 14:59 60,928 --a------ C:\WINDOWS\SYSTEM32\4F0.tmp
2008-06-21 14:09 . 2008-06-21 13:59 60,928 --a------ C:\WINDOWS\SYSTEM32\4A7.tmp
2008-06-21 13:39 . 2008-06-21 13:29 60,928 --a------ C:\WINDOWS\SYSTEM32\482.tmp
2008-06-21 13:09 . 2008-06-21 12:59 60,928 --a------ C:\WINDOWS\SYSTEM32\3FA.tmp
2008-06-21 12:06 . 2008-06-21 12:06 <DIR> d-------- C:\Deckard
2008-06-21 10:34 . 2008-06-21 10:35 299 --a------ C:\WINDOWS\wininit.ini
2008-06-21 09:46 . 2008-06-22 17:31 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-21 09:46 . 2008-06-21 09:46 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-21 09:34 . 2008-06-21 09:34 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-21 09:34 . 2008-06-21 10:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-21 09:02 . 2008-06-21 08:51 60,928 --a------ C:\WINDOWS\SYSTEM32\246.tmp
2008-06-21 08:31 . 2008-06-21 08:21 60,928 --a------ C:\WINDOWS\SYSTEM32\224.tmp
2008-06-21 06:50 . 2008-06-21 06:40 60,928 --a------ C:\WINDOWS\SYSTEM32\1B3.tmp
2008-06-21 06:20 . 2008-06-21 06:10 60,928 --a------ C:\WINDOWS\SYSTEM32\191.tmp
2008-06-21 06:00 . 2008-06-21 05:50 60,928 --a------ C:\WINDOWS\SYSTEM32\17A.tmp
2008-06-21 05:07 . 2008-06-21 04:57 60,928 --a------ C:\WINDOWS\SYSTEM32\145.tmp
2008-06-21 04:17 . 2008-06-21 04:07 60,928 --a------ C:\WINDOWS\SYSTEM32\10D.tmp
2008-06-21 03:16 . 2008-06-21 03:06 60,928 --a------ C:\WINDOWS\SYSTEM32\C9.tmp
2008-06-21 02:46 . 2008-06-21 02:36 60,928 --a------ C:\WINDOWS\SYSTEM32\A7.tmp
2008-06-21 02:16 . 2008-06-21 02:06 60,928 --a------ C:\WINDOWS\SYSTEM32\85.tmp
2008-06-21 01:36 . 2008-06-21 01:26 60,928 --a------ C:\WINDOWS\SYSTEM32\56.tmp
2008-06-21 01:05 . 2008-06-21 00:55 60,928 --a------ C:\WINDOWS\SYSTEM32\34.tmp
2008-06-20 23:58 . 2008-06-20 23:48 60,928 --a------ C:\WINDOWS\SYSTEM32\13.tmp
2008-06-20 20:57 . 2008-06-20 20:57 3,115 --a------ C:\WindowsLive.png
2008-06-20 20:48 . 2008-06-20 20:37 60,928 --a------ C:\WINDOWS\SYSTEM32\B7.tmp
2008-06-20 20:27 . 2008-06-20 20:17 60,928 --a------ C:\WINDOWS\SYSTEM32\9F.tmp
2008-06-20 19:37 . 2008-06-20 19:27 60,928 --a------ C:\WINDOWS\SYSTEM32\61.tmp
2008-06-20 18:50 . 2008-06-20 18:40 60,928 --a------ C:\WINDOWS\SYSTEM32\773.tmp
2008-06-19 11:25 . 2008-06-19 11:25 1,293,606 --a------ C:\fm.jpg
2008-06-18 13:52 . 2008-06-18 13:52 56,268 --a------ C:\mariocat3.jpg
2008-06-18 13:52 . 2008-06-18 13:52 34,679 --a------ C:\mariocat2.jpg
2008-06-18 12:05 . 2008-06-18 12:05 19,786 --a------ C:\catmario.jpg
2008-06-18 09:40 . 2008-06-18 09:40 19,738 --a------ C:\mariocat.jpg
2008-06-17 23:06 . 2008-06-17 23:06 4,136 --a------ C:\default.jpg
2008-06-06 06:23 . 2008-06-06 06:23 <DIR> d-------- C:\Program Files\Apple Software Update
2008-05-30 09:27 . 2008-05-30 09:27 502,340 --a------ C:\Jennifer2006.jpg
2008-05-30 09:21 . 2008-05-30 09:21 451,722 --a------ C:\1827858-R1-034-15A.jpg
2008-05-30 09:21 . 2008-05-30 09:21 327,721 --a------ C:\1827858-R1-002-00A.jpg
2008-05-30 09:19 . 2008-05-30 09:19 565,027 --a------ C:\1725718-R1-024-10A.jpg
2008-05-30 09:19 . 2008-05-30 09:19 401,278 --a------ C:\1725717-R1-026-11A.jpg
2008-05-30 09:18 . 2008-05-30 09:18 409,510 --a------ C:\1725717-R1-026-11A (2).jpg

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-22 14:58 --------- d-----w C:\Documents and Settings\Mike\Application Data\AVG7
2008-06-21 14:45 --------- d-----w C:\Program Files\Spyware Doctor
2008-06-21 14:44 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-13 07:36 --------- d-----w C:\Program Files\PokerStars
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{40D132DC-C280-4E3A-B916-EEF9F3060D7A}]
C:\WINDOWS\system32\mljjj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B3ACDF45-1BD8-4D2A-DA29-30E6748F09E2}]
C:\WINDOWS\system32\fofzlmk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f682eefe-89ad-42fc-a955-1b4ea0b3a8fa}]
C:\WINDOWS\system32\rdamsumq.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ogca"="C:\Program Files\??mbols\s?ool32.exe" [ ]
"Yci"="C:\Program Files\a?sembly\?ti2evxx.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-02-10 11:55 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-02-10 11:51 118784]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 17:48 32881]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 11:43 53248]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 20:12 221184]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [ ]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2004-08-27 02:10 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 16:27 385024]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2004-04-19 14:45 53248]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-03 17:56 188416]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 14:28 684032]
"!AVG Anti-Spyware"="C:\ASW\avgas.exe" [2007-06-11 04:25 6731312]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-18 08:33 579584]
"CTFMon"="C:\kl\ctfmon.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 04:22 267048]
"SMshc7nmj0ee4e"="C:\Program Files\shc7nmj0ee4e\shc7nmj0ee4e.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-15 00:10 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-12-09 16:24:46 113664]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2004-08-27 02:09:43 36953]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2004-08-11 04:22:40 757760]
Kodak software updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 16:12:08 16423]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 03:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqolmj]
ssqolmj.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-18 00:07:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-22 17:29:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\ASW\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\SYSTEM32\DRIVERS\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\SYSTEM32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-06-22 17:35:33 - machine was rebooted [Mike]
ComboFix-quarantined-files.txt 2008-06-22 22:35:30

Pre-Run: 43,943,710,720 bytes free
Post-Run: 44,011,823,104 bytes free

209 --- E O F --- 2007-11-15 09:05:13


and

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:37:12 PM, on 6/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\ASW\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\ASW\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {40D132DC-C280-4E3A-B916-EEF9F3060D7A} - C:\WINDOWS\system32\mljjj.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {B3ACDF45-1BD8-4D2A-DA29-30E6748F09E2} - C:\WINDOWS\system32\fofzlmk.dll (file missing)
O2 - BHO: {af8a3b0a-e4b1-559a-cf24-da98efee286f} - {f682eefe-89ad-42fc-a955-1b4ea0b3a8fa} - C:\WINDOWS\system32\rdamsumq.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\ASW\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CTFMon] C:\kl\ctfmon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SMshc7nmj0ee4e] C:\Program Files\shc7nmj0ee4e\shc7nmj0ee4e.exe
O4 - HKCU\..\Run: [Ogca] "C:\Program Files\??mbols\s?ool32.exe"
O4 - HKCU\..\Run: [Yci] "C:\Program Files\a?sembly\?ti2evxx.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O20 - Winlogon Notify: ssqolmj - ssqolmj.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\ASW\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8243 bytes


Another thanks,
-Timbo
  • 0

#9
BHowett

BHowett

    OT Moderator

  • Moderator
  • 4,642 posts
Hi timbo428,

Can you tell me if you know what these are? They look like they might be pictures you have saved to your C:\ drive

2008-06-19 11:25 . 2008-06-19 11:25 1,293,606 --a------ C:\fm.jpg
2008-06-18 13:52 . 2008-06-18 13:52 56,268 --a------ C:\mariocat3.jpg
2008-06-18 13:52 . 2008-06-18 13:52 34,679 --a------ C:\mariocat2.jpg
2008-06-18 12:05 . 2008-06-18 12:05 19,786 --a------ C:\catmario.jpg
2008-06-18 09:40 . 2008-06-18 09:40 19,738 --a------ C:\mariocat.jpg
2008-06-17 23:06 . 2008-06-17 23:06 4,136 --a------ C:\default.jpg
2008-05-30 09:27 . 2008-05-30 09:27 502,340 --a------ C:\Jennifer2006.jpg
2008-05-30 09:21 . 2008-05-30 09:21 451,722 --a------ C:\1827858-R1-034-15A.jpg
2008-05-30 09:21 . 2008-05-30 09:21 327,721 --a------ C:\1827858-R1-002-00A.jpg
2008-05-30 09:19 . 2008-05-30 09:19 565,027 --a------ C:\1725718-R1-024-10A.jpg
2008-05-30 09:19 . 2008-05-30 09:19 401,278 --a------ C:\1725717-R1-026-11A.jpg
2008-05-30 09:18 . 2008-05-30 09:18 409,510 --a------ C:\1725717-R1-026-11A (2).jpg

Let me know if you in fact put/saved them on your C:\ drive

===============================================

Please do the following:
Combofix Script.txt
1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\SYSTEM32\1BC.tmp
C:\WINDOWS\SYSTEM32\F1.tmp
C:\WINDOWS\SYSTEM32\4F0.tmp
C:\WINDOWS\SYSTEM32\4A7.tmp
C:\WINDOWS\SYSTEM32\482.tmp
C:\WINDOWS\SYSTEM32\3FA.tmp
C:\WINDOWS\SYSTEM32\246.tmp
C:\WINDOWS\SYSTEM32\224.tmp
C:\WINDOWS\SYSTEM32\1B3.tmp
C:\WINDOWS\SYSTEM32\191.tmp
C:\WINDOWS\SYSTEM32\17A.tmp
C:\WINDOWS\SYSTEM32\145.tmp
C:\WINDOWS\SYSTEM32\10D.tmp
C:\WINDOWS\SYSTEM32\C9.tmp
C:\WINDOWS\SYSTEM32\A7.tmp
C:\WINDOWS\SYSTEM32\85.tmp
C:\WINDOWS\SYSTEM32\56.tmp
C:\WINDOWS\SYSTEM32\34.tmp
C:\WINDOWS\SYSTEM32\13.tmp
C:\WINDOWS\SYSTEM32\B7.tmp
C:\WINDOWS\SYSTEM32\9F.tmp
C:\WINDOWS\SYSTEM32\61.tmp
C:\WINDOWS\SYSTEM32\773.tmp
C:\WindowsLive.png
Folder::
C:\Program Files\rhc5nmj0ee4e
C:\Program Files\shc7nmj0ee4e
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{40D132DC-C280-4E3A-B916-EEF9F3060D7A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B3ACDF45-1BD8-4D2A-DA29-30E6748F09E2}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f682eefe-89ad-42fc-a955-1b4ea0b3a8fa}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqolmj]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMshc7nmj0ee4e"=- 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ogca"=-
"Yci"=-


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

===============================================


OTMoveIt2 by OldTimer


Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Program Files\??mbols
    C:\Program Files\a?sembly
    Purity
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

===============================================

Update Java


Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.
===============================================

Needed in your next reply:

ComboFix Log
OTMoveIt2 Log
New HijackThis Log

And of course let me know how things are running now :)
  • 0

#10
timbo428

timbo428

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
BHowett:

I have completed your instructions exactly as directed.

1. Completed the combofix execute as listed

COMBOFIX LOG
ComboFix 08-06-20.4 - Mike 2008-06-23 8:55:42.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.405 [GMT -5:00]
Running from: C:\Documents and Settings\Mike\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mike\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\SYSTEM32\10D.tmp
C:\WINDOWS\SYSTEM32\13.tmp
C:\WINDOWS\SYSTEM32\145.tmp
C:\WINDOWS\SYSTEM32\17A.tmp
C:\WINDOWS\SYSTEM32\191.tmp
C:\WINDOWS\SYSTEM32\1B3.tmp
C:\WINDOWS\SYSTEM32\1BC.tmp
C:\WINDOWS\SYSTEM32\224.tmp
C:\WINDOWS\SYSTEM32\246.tmp
C:\WINDOWS\SYSTEM32\34.tmp
C:\WINDOWS\SYSTEM32\3FA.tmp
C:\WINDOWS\SYSTEM32\482.tmp
C:\WINDOWS\SYSTEM32\4A7.tmp
C:\WINDOWS\SYSTEM32\4F0.tmp
C:\WINDOWS\SYSTEM32\56.tmp
C:\WINDOWS\SYSTEM32\61.tmp
C:\WINDOWS\SYSTEM32\773.tmp
C:\WINDOWS\SYSTEM32\85.tmp
C:\WINDOWS\SYSTEM32\9F.tmp
C:\WINDOWS\SYSTEM32\A7.tmp
C:\WINDOWS\SYSTEM32\B7.tmp
C:\WINDOWS\SYSTEM32\C9.tmp
C:\WINDOWS\SYSTEM32\F1.tmp
C:\WindowsLive.png
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\rhc5nmj0ee4e
C:\Program Files\rhc5nmj0ee4e\database.dat
C:\Program Files\rhc5nmj0ee4e\license.txt
C:\Program Files\rhc5nmj0ee4e\MFC71.dll
C:\Program Files\rhc5nmj0ee4e\MFC71ENU.DLL
C:\Program Files\rhc5nmj0ee4e\msvcp71.dll
C:\Program Files\rhc5nmj0ee4e\msvcr71.dll
C:\Program Files\rhc5nmj0ee4e\rhc5nmj0ee4e.exe
C:\Program Files\rhc5nmj0ee4e\rhc5nmj0ee4e.exe.local
C:\Program Files\rhc5nmj0ee4e\rhc5nmj0ee4eSkin.dll
C:\Program Files\rhc5nmj0ee4e\Uninstall.exe
C:\WINDOWS\SYSTEM32\10D.tmp
C:\WINDOWS\SYSTEM32\13.tmp
C:\WINDOWS\SYSTEM32\145.tmp
C:\WINDOWS\SYSTEM32\17A.tmp
C:\WINDOWS\SYSTEM32\191.tmp
C:\WINDOWS\SYSTEM32\1B3.tmp
C:\WINDOWS\SYSTEM32\1BC.tmp
C:\WINDOWS\SYSTEM32\224.tmp
C:\WINDOWS\SYSTEM32\246.tmp
C:\WINDOWS\SYSTEM32\34.tmp
C:\WINDOWS\SYSTEM32\3FA.tmp
C:\WINDOWS\SYSTEM32\482.tmp
C:\WINDOWS\SYSTEM32\4A7.tmp
C:\WINDOWS\SYSTEM32\4F0.tmp
C:\WINDOWS\SYSTEM32\56.tmp
C:\WINDOWS\SYSTEM32\61.tmp
C:\WINDOWS\SYSTEM32\773.tmp
C:\WINDOWS\SYSTEM32\85.tmp
C:\WINDOWS\SYSTEM32\9F.tmp
C:\WINDOWS\SYSTEM32\A7.tmp
C:\WINDOWS\SYSTEM32\B7.tmp
C:\WINDOWS\SYSTEM32\C9.tmp
C:\WINDOWS\SYSTEM32\F1.tmp
C:\WindowsLive.png

.
((((((((((((((((((((((((( Files Created from 2008-05-23 to 2008-06-23 )))))))))))))))))))))))))))))))
.

2008-06-22 12:20 . 2008-06-22 12:20 <DIR> d-------- C:\Program Files\Panda Security
2008-06-22 11:58 . 2008-06-22 11:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-22 10:32 . 2008-06-22 10:33 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-06-22 10:31 . 2008-06-22 10:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-06-21 18:52 . 2008-06-21 18:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-06-21 15:43 . 2008-06-21 15:43 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-21 15:43 . 2008-06-21 15:43 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Malwarebytes
2008-06-21 15:43 . 2008-06-21 15:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-21 15:43 . 2008-06-19 17:55 34,296 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-06-21 15:43 . 2008-06-19 17:55 17,144 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-06-21 12:06 . 2008-06-21 12:06 <DIR> d-------- C:\Deckard
2008-06-21 10:34 . 2008-06-21 10:35 299 --a------ C:\WINDOWS\wininit.ini
2008-06-21 09:46 . 2008-06-23 08:19 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-21 09:46 . 2008-06-21 09:46 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-21 09:34 . 2008-06-21 09:34 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-21 09:34 . 2008-06-21 10:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-19 11:25 . 2008-06-19 11:25 1,293,606 --a------ C:\fm.jpg
2008-06-18 13:52 . 2008-06-18 13:52 56,268 --a------ C:\mariocat3.jpg
2008-06-18 13:52 . 2008-06-18 13:52 34,679 --a------ C:\mariocat2.jpg
2008-06-18 12:05 . 2008-06-18 12:05 19,786 --a------ C:\catmario.jpg
2008-06-18 09:40 . 2008-06-18 09:40 19,738 --a------ C:\mariocat.jpg
2008-06-17 23:06 . 2008-06-17 23:06 4,136 --a------ C:\default.jpg
2008-06-06 06:23 . 2008-06-06 06:23 <DIR> d-------- C:\Program Files\Apple Software Update
2008-05-30 09:27 . 2008-05-30 09:27 502,340 --a------ C:\Jennifer2006.jpg
2008-05-30 09:21 . 2008-05-30 09:21 451,722 --a------ C:\1827858-R1-034-15A.jpg
2008-05-30 09:21 . 2008-05-30 09:21 327,721 --a------ C:\1827858-R1-002-00A.jpg
2008-05-30 09:19 . 2008-05-30 09:19 565,027 --a------ C:\1725718-R1-024-10A.jpg
2008-05-30 09:19 . 2008-05-30 09:19 401,278 --a------ C:\1725717-R1-026-11A.jpg
2008-05-30 09:18 . 2008-05-30 09:18 409,510 --a------ C:\1725717-R1-026-11A (2).jpg

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-23 13:49 --------- d-----w C:\Documents and Settings\Mike\Application Data\AVG7
2008-06-21 14:45 --------- d-----w C:\Program Files\Spyware Doctor
2008-06-21 14:44 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-13 07:36 --------- d-----w C:\Program Files\PokerStars
.

((((((((((((((((((((((((((((( [email protected]_17.35.17.15 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-22 22:29:14 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-06-23 13:19:24 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-02-10 11:55 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-02-10 11:51 118784]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 17:48 32881]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 11:43 53248]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 20:12 221184]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [ ]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2004-08-27 02:10 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 16:27 385024]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2004-04-19 14:45 53248]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-03 17:56 188416]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 14:28 684032]
"!AVG Anti-Spyware"="C:\ASW\avgas.exe" [2007-06-11 04:25 6731312]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-18 08:33 579584]
"CTFMon"="C:\kl\ctfmon.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 04:22 267048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-15 00:10 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-12-09 16:24:46 113664]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2004-08-27 02:09:43 36953]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2004-08-11 04:22:40 757760]
Kodak software updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 16:12:08 16423]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 03:01:04 83360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-06-18 00:07:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-23 08:58:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-06-23 9:01:05
ComboFix-quarantined-files.txt 2008-06-23 14:00:02
ComboFix2.txt 2008-06-22 22:35:33

Pre-Run: 44,004,446,208 bytes free
Post-Run: 43,977,822,208 bytes free

177 --- E O F --- 2007-11-15 09:05:13



2. NEW HJT LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:12:06 AM, on 6/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\ASW\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\ASW\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\ASW\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CTFMon] C:\kl\ctfmon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\ASW\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 7696 bytes


3. OTMoveit completed
OTMoveitlog

< C:\Program Files\??mbols >
File/Folder C:\Program Files\??mbols not found.
< C:\Program Files\a?sembly >
File/Folder C:\Program Files\a?sembly not found.
< Purity >

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06232008_090335

4. Updated Java to: Java Runtime Environment (JRE) 6 Update 6
& deleted Java se v1.42_03



The computer has been running excellent. There are no more fake looking windows error screen (full screen error) There are no more hijacks of the background with spyware alerts. The appearance and screensaver tabs have returned to the properties right click. There have been no more IE pop ups. There have been no more "script error/switch to" warnings from IE. The "Bluescreensaver from freeware sysinternals has not come up.

The speed of the system seems greatly improved. On startup, Firefox will start up within 15-20 seconds of getting the desktop. Shutdown/restart happens within 30 seconds of the key press....this was taking sometimes several minutes to shutdown/restart. Everything seems to populate faster. I don't hear the hard drive running when I'm not doing anything.

The only thing I still see, is the program "Antivirus XP 2008" is still on the desktop, and this is something I did not install. The fake icon in the tray is gone, but the program is still on the desktop, and shows up in the add/remove programs. (I had tried to remove it prior to starting your instructions, and it would not remove).....I didn't want to even touch it, anywhere without your input.

OH, and those files on the C:\ the jennifer.jpg & Mariocat files were saved by us....however I do not recognize those numbered .jpg's....??? But I wouldn't put it past a certain member of the family to have saved and deleted something.

I do believe I owe you a song and dance at your (next) wedding, good sir. Thank you so very much for spending some time with me on this.

Let me know how things look to you, and what steps are next.

and, thank you once again, BHowett!!!!

**EDIT** Should I re-enable the tea-timer in spybot??

Edited by timbo428, 23 June 2008 - 09:05 AM.

  • 0

Advertisements


#11
BHowett

BHowett

    OT Moderator

  • Moderator
  • 4,642 posts
Hi timbo428,


The only thing I still see, is the program "Antivirus XP 2008" is still on the desktop, and this is something I did not install. The fake icon in the tray is gone, but the program is still on the desktop, and shows up in the add/remove programs. (I had tried to remove it prior to starting your instructions, and it would not remove)


Your logs are looking pretty good, I’m not seeing any indication of Antivirus XP 2008 in your logs at this point. See if you can uninstall it through add or remove programs.

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

Antivirus XP 2008

If that doesn’t work we can delete it manually. From your desk top Right Click on the icon, go to Properties and under the General tab, copy and paste the Location file path in your next reply.

===============================================

uninstall list

Please make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.

===============================================

ATF Cleaner

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

===============================================

Kaspersky WebScanner
please go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
===============================================


Needed in your next reply:

Uninstall list
Kaspersky WebScanner results
New HijackThis Log

And as always let me know how your system is running, and if you have any problems or questions. :)
  • 0

#12
timbo428

timbo428

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
BHowett, I don't know what I'd be doing without you....
Steps completed:

1. Antivirus XP 2008 seems to have been removed successfully with add/remove (this failed previously) I deleted in add/remove and deleted the icon on the desktop.
(Note: The "Freeware Sysinternals Blue screensaver" has not appeared either)

2. HijackThis uninstall list completed
(there looks like so much crud on this computer I need to remove)


ABBYY FineReader 5.0 Sprint
Adobe Acrobat 5.0
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Photoshop 7.0.1
AIM 6
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20030807.3)
Apple Mobile Device Support
Apple Software Update
AVG 7.5
AVG Anti-Spyware 7.5
Bonjour
Broadcom Management Programs
CCHelp
CCScore
CR2
DA920EN
EarthLink Setup Files
Easy CD Creator 5 Basic
ESSAdpt
ESSANUP
ESSBrwr
ESSCAM
ESSCDBK
ESScore
ESSCT
ESSEMAIL
ESSgui
ESShelp
ESSini
ESSPCD
ESSSONIC
ESSvpaht
ESSvpot
Get High Speed Internet!
HijackThis 2.0.2
HLPCCTR
HLPIndex
HLPSFO
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB926239)
hp deskjet 3320 series (Remove only)
Intel® 537EP V9x DF PCI Modem
Intel® Extreme Graphics Driver
InterActual Player
Internet Explorer Default Page
IrfanView (remove only)
iTunes
Jasc Paint Shop Photo Album
Jasc Paint Shop Pro 8 Dell Edition
Java™ 6 Update 6
Kodak EasyShare software
KSU
Learn2 Player (Uninstall Only)
LiveUpdate 2.0 (Symantec Corporation)
Malwarebytes' Anti-Malware
MegaCam
Microsoft .NET Framework 1.1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Encarta Encyclopedia Standard 2004
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft Office XP Media Content
Microsoft Office XP Standard for Students and Teachers
Microsoft User-Mode Driver Framework Feature Pack 1.0
Modem Event Monitor
Modem Helper
Modem On Hold
Mozilla Firefox (2.0.0.14)
MSN Music Assistant
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MUSICMATCH® Jukebox
Notifier
OfotoXMI
OTtBP
OTtBPSDK
Panda ActiveScan 2.0
PCDLNCH
Personal Ancestral File 5
PokerStars
PowerDVD 5.1
QuickTime
RealPlayer Basic
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB943460)
SFR
SFR2
Shockwave
SimCity 4 Deluxe
Spybot - Search & Destroy
SRS Audio Sandbox
Type Fonts and Sound Clips-Wave
upapp
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
VCAMCEN
Viewpoint Media Player
VPRINTOL
Wal-Mart Digital Photo Manager
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Load Simulator 9 Series
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WordPerfect Office 12


3. ATF Cleaner downloaded and completed as instructed


4. Kaspersky Scan log

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, June 23, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, June 23, 2008 13:48:15
Records in database: 880580
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 68197
Threat name: 5
Infected objects: 9
Suspicious objects: 0
Duration of the scan: 01:20:17


File name / Threat name / Threats count
C:\Deckard\System Scanner\20080622141543\backup\DOCUME~1\Mike\LOCALS~1\Temp\.tt1ED.tmp Infected: Trojan.Win32.Pakes.czg 1
C:\Documents and Settings\Guest\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0e0e-24b9ea90.zip Infected: Trojan-Downloader.Java.Agent.f 1
C:\Documents and Settings\Guest\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-6b26dca8-55a2985c.zip Infected: Trojan-Downloader.Java.Agent.f 1
C:\Documents and Settings\Mike\Desktop\SmitfraudFix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\QooBox\Quarantine\C\Program Files\ASEMBL~1\Š°ti2evxx.exe.vir Infected: not-a-virus:AdWare.Win32.PurityScan.gs 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP16\A0003439.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gs 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP16\A0003526.exe Infected: not-a-virus:Monitor.Win32.FamilyKeyLogger.280 3

The selected area was scanned.


5. New HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:34:56 PM, on 6/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\ASW\guard.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\ASW\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\ASW\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CTFMon] C:\kl\ctfmon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\ASW\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 7647 bytes


Things seem as before, working great. No pop ups/false messages/unknown programs showing up. The scans today said there were infected/suspicious, so I guess I am a bit premature saying "all better"....but there is nothing presenting itself in operation of the computer.

Only question: Should I re-enable tea-timer in spybot?

Most importantly, thank you for your time spent, BHowett. The scanning and such I was doing previously was having little to no effect....things certainly wouldn't be getting any better. How do the scans look? I am the proverbial blinking cursor....awaiting command.

I really cannot say it enough, THANK YOU BHowett!

-Timbo428
  • 0

#13
BHowett

BHowett

    OT Moderator

  • Moderator
  • 4,642 posts
Hi timbo,

Looking good but we have just a little clean up to do still, most of what was found was in quarantine or system restore, and we are going to clean them out next. Also when you complete this set of instructions you will be clean, so when you’re finished you can re-enable tea-timer.

OTMoveIt2 by OldTimer


  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Documents and Settings\Guest\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0e0e-24b9ea90.zip 
    C:\Documents and Settings\Guest\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-6b26dca8-55a2985c.zip 
    C:\Documents and Settings\Mike\Desktop\SmitfraudFix
    C:\Deckard
    Purity
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

===============================================

ComboFix Removal
Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    Posted Image

===============================================

OTCleanIt



Download OTCleanit
Save it to your Desktop.

  • Double-click on OTCleanIt.exe to run
  • Click on the CleanUp! button
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You may be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

===============================================

Reset your restore points

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.


===============================================

This is my standard post for when you are clear - which you now are - or seem to be. Please advise me of any problems you still have. I know you have some of the listed items so just choose what you need. I just like to post them incase you ever need them or want to change them.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Posted Image 1.) Watch what you download!
Many freeware programs, and P2P programs like Grokster, Imesh, Kazaa and others are amongst the most notorious, come with an enormous amount of bundled spyware that will eat system resources, slow down your system, clash with other installed software, or just plain crash your browser or even Windows itself. If you insist on using a P2P program, please read This Article written by Mike Healan of Spywareinfo.com fame. It is an updated and comprehensive article that gives in-depth detail about which P2P programs are "safe" to use.

Posted Image 2.) Go to Intenet Explorer > Tools > Windows Update > Product Updates, and install ALL High-Priority Security Updates listed. If you're running Windows XP, that of course includes the Service Pack 2! If you suspect your computer is infected with Malware of any type, we advise you to not install SP2 if you don't already have it. You can post a HijackThis log on our Forums to get free Expert help cleaning your machine. Once you are sure you have a clean system, it is highly recommended to install SP2 to help prevent against future infections.

It's important to always keep current with the latest security fixes from Microsoft.
Install those patches for Internet Explorer, and make sure your installation of Java VM is up-to-date. There are some well known security bugs with Microsoft Java VM which are exploited regularly by browser hijackers.

Posted Image 3.) Open Intenet Explorer and go to Internet Options > Security > Internet, then press "Default Level", then OK. Now press "Custom Level." In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".

Now you will be asked whether you want ActiveX objects to be executed and whether you want software to be installed.
Sites that you know for sure are above suspicion can be moved to the Trusted Zone in Internet Option > Security.

So why is ActiveX so dangerous that you have to increase the security for it?
When your browser runs an activex control, it is running an executable program. It's no different from doubleclicking an exe file on your hard drive.
Would you run just any random file downloaded off a web site without knowing what it is and what it does?

Posted Image 4.) Install Javacool's SpywareBlaster

It will protect you from most spy/foistware in it's database by blocking installation of their ActiveX objects.

Download and install, download the latest updates, and you'll see a list of all spyware programs covered by the program (NOTE: this is NOT spyware found on your computer) Press "Enable All Protection", and you're done.
The spyware that you told Spywareblaster to set the "kill bit" for won't be a hazard to you any longer. Although it won't protect you from every form of spyware known to man, it is a very potent extra layer of protection.
Don't forget to check for updates every week or so.

Posted Image 5.) Let's also not forget that Spybot Search & Destroy has the Immunize feature which works roughly the same way. Another feature within Spybot is the TeaTimer option. This option immediately detects known malicious processes wanting to start and terminates them. TeaTimer also detects when something wants to change some critical registry keys and gives you an option to allow them or not.

Posted Image 6.) Microsoft now offers their own free malicious software blocking tool. Windows Defender improves Internet browsing safety by guarding over fifty (50) ways spyware can enter your PC.

Posted Image 7.) Another excellent program by Javacool we recommend is SpywareGuard.
It provides a degree of real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method.

Posted Image 8.) IE-SPYAD puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. Another good hosts program is mvpshosts. This little program packs a powerful punch as it block ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial.

*It is important to note that all of the above programs/files can be run simultaneously on your system. They will work together in layers, so to speak, to help protect your computer. However, the following suggestions are designed to only run one of each. It is not a good idea to run more than one firewall, and one anti-virus program. Running more than one of these at a time can cause system crashes, high system usage and/or conflicts with each other.*

Posted Image 9.) It is critical that you use a firewall to protect your computer from hackers. We don't recommend the firewall that comes built in to Windows. It doesn't block everything that may try to get in, and the entire firewall is written to the registry. As various kinds of malware hack the Registry in order to disable the Windows firewall, it's far preferable to install one of the excellent third party solutions. Three good ones that are freeware to boot are ZoneAlarm, Kerio and Sygate

Posted Image 10.) An Anti-Virus product is a necessity. There are many excellent programs that you can purchase. However, we choose to advocate the use of free programs whenever possible. Some very good and easy-to-use free A/V programs are AVG, Avast, and AntiVir. It's a good idea to set these to receive automatic updates so you are always as fully protected as possible from the newest virus threats.

NOTE: DO NOT install more than one anti-virus program. They will conflict, and provide less protection, not more.


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Thanks for letting us help you!
  • 0

#14
timbo428

timbo428

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
BHowett, thank you so much for your help. Even though you didn't ask, I am posting a HJT log from today.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:45:21 AM, on 6/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\ASW\avgas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\ASW\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\ASW\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CTFMon] C:\kl\ctfmon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\ASW\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 7660 bytes


I hope that everything looks okay. I really didn't want to delete those programs in case I ever need them again, but thought I'd just follow your instructions...everything was completed. I guess I can get them again should I ever need them.

Computer seems like new. Nothing to report!!...not a thing! :) I was told to give you a thanks from my lady, as well. Thanks BHowett. I don't know how this rated on the infection scale... but with your help, all seems well.

-Timbo428
  • 0

#15
BHowett

BHowett

    OT Moderator

  • Moderator
  • 4,642 posts
Hi timbo428,


I hope that everything looks okay. I really didn't want to delete those programs in case I ever need them again, but thought I'd just follow your instructions...everything was completed. I guess I can get them again should I ever need them.

Computer seems like new. Nothing to report!!...not a thing! I was told to give you a thanks from my lady, as well. Thanks BHowett. I don't know how this rated on the infection scale... but with your help, all seems well.



Everything looks good :) . The reason we have you remove the programs is because they are very powerful. You have only seen a fraction of what they can do, and they should only be used under the supervision of a trained helper, it wouldn’t take but one or two mistakes that could leave you system completely useless :) . If you ever need help again just come on back to Geeks to Go and we will get it straight.

Also I would like to say you’re welcome, and be sure to relay that to your lady as well. I’m glad I could help….. Have a look around the site, and check out all the other forums. There are lots of good people, and information here


I do believe I owe you a song and dance at your (next) wedding, good sir.



I don’t foresee there being a next wedding, the wife’s not having that :) . Maybe the son’s wedding?

Anyway it was a pleasure working with you, be safe and see you around :)
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP