Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

logfile for trying to remove Smitfraud-C and spyaxe

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

logfile for trying to remove Smitfraud-C and spyaxe

Unread postby masterofclocks » December 7th, 2005, 6:33 pm

Here is my logfile for trying to remove smitfraud-C and spyaxe, I contracted it a couple of days ago, and smitfraud-c cannot be removed by spybot, and spyaxe keeps popping back up.
Thanks for helping.


Logfile of HijackThis v1.99.1
Scan saved at 4:26:36 PM, on 12/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mssearchnet.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Ian\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: HomepageBHO - {724510c3-f3c8-4fb7-879a-d99f29008a2f} - C:\WINDOWS\system32\hpC159.tmp
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll (file missing)
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
masterofclocks
Active Member
 
Posts: 10
Joined: December 7th, 2005, 6:02 pm
Advertisement
Register to Remove

Unread postby Linkmaster » December 7th, 2005, 9:26 pm

Hi masterofclocks, Welcome to MalWare Removal !!

I am working on your log. As soon as a MR Staff Member reviews my fix, I will post it for you.
Thank you for being patient
User avatar
Linkmaster
MRU Honors Grad Emeritus
 
Posts: 822
Joined: October 7th, 2005, 5:57 am
Location: Arkansas, USA

no problem

Unread postby masterofclocks » December 7th, 2005, 10:07 pm

No problem, thank you very much.
masterofclocks
Active Member
 
Posts: 10
Joined: December 7th, 2005, 6:02 pm

Unread postby Linkmaster » December 8th, 2005, 7:27 am

You may wish to print out a copy of these instructions to follow while you complete this procedure

Please create a folder on your C:\ drive for HijackThis and give it a name( example:HJT), move the HijackThis.exe to that folder. Run the program from that directory from now on. HijackThis creates backups, these are needed in case of any recovery issues, having its own folder will keep these backups

Go to Start, ControlPanel, Add/Remove Programs and uninstall the following : (if present)

MyWay
MyWaySA
MyWay SearchBar


I need you to download some programs to aide in our fix :Do Not Run Them Yet

Download smitRem.exe© by noahdfear and save the file to your desktop.
Double- click it to extract it to it's own folder on the desktop.

Download and Install Ad-aware SE© by Lavasoft
NOTE: If you have a previous version of Ad-Aware installed, during the installation of the new version (1.06) you will be prompted to uninstall or keep the older version - be sure to uninstall the previous version.
Close ALL windows except Ad-Aware SE.

Click on the world icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.
Close Adaware SE

Place a shortcut to Panda ActiveScan on your desktop

Download and Install Ewido Security Suite© by Ewido Networks
When installing, under "Additional Options" uncheck :

"Install background guard"
"Install scan via context menu"


Launch Ewido, there should be an icon on your desktop double-click it.
The program will now go to the main screen
You will need to update Ewido to the latest definition files.
On the left hand side of the main screen click update
Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update ewido.
Ewido Manual Updates

Reboot to Safe mode
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear.
Select the Safe Mode option and press Enter.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put a check mark in the boxes, only next to these following items : (if present)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://bfc.myway.com/search/de_srchlft.html
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)

O2 - BHO: HomepageBHO - {724510c3-f3c8-4fb7-879a-d99f29008a2f} - C:\WINDOWS\system32\hpC159.tmp


Click Fix Checked

Run smitRem.exe
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, (usually Local Disk C: or partition where your operating system is installed)

Run Ad-aware SE
Click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window:

In the General window make sure the following are selected in green:

Under Safety:
Automatically save log-file
Automatically quarantine objects prior to removal
Safe Mode (always request confirmation)

Under Definitions:
Prompt to update outdated definitions - set the number of days
Click on the ‘Scanning’ button on the left and select in green:

Under Driver, Folders & Files:
Scan Within Archives

Under Select drives & folders to scan:
Choose all hard drives

Under Memory & Registry:all green
Scan Active Processes
Scan Registry
Deep Scan Registry
Scan my IE favorites for banned URL’s
Scan my Hosts file

Click on the ‘Advanced’ button on the left and select in green:

Under Shell Integration:
Move deleted files to recycle bin

Under Logfile Detail Level:all green
include addtional object information
DESELECT - include negligible objects information
include environment information

Under Alternate Data Streams:
Don't log streams smaller than 0 bytes
Don't log ADS with the following names: CA_INOCULATEIT

Click the ‘Tweak’ button and select in green:

Under Scanning Engine:
Unload recognized processes during scanning
Scan registry for all users instead of current user only

Under Cleaning Engine:
Let Windows remove files in use at next reboot

Under Log Files:
Include basic Ad-aware SE settings in logfile
Include additional Ad-aware SE settings in logfile
Please do not check: Include Module list in logfile

Click on Proceed to save the settings.

Click Start

Choose Perform Full System Scan

DESELECT "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.

Click Next and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.

If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window

Click on Next and check all the boxes in the window

Click next and OK to remove

Close AdawareSE

Run Ewido Security Suite
Click on scanner
Click on Complete System Scan and the scan will begin.
NOTE:During some scans with ewido it is finding cases of false positives.
**See Below**

**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")

You will need to step through the process of cleaning files one-by-one.
If Ewido detects a file you KNOW to be legitimate, select none as the action.
DO NOT select "Perform action on all infections"
If you are unsure of any entry found select none for now.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop.
Now close Ewido Security Suite.

Open Windows Explorer, locate and Delete the following folders in BOLD : (if present)

C:\Program Files\MyWaySA

Next go to Control Panel, Display, Desktop, Customize Desktop, Web, Uncheck Security Info if present

Reboot into Normal Mode

Run Panda's ActiveScan and perform a full system scan.
Once you are on the Panda site click the Scan your PC button
A new window will open...click the big Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It will take a couple minutes)
Click on Local Disks to start the scan
Save the results

Reboot , run HijackThis and post a fresh HijackThis log, Ewido log,smitfiles.txt file and the Panda Active Scan results here
User avatar
Linkmaster
MRU Honors Grad Emeritus
 
Posts: 822
Joined: October 7th, 2005, 5:57 am
Location: Arkansas, USA

i have run everything

Unread postby masterofclocks » December 9th, 2005, 4:21 am

Hello linkmaster,
I finally had a chance to run everything and it looks good for now. Panda did not come up with anything so there was no log report, and the rest are below. Thank you very much for helping me out. Is there anything I can do to prevent this from happening again?
Sincerely,
masterofclocks

Logfile of HijackThis v1.99.1
Scan saved at 2:17:55 AM, on 12/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.dell4me.com/myway
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program

files\mcafee\spamkiller\mcapfbho.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} -

c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program

Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe

SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

-startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common

Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100

Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat

7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online

9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common

Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program

Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program

Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program

Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program

files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter -

{39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program

Files\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program

Files\AIM\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program

Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} -

C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -

C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) -

http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -

http://acs.pandasoftware.com/activescan ... asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. -

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program

Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. -

C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program

files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. -

c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc -

c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc -

C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation -

C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. -

C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program

Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program

Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner -

C:\WINDOWS\System32\wltrysvc.exe





smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Thu 12/08/2005
The current time is: 23:25:57.81

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!

spyaxe uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1628 'explorer.exe'

Starting registry repairs

Deleting files


Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :)



---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 1:05:29 AM, 12/9/2005
+ Report-Checksum: 405ED331

+ Scan result:

C:\Program Files\HijackThis\backups\backup-20051208-210746-476.dll -> Downloader.Zlob.cf : Ignored
:mozilla.14:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\1zuejth1.Default User\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\1zuejth1.Default User\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\1zuejth1.Default User\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\1zuejth1.Default User\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\1zuejth1.Default User\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\1zuejth1.Default User\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\1zuejth1.Default User\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\1zuejth1.Default User\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\1zuejth1.Default User\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\1zuejth1.Default User\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\1zuejth1.Default User\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\1zuejth1.Default User\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\1zuejth1.Default User\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\1zuejth1.Default User\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\1zuejth1.Default User\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\1zuejth1.Default User\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\1zuejth1.Default User\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\1zuejth1.Default User\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\1zuejth1.Default User\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.70:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\1zuejth1.Default User\cookies.txt -> Spyware.Cookie.Ivwbox : Cleaned with backup
:mozilla.94:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\1zuejth1.Default User\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.95:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\1zuejth1.Default User\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.96:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\1zuejth1.Default User\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.97:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\1zuejth1.Default User\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.111:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\1zuejth1.Default User\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.112:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\1zuejth1.Default User\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.6:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.7:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.75:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.78:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.79:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.87:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.88:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.112:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.113:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.114:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.115:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.299:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.323:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
:mozilla.324:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
:mozilla.325:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.326:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.345:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.346:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.347:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.348:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.349:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.365:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.366:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.389:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.390:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.391:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.392:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.393:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.394:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Trafic : Cleaned with backup
:mozilla.396:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.397:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.398:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.399:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.400:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.401:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.402:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.403:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.423:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.455:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.456:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.457:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.458:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.459:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.466:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.467:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.468:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.469:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.470:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.471:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.474:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.475:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.476:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.481:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.541:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.542:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.555:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
:mozilla.566:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
:mozilla.587:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.588:C:\Documents and Settings\Ian\Application Data\Mozilla\Firefox\Profiles\o1zuzxwh.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
C:\Documents and Settings\Ian\Cookies\ian@image.masterstats[1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Ian\Cookies\ian@northwestairlines.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup


::Report End



Ciao
masterofclocks
Active Member
 
Posts: 10
Joined: December 7th, 2005, 6:02 pm

hello again

Unread postby masterofclocks » December 9th, 2005, 4:33 am

Hello Linkmaster,
I just ran Spybot search and destroy after having run everything, and it still came up that smitfraud-c was still in my system and that it was still in my memory. It does not appear that anything is wrong and the popup is not there (at least not right now). Is this a bad sign, or is this just a minor problem.
Thanks
masterofclocks
Active Member
 
Posts: 10
Joined: December 7th, 2005, 6:02 pm

Unread postby Linkmaster » December 9th, 2005, 8:05 am

Premature post before having Expert check BRB
User avatar
Linkmaster
MRU Honors Grad Emeritus
 
Posts: 822
Joined: October 7th, 2005, 5:57 am
Location: Arkansas, USA

sorry about that

Unread postby masterofclocks » December 9th, 2005, 9:27 pm

ok, sounds good
masterofclocks
Active Member
 
Posts: 10
Joined: December 7th, 2005, 6:02 pm

Unread postby Linkmaster » December 9th, 2005, 10:45 pm

Lets do a couple of other things here :

Show Hidden Files :
Click Start
Open My Computer
Select the Tools menu and click Folder Options
Select the View Tab
Under the Hidden files and folders heading select Show hidden files and folders
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK

Empty any quarantined files in Spybot

Download and Install CCleaner© by CCleaner.com

SETUP
DO NOT USE THE ISSUES FEATURE!!!!
Open CCleaner
Options, Advanced: Uncheck "Only delete files in Windows Temp folders older than 48 hours" (for cleaning malware files!)

Options, Settings: Check "Run CCleaner when system starts" (optional)
Options, Settings: Check "Add 'Run Cleaner' option to Recycle Bin context menu" (optional)

To clean your machine, it is highly recommended that you clean the following directory contents (but not the directory folder):

Options>CustomFolders>Add Folder>Navigate to these folders (click on bold folder once and hit OK) :
(Depending on Operating System and/or Browser, some of the following folders may not be present)
* C:\Windows\Temp
* C:\Windows\Prefetch
* C:\Windows\System32\config\systemprofile\cookies
* C:\Windows\System32\config\systemprofile\localsettings\Temp
* C:\Windows\System32\config\systemprofile\localsettings\Temporary Internet Files
* C:\Program Files\Firefox\Profiles\<user>\<num>\Cache
* C:\Program Files\Opera\Cache4
* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files (This will delete all your cached internet content including cookies.)
* C:\Documents and Settings\<Your Profile>\Local Settings\Temp
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp
* C:\Documents and Settings\<user>\Application Data\Firefox\Profiles\<user>\<num>\Cache
* C:\Documents and Settings\<Your Profile>\Cookies
* C:\Documents and Settings\<Any other users Profile>\Cookies
Hit OK
In left pane, scroll down to "Advanced, Custom Folders", put a check in Custom Folders
Then click on Run Cleaner
Put check in box to not show message again.
It will automatically clean.

Close out CCleaner.

**Turn off System Restore**
On the Desktop, right-click My Computer
Click Properties
Click the System Restore tab.
Check "Turn off System Restore"
Click Apply, then click OK and Reboot

**Turn ON System Restore**
On the Desktop, right-click My Computer
Click Properties
Click the System Restore tab.
UN-Check "Turn off System Restore"
Click Apply, then click OK and Reboot

How is your system running now ?? 8)
User avatar
Linkmaster
MRU Honors Grad Emeritus
 
Posts: 822
Joined: October 7th, 2005, 5:57 am
Location: Arkansas, USA

need more options

Unread postby masterofclocks » December 10th, 2005, 1:51 am

Hello Linkmaster,
I ran the Ccleaner, but smitfraud-c still showed up on spybot after i did the system restore reboot. What shall we do next?
sincerely,
masterofclocks
masterofclocks
Active Member
 
Posts: 10
Joined: December 7th, 2005, 6:02 pm

Unread postby Linkmaster » December 10th, 2005, 10:55 am

Where exactly does Spybot say the file that is infected is located ??

OK here's what we do :

Download Silent Runners© by Andrew Aronoff
Save it to the desktop.
Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
You will receive a prompt:
Do you want to skip supplementary searches? click NO
You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run
Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here
User avatar
Linkmaster
MRU Honors Grad Emeritus
 
Posts: 822
Joined: October 7th, 2005, 5:57 am
Location: Arkansas, USA

more tests

Unread postby masterofclocks » December 10th, 2005, 7:40 pm

Hello Linkmaster,
When I run spybot, it comes up with Avenue A, Inc., DoubleClick, Hitbox, Mediaplex, Webtrends Live, and Smitfraud-C everytime. When I click fix selected problems, all problems are fixed except for Smitfraud-C which it says is running in memory and cannot be deleted. The user setting for it is:

Hkey_users\S-1-5-21-3274235765-2824831183-2081992148-1006\software
\Microsoft\Windows\CurrentVersion\InternetSettings\zonemap\Domains
\freespycaom.net\*!=W=4

And here is the silent runner:

"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"DellSupport" = ""C:\Program Files\Dell Support\DSAgnt.exe" /startup" ["Gteko Ltd."]
"AIM" = "C:\Program Files\AIM\aim.exe -cnetwait.odl" ["America Online, Inc."]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"Yahoo! Pager" = "C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet" ["Yahoo! Inc."]
"ccleaner" = ""C:\Program Files\CCleaner\ccleaner.exe" /AUTO" ["CCleaner.com"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"IgfxTray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]
"SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe" [null data]
"SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"PRONoMgrWired" = "C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" ["Intel(R) Corporation"]
"Dell QuickSet" = "C:\Program Files\Dell\QuickSet\quickset.exe" [empty string]
"Dell Wireless Manager UI" = "C:\WINDOWS\system32\WLTRAY" ["Dell Inc"]
"DVDLauncher" = ""C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"" ["CyberLink Corp."]
"mmtask" = "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" ["Musicmatch Inc."]
"RealTray" = "C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER" ["RealNetworks, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"dla" = "C:\WINDOWS\system32\dla\tfswctrl.exe" ["Sonic Solutions"]
"ISUSPM Startup" = "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup" ["InstallShield Software Corporation"]
"ISUSScheduler" = ""C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start" ["InstallShield Software Corporation"]
"DMXLauncher" = "C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [null data]
"VSOCheckTask" = ""C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask" ["McAfee, Inc."]
"MCAgentExe" = "c:\PROGRA~1\mcafee.com\agent\mcagent.exe" ["McAfee, Inc"]
"MCUpdateExe" = "c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" ["McAfee, Inc"]
"VirusScan Online" = "C:\Program Files\McAfee.com\VSO\mcvsshld.exe" ["McAfee, Inc."]
"MPSExe" = "c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding" ["McAfee, Inc."]
"MSKAGENTEXE" = "C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" ["McAfee Inc."]
"MSKDetectorExe" = "C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup" ["McAfee, Inc."]
"type32" = ""C:\Program Files\Microsoft IntelliType Pro\type32.exe"" [MS]
"OASClnt" = "C:\Program Files\McAfee.com\VSO\oasclnt.exe" ["McAfee, Inc."]
"REGSHAVE" = "C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN" ["FUJI PHOTO FILM CO., LTD."]
"Lexmark X5100 Series" = ""C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"" ["Lexmark International, Inc."]
"Creative WebCam Tray" = "C:\Program Files\Creative\Shared Files\CAMTRAY.EXE" ["Creative Technology Ltd"]
"MPFExe" = "C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" ["McAfee Security"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{41D68ED8-4CFF-4115-88A6-6EBB8AF19000}\(Default) = "McAfee AntiPhishing Filter" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\mcafee\spamkiller\mcapfbho.dll" ["McAfee, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{7D5C4BDD-B015-4401-8731-1507B87DE297}" = "QBVersionTool"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Intuit\QuickBooks\QBVersionTool.dll" ["Intuit, Inc."]
"{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" [file not found]
"{97FA8AA2-EE77-4FF2-9449-424D8924EF21}" = "IntelliType Pro Zooming Control Panel Property Page"
-> {CLSID}\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliType Pro\itcplzm.dll"" [MS]
"{111D8120-25EB-4E1C-A4DF-C9EE5FCA35CB}" = "IntelliType Pro Scrolling Control Panel Property Page"
-> {CLSID}\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliType Pro\itcplwhl.dll"" [MS]
"{ED6E87C6-8A83-43aa-8208-8DBC8247F4D2}" = "IntelliType Pro Key Settings Control Panel Property Page"
-> {CLSID}\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliType Pro\itcplkey.dll"" [MS]
"{A2569D1F-4E06-43EC-9825-0088B471BE47}" = "IntelliType Pro Wireless Control Panel Property Page"
-> {CLSID}\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliType Pro\itcplwir.dll"" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MI1933~1\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MI1933~1\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\Firefox Wallpaper.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]


Startup items in "Ian" & "All Users" startup folders:
-----------------------------------------------------

C:\Documents and Settings\Ian\Start Menu\Programs\Startup
"HotSync Manager" -> shortcut to: "C:\Program Files\palmOne\HOTSYNC.EXE" ["Palm, Inc."]
INFECTION WARNING! "PowerReg Scheduler.exe" [empty string]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"America Online 9.0 Tray Icon" -> shortcut to: "C:\Program Files\America Online 9.0\aoltray.exe -check" ["America Online, Inc."]
"Digital Line Detect" -> shortcut to: "C:\Program Files\Digital Line Detect\DLG.exe" ["BVRP Software"]
"Exif Launcher" -> shortcut to: "C:\Program Files\FinePixViewer\QuickDCF.exe" ["FUJI PHOTO FILM CO., LTD."]
"QuickBooks Update Agent" -> shortcut to: "C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe" ["Intuit, Inc."]


Enabled Scheduled Tasks:
------------------------

"McAfee.com Scan for Viruses - My Computer (DJXM4281-Ian)" -> launches: "c:\program files\mcafee.com\vso\mcmnhdlr.exe /runtask:0" ["McAfee, Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\WINDOWS\system32\mclsp.dll ["McAfee, Inc."], 01 - 15, 31
%SystemRoot%\system32\mswsock.dll [MS], 16 - 18, 21 - 30
%SystemRoot%\system32\rsvpsp.dll [MS], 19 - 20


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{BA52B914-B692-46C4-B683-905236F6F655}" = "McAfee VirusScan"
-> {CLSID}\InProcServer32\(Default) = "c:\progra~1\mcafee.com\vso\mcvsshl.dll" ["McAfee, Inc."]

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll" ["Yahoo! Inc."]

{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\ = "Real.com" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Shdocvw.dll" [MS]

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\ = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{39FD89BF-D3F1-45B6-BB56-3582CCF489E1}\
"MenuText" = "McAfee AntiPhishing Filter"
"CLSIDExtension" = "{7DD73374-7187-4103-8F29-622AA25E7C40}"
-> {CLSID}\InProcServer32\(Default) = "c:\program files\mcafee\spamkiller\mcapfbho.dll" ["McAfee, Inc."]

{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\
"ButtonText" = "Yahoo! Services"
"CLSIDExtension" = "{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll" [file not found]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."]

{B13B4423-2647-4CFC-A4B3-C7D56CB83487}\
"ButtonText" = "Share in Hello"
"MenuText" = "Share in H&ello"
"CLSIDExtension" = "{B13B4423-2647-4cfc-A4B3-C7D56CB83487}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Hello\PicasaCapture.dll" ["Picasa, Inc."]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AOL Connectivity Service, AOL ACS, "C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe" ["America Online, Inc."]
Dell Wireless WLAN Tray Service, wltrysvc, "C:\WINDOWS\System32\wltrysvc.exe C:\WINDOWS\System32\bcmwltry.exe" [null data]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
HTTP SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"C:\WINDOWS\System32\w3ssl.dll" [MS]}
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
McAfee Personal Firewall Service, MpfService, "C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe" ["McAfee Corporation"]
McAfee SpamKiller Server, MskService, "C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe" ["McAfee Inc."]
McAfee Task Scheduler, McTskshd.exe, "c:\PROGRA~1\mcafee.com\agent\mctskshd.exe" ["McAfee, Inc"]
McAfee WSC Integration, McDetect.exe, "c:\program files\mcafee.com\agent\mcdetect.exe" ["McAfee, Inc"]
McAfee.com McShield, McShield, "c:\PROGRA~1\mcafee.com\vso\mcshield.exe" ["McAfee Inc."]
NICCONFIGSVC, NICCONFIGSVC, "C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe" ["Dell Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
5200 Series Port\Driver = "lxbtlmpm.DLL" [file not found]
Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 54 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 11 seconds.
---------- (total run time: 101 seconds)
masterofclocks
Active Member
 
Posts: 10
Joined: December 7th, 2005, 6:02 pm

Unread postby Linkmaster » December 11th, 2005, 1:58 pm

Hkey_users\S-1-5-21-3274235765-2824831183-2081992148-1006\software
\Microsoft\Windows\CurrentVersion\InternetSettings\zonemap\Domains
\freespycaom.net\*!=W=4


I am thinking this may be a False Positive from Spybot ! The Silent Runners log looks OK.
Stubborn little bugger !!

Download DelDomains© by WinHelp2002 and save it to your desktop
Right click on DelDomains.inf and select Install (no need to restart)
Note: Because this will remove all entries in both the Trusted Zone and the Restricted Zone, any program, tool, or settings that were previously used to set restrictions will need to be reset :
Examples: (if these are being used),
IE-SPYADS will have to be reinstalled
Spybot's "Immunize" feature is used, you will need to re-immunize
SpywareBlaster's "Enable all protection" feature will have to be re-enabled
User avatar
Linkmaster
MRU Honors Grad Emeritus
 
Posts: 822
Joined: October 7th, 2005, 5:57 am
Location: Arkansas, USA

Unread postby masterofclocks » December 15th, 2005, 6:50 pm

Hello,
Sorry its taken me so long, i have been busy with finals. I cannot download deldomains.inf as the link just goes to a text page.
:( \
masterofclocks
masterofclocks
Active Member
 
Posts: 10
Joined: December 7th, 2005, 6:02 pm

Unread postby Linkmaster » December 15th, 2005, 9:28 pm

That's OK!! my son is doing the same !!

Hmmm I can get the download box, OK try this:

Right click on the link and "Save Target As" and put it in a file Then run it
User avatar
Linkmaster
MRU Honors Grad Emeritus
 
Posts: 822
Joined: October 7th, 2005, 5:57 am
Location: Arkansas, USA
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 104 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware