
Ghosts in the Machine


Post by Duece » November 10th, 2007, 4:03 am

Hello. I truly admire the work you and your team do. I had no idea swatting bugs was this involved, nor that a group like yours exists, but here I am. My computer has these symptoms: 1. I can't get rid of this false security alert popping up from the mouseover that only sends me to advertising sites or, worse, invades my screen with pop-ups if I do nothing. 2. My background for my default desktop is tainted with warning messages about privacy invasions, and who knows what else has been corrupted that I don't see. I have cured many maladies over the past week but I still need more help. I resolved the disappearing control panel issue, removed a bunch of unnecessary software, I'm moving much faster and I currently run Trend Micro Security Pro antivirus/firewall. I won't be satisfied until all the bugs are gone for good! Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:50:12 AM, on 11/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\vvgeowbv.exe
C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark 7300 Series\ezprint.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\Dependent\HSChkProxyExe.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\Documents and Settings\BOSS\Desktop\HiJackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\vvgeowbv.exe,C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {A6E432B4-D4C2-43B3-BF55-C364F8F7362A} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O2 - BHO: Voice Soft - {C222CF73-124F-3562-44AC-E685D962C63C} - C:\WINDOWS\Media\sendmail.dll
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LXCICATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCItime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcimon.exe] "C:\Program Files\Lexmark 7300 Series\lxcimon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7300 Series\ezprint.exe"
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [Aida] "C:\DOCUME~1\LOCALS~1\MYDOCU~1\YSTEM3~1\spool32.exe" -vt yazb (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Aida] "C:\DOCUME~1\LOCALS~1\MYDOCU~1\YSTEM3~1\spool32.exe" -vt yazb (User 'Default user')
O4 - S-1-5-19 Startup: .protected (User 'LOCAL SERVICE')
O4 - S-1-5-18 Startup: .protected (User 'SYSTEM')
O4 - .DEFAULT Startup: .protected (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: TruePass EPF 7,0,100,684 - https://tesp.isac.org/TruePassSampleToo ... et-epf.cab
O16 - DPF: Yahoo! Chess - http://download2.games.yahoo.com/games/ ... /ct5_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testge ... nstall.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 3929133187
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 3929121625
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/Pe ... lAsst2.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install ... stallX.CAB
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\skuns.dat
O21 - SSODL: MailExport - {C222CF73-124F-3562-44AC-E685D962C63C} - C:\WINDOWS\Media\sendmail.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

--
End of file - 11091 bytes
Duece
Regular Member
 
Posts: 26
Joined: November 10th, 2007, 3:44 am

Post by km2357 » November 10th, 2007, 7:03 pm

Hello and welcome to The Malware Removal Forum.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

Since I am still in training, I have to let experts check the content of my fixes before I post them so please be patient.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.


I will be back as soon as possible with your first instructions!
km2357
MRU Master
 
Posts: 3204
Joined: January 30th, 2007, 2:48 pm
Location: California

Post by Duece » November 10th, 2007, 8:10 pm

Thank you. I will await your instructions. Just a quick update, I may have spoken too soon. My original user account had administrative privileges but now it is gone again. The control panel has mysteriously disappeared. However, I was able to backdoor the issue by opening in safe mode and establishing a new user account. Although this is just a temporary remedy, I would like to return my computer to normal. Thanks again.
Duece
Regular Member
 
Posts: 26
Joined: November 10th, 2007, 3:44 am

Post by Duece » November 10th, 2007, 10:18 pm

HERE IS MY UNINSTALL LIST:

Adobe Flash Player ActiveX
Adobe Reader 7.0.9
AT&T Yahoo! Applications
Broadcom Advanced Control Suite
Conexant SmartHSFi V92 56K DF PCI Modem
DAO
Dell Picture Studio - Dell Image Expert
Dell Solution Center
Dell Support
Digital Line Detect
DVDSentry
Easy CD Creator 5 Basic
Form Fill (Windows Live Toolbar)
HijackThis 2.0.2
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
hp instant support
HP Photo and Imaging 1.0 - PSC 2000 Series
HP Photo and Imaging 1.0 - PSC 2000 Series
HP Photo and Imaging 1.0 - PSC 2000 Series Drivers
hp psc 2100 series
Intel(R) Extreme Graphics Driver
Lexmark 7300 Series
Map Button (Windows Live Toolbar)
Messageware Base Component
Messageware Plus Pack Compress Attachments
Messageware Plus Pack English Dictionary
Messageware Plus Pack Spell Check Component
Messageware Plus Pack Thesaurus
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB886905)
Microsoft .NET Framework 2.0
Microsoft Encarta Encyclopedia Standard 2003
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2003
Microsoft Money 2003 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft Picture It! Photo 7.0
Microsoft Streets and Trips 2002
Microsoft Web Publishing Wizard 1.52
Microsoft Works 2003 Setup Launcher
Microsoft Works 7.0
Microsoft Works Suite Add-in for Microsoft Word
Modem Helper
MSN Music Assistant
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 Parser and SDK
OneCare Advisor (Windows Live Toolbar)
Paint Shop Pro 7
Popup Blocker (Windows Live Toolbar)
PowerDVD
Presto! Forms 3.50.01
Presto! PageManager 7.12.02
Print to Fax
QuickTime
Readiris 7.5
SBC Self Support Tool
SBC Yahoo! DSL Home Networking Installer
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Smart Menus (Windows Live Toolbar)
TaxACT 2003
TaxACT 2004
TaxACT Illinois 2003
TaxACT Illinois 2004
Trend Micro Internet Security Pro
Trend Micro Internet Security Pro
Trend Micro Remote File Lock
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB914882)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Viewpoint Media Player
Weather Services
Windows Desktop Search
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Favorites for Windows Live Toolbar
Windows Live Messenger
Windows Live Outlook Toolbar (Windows Live Toolbar)
Windows Live Toolbar
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Live Toolbar Feed Detector (Windows Live Toolbar)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
Duece
Regular Member
 
Posts: 26
Joined: November 10th, 2007, 3:44 am

Re: Ghosts in the Machine

Post by km2357 » November 13th, 2007, 3:42 pm

Sorry for the delay.

I'm afraid I have unpleasant news for you. You have a Very Dangerous infection on this machine.
The infection is delivered by Infostealer.Banker.C
It allows outsiders COMPLETE access to every keystroke, account, and password you use while on this machine, and complete access to any other data present...
IF this computer has been used for any kind of important data, my best recommendation is to Disconnect from Internet, Re-Format the entire drive and re-install your Operating system and Applications.

We can likely clean the infected files off the computer, and if you wish we will attempt to do so, but we cannot be sure that the infection didn't do something to your system to reduce the system security. In that instance, even after removal of the infection, you could be subject to another attack or takeover as soon as you re-connect to the Internet.

The Decision Whether to ReFormat or Not should be based on:

  • The use of the computer - this is the primary factor in the decision whether to re-format and re-install, or just disinfect.


If the Computer has been used for any important data, you are strongly advised to do the following, immediately:

  • Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.
  • Back up all important data on the machine. Do not back up any Applications (programs). Those should be re-installed from the original source CDs or websites.
  • If you have ever used this computer for shopping, banking, or any transactions relating to your financial well being:
    Call all of your banks, credit card companies, and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
  • DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
  • Take any other steps you think appropriate for an attempted identity theft.

While you are deciding whether to ReFormat and Re-Install, a useful link is here: http://www.dslreports.com/faq/10063
Please let me know what you decide.
km2357
MRU Master
 
Posts: 3204
Joined: January 30th, 2007, 2:48 pm
Location: California
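As an added example (my own code, not HijackThis or anything posted in this thread): a small Python triage script that applies the checks km2357's verdict rests on to a constructed excerpt of the log posted above. The baseline assumptions are heuristics an analyst still has to confirm: UserInit should list only userinit.exe, AppInit_DLLs is empty on a clean machine, Run entries registered under the SYSTEM/.DEFAULT hives or pointing into a My Documents path are suspect, and "(no file)" BHOs are orphaned registrations.

```python
"""Heuristic triage of HijackThis v2 log lines (added example, not HijackThis code)."""
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the log posted in this thread; not the full log.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\vvgeowbv.exe,C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKUS\S-1-5-18\..\Run: [Aida] "C:\DOCUME~1\LOCALS~1\MYDOCU~1\YSTEM3~1\spool32.exe" -vt yazb (User 'SYSTEM')
O20 - AppInit_DLLs: C:\WINDOWS\System32\skuns.dat
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "info"
    section: str   # HijackThis section code the line came from
    detail: str


# Baseline assumptions for a stock Windows XP install (analyst heuristics, not hard rules).
EXPECTED_USERINIT = "c:\\windows\\system32\\userinit.exe"
SYSTEM_HIVES = ("hkus\\s-1-5-18", "hkus\\s-1-5-19", "hkus\\.default")
PROFILE_MARKERS = ("mydocu~1", "my documents", "local settings", "\\temp\\")


def check_userinit(value: str) -> list[Finding]:
    """Winlogon runs every comma-separated UserInit entry at logon; only userinit.exe belongs there."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [Finding("high", "F2", f"extra UserInit entry: {e}")
            for e in entries if e.lower() != EXPECTED_USERINIT]


def check_appinit(value: str) -> list[Finding]:
    """AppInit_DLLs is loaded into every process that maps user32.dll and is empty on a clean box.
    Windows splits the value on spaces and commas, so do the same."""
    mods = [m for m in re.split(r"[ ,]+", value.strip()) if m]
    return [Finding("high", "O20", f"AppInit_DLLs loads {m}") for m in mods]


def check_run(hive: str, name: str, cmd: str) -> list[Finding]:
    """Run-key entries: flag autostarts registered for SYSTEM/Default user and
    executables living under a user profile rather than Program Files or System32."""
    quoted = re.match(r'"([^"]+)"', cmd) or re.match(r"(\S+)", cmd)
    path = quoted.group(1) if quoted else cmd
    out = []
    if hive.lower().startswith(SYSTEM_HIVES):
        out.append(Finding("high", "O4", f"[{name}] autostarts for SYSTEM/Default user: {path}"))
    if any(marker in path.lower() for marker in PROFILE_MARKERS):
        out.append(Finding("medium", "O4", f"[{name}] runs from a user-profile path: {path}"))
    return out


def triage(log_text: str) -> list[Finding]:
    """Walk a HijackThis log and collect findings for the sections handled above."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := re.match(r"^F2 - REG:system\.ini: UserInit=(.*)$", line):
            findings += check_userinit(m.group(1))
        elif m := re.match(r"^O20 - AppInit_DLLs: (.*)$", line):
            findings += check_appinit(m.group(1))
        elif m := re.match(r"^O4 - (HK[^:]+?)\\\.\.\\Run: \[([^\]]*)\] (.*)$", line):
            findings += check_run(*m.groups())
        elif m := re.match(r"^O2 - BHO: .*? - (\{[^}]+\}) - (.*)$", line):
            if m.group(2).strip().lower() == "(no file)":
                findings.append(Finding("info", "O2", f"orphaned BHO registration {m.group(1)}"))
    return findings


def count_by_severity(findings: list[Finding]) -> dict[str, int]:
    """Summarise findings so the analyst sees at a glance whether anything high-severity turned up."""
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    order = ("high", "medium", "info")
    for f in sorted(results, key=lambda f: order.index(f.severity)):
        print(f"{f.severity:6} {f.section:4} {f.detail}")
    print(count_by_severity(results))
```

On the excerpt this reports the two extra UserInit executables, the AppInit_DLLs module, the SYSTEM-hive Run entry (twice, once for the hive and once for the path) and one orphaned BHO; the QuickTime and Trend Micro lines produce nothing.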

Re: Ghosts in the Machine

Post by Duece » November 13th, 2007, 8:39 pm

WOW! Thank you for your insight, albeit disheartening. Nonetheless, I have decided to push forward. I have learned a lot this past week by reviewing the other forum issues and whacking bugs has become fun for me. The situation with the computer is that my partner used it in the past to pay her bills online, but she has not done that for some time and she now has her own laptop for those transactions. I am thinking from what is left over (Money Manager) we can delete completely and make necessary preventive measures to protect the system in the future. However, I use it primarily as an educational tool and job searching. Thus I would like to whack some more bugs and really lock down this system as much as possible. The link rates this as a low level threat, but I trust your judgement more. Since my last post, I must confess, I did commit the cardinal sin of making some adjustments. I just could not take that false security virus anymore. I read some of the archived posts and downloaded spybot, smitfraud.fix, Java, avg anti-virus, and a-squared. Since they were scanning tools I thought it would do no harm to kill some more bugs in the meantime. I estimate about 400 threats, cookies, trojans, worms, etc. I have eliminated since, also with the help of my Trend-micro scan. More importantly, I killed the smitfraud virus, got my desktop and administrative privileges back by using the process of smitfraudfix and avg antivirus, following the instructions on other posts very carefully. It worked! My system was singing like new money. But then when I downloaded spyblaster, all $%#* broke loose. Now I can only use safe mode/network connections to access the web efficiently; when I reboot under normal, the startup is sooo slow. I thought it was Trend-micro, so I tried to uninstall then re-install but I got the error "windows installer not working". So here we are, I can use your help to move to the next level. I need my startup to just "startup" and move fluently.
As far as programs to eliminate, there aren't that many I am affectionate with so feel free to advise. The following posts are my updated HijackThis logs and smitfraudfix.exe. I anxiously await your response.
Duece
Regular Member
 
Posts: 26
Joined: November 10th, 2007, 3:44 am

Re: Ghosts in the Machine - HiJack log

Post by Duece » November 13th, 2007, 8:46 pm

Adobe Flash Player ActiveX
Adobe Reader 7.0.9
a-squared Free 3.0
AT&T Yahoo! Applications
Broadcom Advanced Control Suite
Conexant SmartHSFi V92 56K DF PCI Modem
DAO
Dell Picture Studio - Dell Image Expert
Dell Solution Center
Dell Support
Digital Line Detect
DVDSentry
Easy CD Creator 5 Basic
Form Fill (Windows Live Toolbar)
HijackThis 2.0.2
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
hp instant support
HP Photo and Imaging 1.0 - PSC 2000 Series
HP Photo and Imaging 1.0 - PSC 2000 Series Drivers
Intel(R) Extreme Graphics Driver
Java(TM) 6 Update 3
Lexmark 7300 Series
Map Button (Windows Live Toolbar)
Messageware Base Component
Messageware Plus Pack Compress Attachments
Messageware Plus Pack English Dictionary
Messageware Plus Pack Spell Check Component
Messageware Plus Pack Thesaurus
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB886905)
Microsoft .NET Framework 2.0
Microsoft Encarta Encyclopedia Standard 2003
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2003
Microsoft Money 2003 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft Picture It! Photo 7.0
Microsoft Streets and Trips 2002
Microsoft Web Publishing Wizard 1.52
Microsoft Works 2003 Setup Launcher
Microsoft Works 7.0
Microsoft Works Suite Add-in for Microsoft Word
Modem Helper
MSN Music Assistant
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 Parser and SDK
OneCare Advisor (Windows Live Toolbar)
Paint Shop Pro 7
Popup Blocker (Windows Live Toolbar)
PowerDVD
Presto! Forms 3.50.01
Presto! PageManager 7.12.02
Print to Fax
QuickTime
Readiris 7.5
SBC Self Support Tool
SBC Yahoo! DSL Home Networking Installer
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Smart Menus (Windows Live Toolbar)
Spybot - Search & Destroy
TaxACT 2003
TaxACT 2004
TaxACT Illinois 2003
TaxACT Illinois 2004
Trend Micro Internet Security Pro
Trend Micro Remote File Lock
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB914882)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Viewpoint Media Player
Windows Desktop Search
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Favorites for Windows Live Toolbar
Windows Live Messenger
Windows Live Outlook Toolbar (Windows Live Toolbar)
Windows Live Toolbar
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Live Toolbar Feed Detector (Windows Live Toolbar)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2

HERE IS THE SCAN SYSTEM LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:00:11 PM, on 11/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\BOSS\Desktop\HiJackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\vvgeowbv.exe,C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {A6E432B4-D4C2-43B3-BF55-C364F8F7362A} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O2 - BHO: Voice Soft - {C222CF73-124F-3562-44AC-E685D962C63C} - C:\WINDOWS\Media\sendmail.dll
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {DABCE839-3831-3818-AF3A-3837BCD324D2} - C:\WINDOWS\system32\mskvtns.dll (file missing)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LXCICATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCItime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcimon.exe] "C:\Program Files\Lexmark 7300 Series\lxcimon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7300 Series\ezprint.exe"
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [clkhost] C:\WINDOWS\xlaherx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [dumprep] C:\WINDOWS\system32\spoolv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: TruePass EPF 7,0,100,684 - https://tesp.isac.org/TruePassSampleToo ... et-epf.cab
O16 - DPF: Yahoo! Chess - http://download2.games.yahoo.com/games/ ... /ct5_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testge ... nstall.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 3929133187
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 3929121625
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/Pe ... lAsst2.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install ... stallX.CAB
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O21 - SSODL: MailExport - {C222CF73-124F-3562-44AC-E685D962C63C} - C:\WINDOWS\Media\sendmail.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

--
End of file - 10208 bytes
Duece
Regular Member
 
Posts: 26
Joined: November 10th, 2007, 3:44 am

Re: Ghosts in the Machine - Smitfraudfix log

Unread postby Duece » November 13th, 2007, 8:49 pm

SmitFraudFix v2.253

Scan done at 18:05:28.37, Tue 11/13/2007
Run from C:\Documents and Settings\BOSS\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

127.0.0.1 legal-at-spybot.info
127.0.0.1 http://www.legal-at-spybot.info

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\BOSS


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\BOSS\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\BOSS\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Broadcom 440x 10/100 Integrated Controller - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.254

HKLM\SYSTEM\CCS\Services\Tcpip\..\{29A3919D-0D68-44DB-BA3B-C7E1C2EFFED6}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{29A3919D-0D68-44DB-BA3B-C7E1C2EFFED6}: DhcpNameServer=192.168.1.254


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
Duece
Regular Member
 
Posts: 26
Joined: November 10th, 2007, 3:44 am

Re: Ghosts in the Machine

Unread postby Duece » November 14th, 2007, 3:02 pm

:bigsmurf: Back in Business!!! I have got my normal mode back and I am flying at light speed. Firstly, sorry about bumping my post, but I felt I needed to give you updated information so that you are not researching topics that I have resolved. I started to look into Spybot more deeply and discovered a few features in their advanced tools section. System Internals showed me where I had missing files that still had registry markers and pathways that led to dead ends. I cleaned those out, then under System Startups, it showed me where programs were running at the start that I no longer had or almost never use. So I kept the ones that I knew I needed, those that were common, and essential Windows stuff...waived anything that said "trojan" or those that had no information at all....rebooted....then voila....here I am. I may have gotten lucky, but when I delete, I am careful to save my registry in case I blow something important. However, I am not out of the woods yet. I ran a Kaspersky scan this time, since it detected 27 viruses, 782 infected objects and 10 suspicious objects....I hope you hadn't eaten anything, this report is pretty sad :cry: I will run a deep scan with my Trend Micro and send you a newer Kaspersky report if you need it. Please advise.
Duece
Regular Member
 
Posts: 26
Joined: November 10th, 2007, 3:44 am

Re: Ghosts in the Machine

Unread postby km2357 » November 14th, 2007, 4:53 pm

Hi Duece.

From now on, please run and post any future HJT logs in Normal Mode, not Safe Mode. Thanks. :)

Also, do not make any more attempts to remove or do anything else to your computer unless directed to do so by me. If used incorrectly, many of the tools we use could result in an un-bootable computer - especially with this infection.


Step # 1: Download and Run ComboFix

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


Step # 2 Post Logs

In your next post/reply, I'd like to see the following:

    1. ComboFix Log (C:\ComboFix.txt)
    2. A fresh HijackThis Log

If you can't fit all the logs into one post/reply, then use multiple posts/replies to get all the logs in.
km2357
MRU Master
 
Posts: 3204
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Ghosts in the Machine - Combo/HJk logs

Unread postby Duece » November 14th, 2007, 9:39 pm

:cheers: Big difference....who makes this stuff???

ComboFix 07-11-08.1 - Julie L. Burnett 2007-11-14 18:50:14.1 - NTFSx86
Running from: C:\Documents and Settings\Julie L. Burnett\Desktop\ComboFix.exe
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\as.txt
C:\Autorun.inf
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\FindIt.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\FindItHot.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\findithotxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\finditxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\Highlight.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\HighlightHot.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\highlighthotxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\highlightxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\Reference.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\ReferenceHot.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\referencehotxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\referencexp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\screensaver.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\Screensavers0.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\starware_toolbar_icon.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\Weather.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\weatherhotxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\weatherxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\contexts\error.xml
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\contexts\Related.xml
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\contexts\Travel.xml
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\images\walertXP.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\SimpleUpdate\ProductMessagingConfig.xml
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\SimpleUpdate\ProductMessagingConfig.xml.backup
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\SimpleUpdate\SimpleUpdateConfig.xml
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\SimpleUpdate\SimpleUpdateConfig.xml.backup
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\SimpleUpdate\TimerManagerConfig.xml
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\SimpleUpdate\TimerManagerConfig.xml.backup
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\FindIt.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\FindItHot.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\findithotxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\finditxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\Highlight.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\HighlightHot.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\highlighthotxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\highlightxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\Reference.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\ReferenceHot.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\referencehotxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\referencexp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\screensaver.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\Screensavers0.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\starware_toolbar_icon.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\Weather.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\weatherhotxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\weatherxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\contexts\error.xml
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\contexts\Related.xml
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\contexts\Travel.xml
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\images\walertXP.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\SimpleUpdate\ProductMessagingConfig.xml
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\SimpleUpdate\ProductMessagingConfig.xml.backup
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\SimpleUpdate\SimpleUpdateConfig.xml
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\SimpleUpdate\SimpleUpdateConfig.xml.backup
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\SimpleUpdate\TimerManagerConfig.xml
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\SimpleUpdate\TimerManagerConfig.xml.backup
C:\DOCUME~1\JULIEL~1.BUR\APPLIC~1.\Ultimate Defender
C:\DOCUME~1\JULIEL~1.BUR\APPLIC~1.\Ultimate Defender\logs\1193979685.log
C:\DOCUME~1\JULIEL~1.BUR\APPLIC~1.\Ultimate Defender\logs\1193985772.log
C:\DOCUME~1\JULIEL~1.BUR\APPLIC~1\microsoft\internet explorer\quick launch\Start UltimateFixer 2007.lnk
C:\DOCUME~1\JULIEL~1.BUR\APPLIC~1\Starware316\BrowserSearch\BrowserSearch.xml
C:\DOCUME~1\JULIEL~1.BUR\APPLIC~1\Starware316\BrowserSearch\BrowserSearch.xml.backup
C:\DOCUME~1\JULIEL~1.BUR\APPLIC~1\Starware316\Configurator\Configurator.xml
C:\DOCUME~1\JULIEL~1.BUR\APPLIC~1\Starware316\Configurator\Configurator.xml.backup
C:\DOCUME~1\JULIEL~1.BUR\APPLIC~1\Starware316\ErrorSearch\ErrorSearchOptions.xml
C:\DOCUME~1\JULIEL~1.BUR\APPLIC~1\Starware316\ErrorSearch\ErrorSearchOptions.xml.backup
C:\DOCUME~1\JULIEL~1.BUR\APPLIC~1\Starware316\Games\GamesOptions.xml
C:\DOCUME~1\JULIEL~1.BUR\APPLIC~1\Starware316\Games\GamesOptions.xml.backup
C:\DOCUME~1\JULIEL~1.BUR\APPLIC~1\Starware316\Games\images\active\Games0.bmp
C:\DOCUME~1\JULIEL~1.BUR\APPLIC~1\Starware316\Layouts\ToolbarLayout.xml
C:\DOCUME~1\JULIEL~1.BUR\APPLIC~1\Starware316\Layouts\ToolbarLayout.xml.backup
C:\DOCUME~1\JULIEL~1.BUR\APPLIC~1\Starware316\Manager\ManagerOptions.xml
C:\DOCUME~1\JULIEL~1.BUR\APPLIC~1\Starware316\Manager\ManagerOptions.xml.backup
C:\DOCUME~1\JULIEL~1.BUR\APPLIC~1\Starware316\Movies\images\active\Movies0.bmp
C:\DOCUME~1\JULIEL~1.BUR\APPLIC~1\Starware316\Movies\MoviesOptions.xml
C:\DOCUME~1\JULIEL~1.BUR\APPLIC~1\Starware316\Movies\MoviesOptions.xml.backup
C:\DOCUME~1\JULIEL~1.BUR\APPLIC~1\Starware316\Reference\ReferenceOptions.xml
C:\DOCUME~1\JULIEL~1.BUR\APPLIC~1\Starware316\Reference\ReferenceOptions.xml.backup
C:\DOCUME~1\JULIEL~1.BUR\APPLIC~1\Starware316\RelatedSearch\RelatedSearchOptions.xml
C:\DOCUME~1\JULIEL~1.BUR\APPLIC~1\Starware316\RelatedSearch\RelatedSearchOptions.xml.backup
C:\DOCUME~1\JULIEL~1.BUR\APPLIC~1\Starware316\Screensavers\ScreensaversOptions.xml
C:\DOCUME~1\JULIEL~1.BUR\APPLIC~1\Starware316\Screensavers\ScreensaversOptions.xml.backup
C:\DOCUME~1\JULIEL~1.BUR\APPLIC~1\Starware316\ScreensaversMarketingSitePager\images\active\ScreensaversMarketingSitePager0.bmp
C:\DOCUME~1\JULIEL~1.BUR\APPLIC~1\Starware316\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml
C:\DOCUME~1\JULIEL~1.BUR\APPLIC~1\Starware316\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml.backup
C:\DOCUME~1\JULIEL~1.BUR\APPLIC~1\Starware316\Toolbar\TBProductsOptions.xml
C:\DOCUME~1\JULIEL~1.BUR\APPLIC~1\Starware316\Toolbar\TBProductsOptions.xml.backup
C:\DOCUME~1\JULIEL~1.BUR\APPLIC~1\Starware316\ToolbarLogo\ToolbarLogoOptions.xml
C:\DOCUME~1\JULIEL~1.BUR\APPLIC~1\Starware316\ToolbarLogo\ToolbarLogoOptions.xml.backup
C:\DOCUME~1\JULIEL~1.BUR\APPLIC~1\Starware316\ToolbarSearch\ToolbarSearchOptions.xml
C:\DOCUME~1\JULIEL~1.BUR\APPLIC~1\Starware316\ToolbarSearch\ToolbarSearchOptions.xml.backup
C:\DOCUME~1\JULIEL~1.BUR\APPLIC~1\Starware316\TravelSearch\TravelSearchOptions.xml
C:\DOCUME~1\JULIEL~1.BUR\APPLIC~1\Starware316\TravelSearch\TravelSearchOptions.xml.backup
C:\DOCUME~1\JULIEL~1.BUR\APPLIC~1\Starware316\Weather\AlertArchive.xml
C:\DOCUME~1\JULIEL~1.BUR\APPLIC~1\Starware316\Weather\WeatherOptions.xml
C:\DOCUME~1\JULIEL~1.BUR\APPLIC~1\Starware316\Weather\WeatherOptions.xml.backup
C:\DOCUME~1\JULIEL~1.BUR\APPLIC~1\Ultimate Defender\logs\1193979685.log
C:\DOCUME~1\JULIEL~1.BUR\APPLIC~1\Ultimate Defender\logs\1193985772.log
C:\DOCUME~1\JULIEL~1.BUR\APPLIC~1\WinTouch\wintouch.cfg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin2.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin3.zip
C:\Documents and Settings\Julie L. Burnett\Application Data\CROSOF~1
C:\Documents and Settings\Julie L. Burnett\Application Data\DOBE~1
C:\Documents and Settings\Julie L. Burnett\Application Data\FNTS~1
C:\Documents and Settings\Julie L. Burnett\Application Data\microsoft\internet explorer\quick launch\Start UltimateFixer 2007.lnk
C:\Documents and Settings\Julie L. Burnett\Application Data\PPPATC~1
C:\Documents and Settings\Julie L. Burnett\Application Data\SEMBLY~1
C:\Documents and Settings\Julie L. Burnett\Application Data\SMBOLS~1
C:\Documents and Settings\Julie L. Burnett\Application Data\SSTEM~1
C:\Documents and Settings\Julie L. Burnett\Application Data\Starware316
C:\Documents and Settings\Julie L. Burnett\Application Data\Starware316\BrowserSearch\BrowserSearch.xml
C:\Documents and Settings\Julie L. Burnett\Application Data\Starware316\BrowserSearch\BrowserSearch.xml.backup
C:\Documents and Settings\Julie L. Burnett\Application Data\Starware316\Configurator\Configurator.xml
C:\Documents and Settings\Julie L. Burnett\Application Data\Starware316\Configurator\Configurator.xml.backup
C:\Documents and Settings\Julie L. Burnett\Application Data\Starware316\ErrorSearch\ErrorSearchOptions.xml
C:\Documents and Settings\Julie L. Burnett\Application Data\Starware316\ErrorSearch\ErrorSearchOptions.xml.backup
C:\Documents and Settings\Julie L. Burnett\Application Data\Starware316\Games\GamesOptions.xml
C:\Documents and Settings\Julie L. Burnett\Application Data\Starware316\Games\GamesOptions.xml.backup
C:\Documents and Settings\Julie L. Burnett\Application Data\Starware316\Games\images\active\Games0.bmp
C:\Documents and Settings\Julie L. Burnett\Application Data\Starware316\Layouts\ToolbarLayout.xml
C:\Documents and Settings\Julie L. Burnett\Application Data\Starware316\Layouts\ToolbarLayout.xml.backup
C:\Documents and Settings\Julie L. Burnett\Application Data\Starware316\Manager\ManagerOptions.xml
C:\Documents and Settings\Julie L. Burnett\Application Data\Starware316\Manager\ManagerOptions.xml.backup
C:\Documents and Settings\Julie L. Burnett\Application Data\Starware316\Movies\images\active\Movies0.bmp
C:\Documents and Settings\Julie L. Burnett\Application Data\Starware316\Movies\MoviesOptions.xml
C:\Documents and Settings\Julie L. Burnett\Application Data\Starware316\Movies\MoviesOptions.xml.backup
C:\Documents and Settings\Julie L. Burnett\Application Data\Starware316\Reference\ReferenceOptions.xml
C:\Documents and Settings\Julie L. Burnett\Application Data\Starware316\Reference\ReferenceOptions.xml.backup
C:\Documents and Settings\Julie L. Burnett\Application Data\Starware316\RelatedSearch\RelatedSearchOptions.xml
C:\Documents and Settings\Julie L. Burnett\Application Data\Starware316\RelatedSearch\RelatedSearchOptions.xml.backup
C:\Documents and Settings\Julie L. Burnett\Application Data\Starware316\Screensavers\ScreensaversOptions.xml
C:\Documents and Settings\Julie L. Burnett\Application Data\Starware316\Screensavers\ScreensaversOptions.xml.backup
C:\Documents and Settings\Julie L. Burnett\Application Data\Starware316\ScreensaversMarketingSitePager\images\active\ScreensaversMarketingSitePager0.bmp
C:\Documents and Settings\Julie L. Burnett\Application Data\Starware316\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml
C:\Documents and Settings\Julie L. Burnett\Application Data\Starware316\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml.backup
C:\Documents and Settings\Julie L. Burnett\Application Data\Starware316\Toolbar\TBProductsOptions.xml
C:\Documents and Settings\Julie L. Burnett\Application Data\Starware316\Toolbar\TBProductsOptions.xml.backup
C:\Documents and Settings\Julie L. Burnett\Application Data\Starware316\ToolbarLogo\ToolbarLogoOptions.xml
C:\Documents and Settings\Julie L. Burnett\Application Data\Starware316\ToolbarLogo\ToolbarLogoOptions.xml.backup
C:\Documents and Settings\Julie L. Burnett\Application Data\Starware316\ToolbarSearch\ToolbarSearchOptions.xml
C:\Documents and Settings\Julie L. Burnett\Application Data\Starware316\ToolbarSearch\ToolbarSearchOptions.xml.backup
C:\Documents and Settings\Julie L. Burnett\Application Data\Starware316\TravelSearch\TravelSearchOptions.xml
C:\Documents and Settings\Julie L. Burnett\Application Data\Starware316\TravelSearch\TravelSearchOptions.xml.backup
C:\Documents and Settings\Julie L. Burnett\Application Data\Starware316\Weather\AlertArchive.xml
C:\Documents and Settings\Julie L. Burnett\Application Data\Starware316\Weather\WeatherOptions.xml
C:\Documents and Settings\Julie L. Burnett\Application Data\Starware316\Weather\WeatherOptions.xml.backup
C:\Documents and Settings\Julie L. Burnett\Application Data\Ultimate Defender\logs\1193979685.log
C:\Documents and Settings\Julie L. Burnett\Application Data\Ultimate Defender\logs\1193985772.log
C:\Documents and Settings\Julie L. Burnett\Application Data\WinTouch
C:\Documents and Settings\Julie L. Burnett\Application Data\WinTouch\wintouch.cfg
C:\Documents and Settings\Julie L. Burnett\My Documents\CROSOF~1
C:\Documents and Settings\Julie L. Burnett\My Documents\CURITY~1
C:\Documents and Settings\Julie L. Burnett\My Documents\DOBE~1
C:\Documents and Settings\Julie L. Burnett\My Documents\FNTS~1
C:\Documents and Settings\Julie L. Burnett\My Documents\MANTEC~1
C:\Documents and Settings\Julie L. Burnett\My Documents\SSEMBL~1
C:\Documents and Settings\Julie L. Burnett\My Documents\SSTEM~1
C:\Documents and Settings\Julie L. Burnett\My Documents\STEM32~1
C:\Documents and Settings\LocalService\My Documents\YSTEM3~1
C:\Documents and Settings\LocalService\My Documents\YSTEM3~1\?ystem32\
C:\Documents and Settings\LocalService\My Documents\YSTEM3~1\spool32.exe
C:\Program Files\Common Files\asembl~1
C:\Program Files\Common Files\asks~1
C:\Program Files\Common Files\companion wizard
C:\Program Files\Common Files\Companion Wizard\CompWiz.xml
C:\Program Files\Common Files\crosof~1.net
C:\Program Files\Common Files\curity~1
C:\Program Files\Common Files\dobe~1
C:\Program Files\Common Files\mbols~1
C:\Program Files\Common Files\sks~1
C:\Program Files\Common Files\wnsxs~1
C:\Program Files\Common Files\ymbols~1
C:\Program Files\dobe~1
C:\Program Files\ecurit~1
C:\Program Files\Insider
C:\Program Files\Insider\Insider.exe
C:\Program Files\Insider\UnInstall.exe
C:\Program Files\ISM
C:\Program Files\ISM\BndDrive7.dll
C:\Program Files\ISM2
C:\Program Files\ISM2\cringupd.exe
C:\Program Files\ISM2\dictionary.gz
C:\Program Files\ISM2\hydramedupd.exe
C:\Program Files\ISM2\ISMPack5.exe
C:\Program Files\ISM2\ISMPack6.exe
C:\Program Files\ISM2\ISMPack7.exe
C:\Program Files\ISM2\ISMPack8.exe
C:\Program Files\ISM2\targets.gz
C:\Program Files\mbols~1
C:\Program Files\racle~1
C:\Program Files\SecCenter
C:\Program Files\SecCenter\scprot4.exe
C:\Program Files\sks~1
C:\Program Files\sstem3~1
C:\Program Files\Temporary
C:\Program Files\wnsxs~1
C:\Program Files\ymante~1
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\brr
C:\temp\tn3
C:\WINDOWS\7search.dll
C:\WINDOWS\aconti.exe
C:\WINDOWS\adbar.dll
C:\WINDOWS\b147.exe
C:\WINDOWS\crosof~1
C:\WINDOWS\crosof~1.net
C:\WINDOWS\daxtime.dll
C:\WINDOWS\dp0.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\fnts~1
C:\WINDOWS\hook33.txt
C:\WINDOWS\hotporn.exe
C:\WINDOWS\ie-hook.txt
C:\WINDOWS\ie_32.exe
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\mcroso~1.net
C:\WINDOWS\ngd.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\stem32~1
C:\WINDOWS\system32\1_exception.nls
C:\WINDOWS\system32\b02FdUe
C:\WINDOWS\system32\dobe~1
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\box_1.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\box_3.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\cell_bg.gif
C:\WINDOWS\system32\drivers\cell_footer.gif
C:\WINDOWS\system32\drivers\cell_header_block.gif
C:\WINDOWS\system32\drivers\cell_header_remove.gif
C:\WINDOWS\system32\drivers\cell_header_scan.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\download_box.gif
C:\WINDOWS\system32\drivers\download_btn.jpg
C:\WINDOWS\system32\drivers\download_now_btn.gif
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\header_red_bg.gif
C:\WINDOWS\system32\drivers\header_red_free_scan.gif
C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
C:\WINDOWS\system32\drivers\product_1_header.gif
C:\WINDOWS\system32\drivers\product_1_name_small.gif
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\product_3_header.gif
C:\WINDOWS\system32\drivers\product_3_name_small.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\rating.gif
C:\WINDOWS\system32\drivers\runtime2.sys
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\screenshot.jpg
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\shadow_bg.gif
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\spy_away_box.jpg
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\drvhofr.dll
C:\WINDOWS\system32\ecurit~1
C:\WINDOWS\system32\ESHOPEE.exe
C:\WINDOWS\system32\fkmdvbtn
C:\WINDOWS\system32\fkmdvbtn\bg1.gif
C:\WINDOWS\system32\fkmdvbtn\bgtop.gif
C:\WINDOWS\system32\fkmdvbtn\bottom1.gif
C:\WINDOWS\system32\fkmdvbtn\essentials.gif
C:\WINDOWS\system32\fkmdvbtn\fkmdvbtn1.exe
C:\WINDOWS\system32\fkmdvbtn\fkmdvbtn2.exe
C:\WINDOWS\system32\fkmdvbtn\fkmdvbtn3.exe
C:\WINDOWS\system32\fkmdvbtn\icon1.ico
C:\WINDOWS\system32\fkmdvbtn\install1.gif
C:\WINDOWS\system32\fkmdvbtn\left1.gif
C:\WINDOWS\system32\fkmdvbtn\li.gif
C:\WINDOWS\system32\fkmdvbtn\logo.gif
C:\WINDOWS\system32\fkmdvbtn\main.htm
C:\WINDOWS\system32\fkmdvbtn\mainframe.htm
C:\WINDOWS\system32\fkmdvbtn\reinstall1.gif
C:\WINDOWS\system32\fkmdvbtn\right1.gif
C:\WINDOWS\system32\fkmdvbtn\s1.htm
C:\WINDOWS\system32\fkmdvbtn\s2.htm
C:\WINDOWS\system32\fkmdvbtn\s3.htm
C:\WINDOWS\system32\fkmdvbtn\SMTop1.gif
C:\WINDOWS\system32\fkmdvbtn\SMTop2.gif
C:\WINDOWS\system32\fkmdvbtn\SMTop3.gif
C:\WINDOWS\system32\fkmdvbtn\SMTop4.gif
C:\WINDOWS\system32\fkmdvbtn\soft1_off.gif
C:\WINDOWS\system32\fkmdvbtn\soft1_off_ext.gif
C:\WINDOWS\system32\fkmdvbtn\soft1_on.gif
C:\WINDOWS\system32\fkmdvbtn\soft1_on_ext.gif
C:\WINDOWS\system32\fkmdvbtn\soft2_off.gif
C:\WINDOWS\system32\fkmdvbtn\soft2_off_ext.gif
C:\WINDOWS\system32\fkmdvbtn\soft2_on.gif
C:\WINDOWS\system32\fkmdvbtn\soft2_on_ext.gif
C:\WINDOWS\system32\fkmdvbtn\soft3_off.gif
C:\WINDOWS\system32\fkmdvbtn\soft3_off_ext.gif
C:\WINDOWS\system32\fkmdvbtn\soft3_on.gif
C:\WINDOWS\system32\fkmdvbtn\soft3_on_ext.gif
C:\WINDOWS\system32\fkmdvbtn\softbottom_off.gif
C:\WINDOWS\system32\fkmdvbtn\softbottom_on.gif
C:\WINDOWS\system32\fkmdvbtn\softleft_off.gif
C:\WINDOWS\system32\fkmdvbtn\softleft_on.gif
C:\WINDOWS\system32\fkmdvbtn\top1.gif
C:\WINDOWS\system32\fkmdvbtn\top2.gif
C:\WINDOWS\system32\fkmdvbtn\turnoff1.gif
C:\WINDOWS\system32\fkmdvbtn\turnon1.gif
C:\WINDOWS\system32\icroso~1.net
C:\WINDOWS\system32\kr_done1
C:\WINDOWS\system32\ldinfo.ldr
C:\WINDOWS\system32\m2
C:\WINDOWS\system32\mantec~1
C:\WINDOWS\SYSTEM32\nqtss.bak1
C:\WINDOWS\SYSTEM32\nqtss.bak2
C:\WINDOWS\SYSTEM32\nqtss.ini
C:\WINDOWS\system32\o1
C:\WINDOWS\system32\owrnmvbk.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\RunOnce3.t__
C:\WINDOWS\system32\RunOnce3.tm_
C:\WINDOWS\system32\shdocvs.dll
C:\WINDOWS\system32\smante~1
C:\WINDOWS\system32\stera.log
C:\WINDOWS\system32\v4
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\system32\ymante~1
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\winshow.exe
C:\WINDOWS\wml.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xxxvideo.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_POOF
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2
-------\LEGACY_XLAVBA8
-------\runtime
-------\xlavba8


((((((((((((((((((((((((( Files Created from 2007-10-15 to 2007-11-15 )))))))))))))))))))))))))))))))
.

2007-11-14 18:46 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-14 15:38 38,224 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\neokdss.sys
2007-11-14 09:24 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-11-14 09:24 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-11-13 18:04 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2007-11-13 18:04 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2007-11-13 18:04 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2007-11-13 18:04 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2007-11-12 20:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Grisoft
2007-11-12 20:33 <DIR> d-------- C:\WINDOWS\Sun
2007-11-12 18:55 3,056 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-11-12 18:51 289,280 --a------ C:\WINDOWS\SYSTEM32\libcurl.dll
2007-11-12 18:51 55,808 --a------ C:\WINDOWS\SYSTEM32\spoolv.exe
2007-11-12 18:48 <DIR> d-------- C:\WINDOWS\SYSTEM32\Log
2007-11-12 11:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-11-12 08:51 10,752 --a------ C:\WINDOWS\DCEBoot.exe
2007-11-12 08:06 <DIR> d-------- C:\Program Files\Java
2007-11-12 08:05 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-12 07:13 16,384 --a------ C:\WINDOWS\xlaherx.exe
2007-11-11 01:46 <DIR> d-------- C:\Program Files\a-squared Free
2007-11-10 17:52 156,336 --a------ C:\WINDOWS\dracee.exe
2007-11-09 19:47 156,336 --a------ C:\WINDOWS\draste.exe
2007-11-09 17:20 153 --a------ C:\WINDOWS\SYSTEM32\msftedswc.dll
2007-11-09 15:20 12,825 --a------ C:\WINDOWS\SYSTEM32\msdtexch.dll
2007-11-09 10:53 <DIR> d-------- C:\Program Files\ACW
2007-11-09 10:35 <DIR> d-------- C:\WINDOWS\kdefense
2007-11-09 10:35 849,920 --a------ C:\WINDOWS\SYSTEM32\kdfinj.dll
2007-11-09 10:35 726,568 --a------ C:\WINDOWS\SYSTEM32\kdfmgr.exe
2007-11-09 10:35 192,512 --a------ C:\WINDOWS\SYSTEM32\kdfvmgr.exe
2007-11-09 10:35 77,824 --a------ C:\WINDOWS\SYSTEM32\kdfapi.dll
2007-11-09 10:35 53,248 --a------ C:\WINDOWS\SYSTEM32\Kdfhok.dll
2007-11-09 10:01 <DIR> d-------- C:\WINDOWS\LocalSSL
2007-11-09 09:57 138,512 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2007-11-09 09:57 52,496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmactmon.sys
2007-11-09 09:57 52,368 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmevtmgr.sys
2007-11-08 17:40 <DIR> d-------- C:\Program Files\Gvqnjbaj
2007-11-08 17:39 <DIR> d-------- C:\Documents and Settings\BOSS\Application Data\Yahoo!
2007-11-08 00:52 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-07 22:30 156,336 --a------ C:\WINDOWS\drosmok.exe
2007-11-07 22:25 <DIR> d-------- C:\ce1f38489d672d29afffcbf2900fb7
2007-11-04 09:48 <DIR> d-------- C:\Documents and Settings\Julie L. Burnett\Application Data\Windows Desktop Search
2007-11-04 09:48 <DIR> d-------- C:\DOCUME~1\JULIEL~1.BUR\APPLIC~1\Windows Desktop Search
2007-11-04 09:40 <DIR> d-------- C:\Program Files\Windows Desktop Search
2007-11-04 09:35 <DIR> d-------- C:\Program Files\Windows Live Favorites
2007-11-04 09:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Live Toolbar
2007-11-04 09:30 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2007-11-03 18:34 <DIR> d-------- C:\c9504ee262b6c366af16
2007-11-02 20:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trend Micro
2007-11-02 14:29 <DIR> d-------- C:\{00004676-0000-0000-FD5B-BAA2F545B743}
2007-11-02 14:29 <DIR> d-------- C:\{00004528-0000-0000-C9A2-52D0BBE4EFE2}
2007-11-02 14:29 <DIR> d-------- C:\{00004495-0000-0000-151A-8F29123B189E}
2007-11-02 12:59 <DIR> d-------- C:\{8001B643-0000-0000-893B-01B02CF26B97}
2007-11-02 10:28 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-11-02 04:17 128,896 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\fltmgr.sys
2007-11-02 04:17 23,040 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\fltmc.exe
2007-11-02 04:17 16,896 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\fltlib.dll
2007-11-02 04:15 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-11-02 02:21 582,656 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll
2007-11-02 00:56 459,264 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2007-11-02 00:56 267,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2007-11-02 00:56 52,224 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2007-11-02 00:55 6,058,496 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2007-11-02 00:55 2,455,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dat
2007-11-02 00:55 383,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2007-11-02 00:55 63,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2007-11-02 00:55 33,792 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\custsat.dll
2007-11-02 00:55 13,824 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-11-02 00:19 <DIR> d-------- C:\Security
2007-11-01 20:26 <DIR> d-------- C:\WINDOWS\provisioning
2007-11-01 20:26 <DIR> d-------- C:\WINDOWS\peernet
2007-11-01 20:22 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-11-01 20:08 <DIR> d-------- C:\WINDOWS\EHome
2007-11-01 16:48 11,776 --a------ C:\WINDOWS\SYSTEM32\spnpinst.exe
2007-11-01 16:48 4,569 --a------ C:\WINDOWS\SYSTEM32\secupd.dat
2007-11-01 14:03 <DIR> d-------- C:\Program Files\Larlpqyh
2007-11-01 13:25 614,912 --a------ C:\WINDOWS\SYSTEM32\h323msp.dll
2007-11-01 13:25 331,264 --a------ C:\WINDOWS\SYSTEM32\ipnathlp.dll
2007-11-01 13:25 40,960 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\evtgprov.dll
2007-11-01 13:11 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-11-01 12:08 402,440 --a------ C:\sysalna.exe
2007-11-01 11:44 <DIR> d-------- C:\Program Files\Symantec
2007-11-01 11:44 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-11-01 11:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-11-01 11:31 77,824 --a------ C:\MicroSofts.pif
2007-11-01 11:26 <DIR> dr-h----- C:\Documents and Settings\Julie L. Burnett\Application Data\yahoo!
2007-11-01 11:26 <DIR> dr-h----- C:\DOCUME~1\JULIEL~1.BUR\APPLIC~1\yahoo!
2007-11-01 10:44 30,720 --a------ C:\WINDOWS\SYSTEM32\gooels.dll
2007-11-01 09:28 1,082,368 --a------ C:\WINDOWS\SYSTEM32\esent.dll
2007-11-01 09:10 0 --a------ C:\WINDOWS\SYSTEM32\mscorews.dll
2007-11-01 09:06 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-11-01 09:06 22,752 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.exe
2007-11-01 09:04 <DIR> d-------- C:\WINDOWS\SYSTEM32\bits
2007-11-01 09:03 351,232 --a------ C:\WINDOWS\SYSTEM32\winhttp.dll
2007-11-01 09:03 18,944 --a------ C:\WINDOWS\SYSTEM32\qmgrprxy.dll
2007-11-01 09:03 8,192 --a------ C:\WINDOWS\SYSTEM32\bitsprx2.dll
2007-11-01 09:03 7,168 --a------ C:\WINDOWS\SYSTEM32\bitsprx3.dll
2007-11-01 09:00 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2007-11-01 08:59 549,720 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
2007-11-01 08:59 325,976 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
2007-11-01 08:59 43,352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-14 06:42 --------- d-----w C:\Program Files\Lx_cats
2007-11-12 18:56 --------- d-----w C:\Program Files\Free Offers from Freeze.com
2007-11-12 16:02 --------- d-----w C:\Program Files\SBC Yahoo!
2007-11-12 16:02 --------- d-----w C:\Program Files\SBC Self Support Tool
2007-11-12 16:02 --------- d-----w C:\Program Files\ReadIris
2007-11-12 16:02 --------- d-----w C:\Program Files\QuickTime
2007-11-12 16:01 --------- d-----w C:\Program Files\MSN Messenger
2007-11-12 16:01 --------- d-----w C:\Program Files\Modem Helper
2007-11-12 16:01 --------- d-----w C:\Program Files\Microsoft Works
2007-11-12 16:01 --------- d-----w C:\Program Files\Microsoft Streets & Trips
2007-11-12 16:01 --------- d-----w C:\Program Files\Microsoft Picture It! 7
2007-11-12 15:59 --------- d-----w C:\Program Files\Lexmark 7300 Series
2007-11-12 15:57 --------- d-----w C:\Program Files\Digital Line Detect
2007-11-12 15:56 --------- d-----w C:\Program Files\Common Files\Motive
2007-11-12 15:54 --------- d-----w C:\Program Files\2Wire
2007-11-11 01:18 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-11-09 00:43 --------- d-----w C:\Program Files\Real
2007-11-09 00:43 --------- d-----w C:\Program Files\Common Files\Real
2007-11-09 00:28 --------- d-----w C:\Program Files\The Print Shop 20
2007-11-08 23:33 --------- d-----w C:\Program Files\Web Publish
2007-11-04 00:58 --------- d-----w C:\Documents and Settings\Guest\Application Data\Yahoo!
2007-11-01 17:26 --------- d-----w C:\Program Files\Yahoo!
2007-11-01 01:56 --------- d-----w C:\Documents and Settings\Julie L. Burnett\Application Data\AVG7
2007-11-01 01:56 --------- d-----w C:\DOCUME~1\JULIEL~1.BUR\APPLIC~1\AVG7
2007-11-01 01:56 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\avg7
2007-11-01 00:19 --------- d-----w C:\Program Files\Viewpoint
2007-10-11 01:51 --------- d-----w C:\Program Files\MySpace
2007-10-09 04:48 --------- d--h--w C:\Documents and Settings\Julie L. Burnett\Application Data\Move Networks
2007-10-09 04:48 --------- d--h--w C:\DOCUME~1\JULIEL~1.BUR\APPLIC~1\Move Networks
2007-09-18 08:31 65,936 ----a-w C:\WINDOWS\system32\drivers\tmtdi.sys
2007-09-18 08:31 36,112 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2007-09-18 08:31 333,328 ----a-w C:\WINDOWS\system32\drivers\TM_CFW.sys
2007-09-18 08:31 203,024 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2007-09-18 08:31 1,126,328 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\SYSTEM32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\inetcomm.dll
2007-08-20 21:34 3,584,512 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-08-20 10:04 824,832 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2007-08-20 10:04 671,232 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
2007-08-20 10:04 477,696 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
2007-08-20 10:04 44,544 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iernonce.dll
2007-08-20 10:04 384,512 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedkcs32.dll
2007-08-20 10:04 27,648 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
2007-08-20 10:04 232,960 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\webcheck.dll
2007-08-20 10:04 230,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieaksie.dll
2007-08-20 10:04 214,528 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
2007-08-20 10:04 193,024 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
2007-08-20 10:04 153,088 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakeng.dll
2007-08-20 10:04 132,608 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
2007-08-20 10:04 124,928 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\advpack.dll
2007-08-20 10:04 105,984 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\url.dll
2007-08-20 10:04 102,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\occache.dll
2007-08-20 10:04 1,152,000 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2007-08-17 10:21 625,152 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2007-08-17 10:20 63,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2007-08-17 07:34 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2006-09-01 01:19 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2004-08-04 07:56 452,608 ----a-r C:\Documents and Settings\Guest\Application Data\ntos.exe
2003-11-05 12:38 55,808 ----a-w C:\Documents and Settings\Julie L. Burnett\Application Data\GDIPFONTCACHEV1.DAT
2003-11-05 12:38 55,808 ----a-w C:\DOCUME~1\JULIEL~1.BUR\APPLIC~1\GDIPFONTCACHEV1.DAT
2002-08-29 11:00 273,920 ----a-w C:\WINDOWS\Media\SendMail.dll
2007-06-23 07:16:26 8,675 --sha-w C:\WINDOWS\SYSTEM32\ospcont.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A6E432B4-D4C2-43B3-BF55-C364F8F7362A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C222CF73-124F-3562-44AC-E685D962C63C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DABCE839-3831-3818-AF3A-3837BCD324D2}]
C:\WINDOWS\system32\mskvtns.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{E7620C98-FCCC-40E5-92EC-C7685D2E1E40}"= C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll [2007-09-16 08:21 103760]

[HKEY_CLASSES_ROOT\CLSID\{E7620C98-FCCC-40E5-92EC-C7685D2E1E40}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EC525605-2266-4775-8F78-A68A6446465C}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sr1exe"="C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe" [2003-05-15 14:21]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 16:19]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2007-06-26 13:48]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2007-09-18 02:31]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"SpybotDeletingC4953"=cmd /c del "C:\Documents and Settings\BOSS\Local Settings\Temp\~DFD9B.tmp"
"SpybotDeletingC6542"=cmd /c del "C:\WINDOWS\pbsysie.dll"
"SpybotDeletingA7013"=command /c del "C:\Documents and Settings\BOSS\Local Settings\Temp\~DFD9B.tmp"
"SpybotDeletingA6499"=command /c del "C:\WINDOWS\pbsysie.dll"

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
SBC Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [2005-01-03 22:59:00]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2006-03-26 22:44:08]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoWindowsUpdate"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2006-03-13 13:11 233472]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\System32\\vvgeowbv.exe,C:\\WINDOWS\\system32\\userinit.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\ntos.exe,"

S3 noskrnl.sys;noskrnl.sys;\??\C:\WINDOWS\system32\noskrnl.sys
S4 lxci_device;lxci_device;C:\WINDOWS\System32\lxcicoms.exe -service

.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-14 19:23:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\wsnpoem
C:\WINDOWS\system32\ntos.exe 189440 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************
.
Completion time: 2007-11-14 19:28:54 - machine was rebooted
.
--- E O F ---
Duece
Regular Member
 
Posts: 26
Joined: November 10th, 2007, 3:44 am

Re: Ghosts in the Machine

Unread postby Duece » November 14th, 2007, 9:40 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:32:11 PM, on 11/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Windows Desktop Search\WindowsSearchFilter.exe
C:\Documents and Settings\Julie L. Burnett\Desktop\HiJackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {A6E432B4-D4C2-43B3-BF55-C364F8F7362A} - (no file)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O2 - BHO: (no name) - {C222CF73-124F-3562-44AC-E685D962C63C} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {DABCE839-3831-3818-AF3A-3837BCD324D2} - C:\WINDOWS\system32\mskvtns.dll (file missing)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4953] cmd /c del "C:\Documents and Settings\BOSS\Local Settings\Temp\~DFD9B.tmp"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6542] cmd /c del "C:\WINDOWS\pbsysie.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7013] command /c del "C:\Documents and Settings\BOSS\Local Settings\Temp\~DFD9B.tmp"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6499] command /c del "C:\WINDOWS\pbsysie.dll"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: TruePass EPF 7,0,100,684 - https://tesp.isac.org/TruePassSampleToo ... et-epf.cab
O16 - DPF: Yahoo! Chess - http://download2.games.yahoo.com/games/ ... /ct5_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testge ... nstall.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 3929133187
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 3929121625
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/Pe ... lAsst2.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install ... stallX.CAB
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 9509 bytes
Duece
Regular Member
 
Posts: 26
Joined: November 10th, 2007, 3:44 am
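
The Userinit hijack visible in both logs above (the two Winlogon "Userinit" values in ComboFix's Reg Loading Points section and the HijackThis F2 line) is a persistence indicator a defender wants to check automatically rather than by eye. The following Python script is an added example, not code from this thread or from ComboFix or HijackThis: it parses those two line formats, normalises the paths, and reports any Userinit entry other than the stock userinit.exe. The sample lines are copied from the logs in this thread; the expected path constant and the function names are this example's own assumptions.

```python
import re

# Stock Winlogon Userinit value on Windows XP (assumed expected value; it is the
# path the helper's CFScript restores later in this thread).
EXPECTED_USERINIT = "c:\\windows\\system32\\userinit.exe"

# Constructed sample: the Userinit-related lines exactly as they appear in the
# ComboFix "Reg Loading Points" section and the HijackThis F2 line above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\System32\\vvgeowbv.exe,C:\\WINDOWS\\system32\\userinit.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\ntos.exe,"

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
"""

# ComboFix prints registry values as "Name"="value" under a [HIVE\key] header.
HIVE_RE = re.compile(r'^\[(?P<hive>HKEY_[A-Z_]+)\\', re.IGNORECASE)
COMBOFIX_RE = re.compile(r'^"Userinit"="(?P<val>.*)"\s*$', re.IGNORECASE)
# HijackThis reports the same value as an F2 system.ini line.
HJT_RE = re.compile(r'^F2 - REG:system\.ini: UserInit=(?P<val>.*?)\s*$', re.IGNORECASE)


def _normalize(path: str) -> str:
    # ComboFix escapes backslashes in registry values; collapse them and
    # lower-case so entries from both log formats compare equal.
    return path.strip().strip('"').replace("\\\\", "\\").lower()


def _split_entries(value: str) -> list:
    # Userinit is a comma-separated list of loaders; ignore the trailing comma.
    return [_normalize(p) for p in value.split(",") if p.strip()]


def find_userinit_hijacks(log_text: str) -> list:
    """Return one finding per Userinit value that deviates from the stock loader.

    Each finding is a dict with the source (registry hive or 'system.ini'),
    the parsed entries, and the entries that are not the expected userinit.exe.
    """
    findings = []
    current_hive = None
    for raw in log_text.splitlines():
        line = raw.strip()
        hive = HIVE_RE.match(line)
        if hive:
            current_hive = hive.group("hive").upper()
            continue
        m = COMBOFIX_RE.match(line)
        if m:
            source = current_hive or "unknown hive"
        else:
            m = HJT_RE.match(line)
            if not m:
                continue
            source = "system.ini"
        entries = _split_entries(m.group("val"))
        unexpected = [e for e in entries if e != EXPECTED_USERINIT]
        # A missing stock loader is as suspicious as an extra one.
        if unexpected or EXPECTED_USERINIT not in entries:
            findings.append({"source": source, "entries": entries, "unexpected": unexpected})
    return findings


if __name__ == "__main__":
    for f in find_userinit_hijacks(SAMPLE_LOG):
        print(f"{f['source']}: unexpected Userinit loaders -> {f['unexpected']}")
```

Run it over a saved ComboFix or HijackThis log; on the sample above it reports vvgeowbv.exe under HKEY_CURRENT_USER and ntos.exe under both HKEY_LOCAL_MACHINE and system.ini, which are the same loaders the helper's CFScript removes in the next reply.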

Re: Ghosts in the Machine

Unread postby km2357 » November 15th, 2007, 4:40 pm

Step # 1 Upload Files


Go to http://virusscan.jotti.org
Copy the following line into the white textbox:
C:\WINDOWS\DCEBoot.exe
Click Submit.
Please post the results of this scan to this thread.

Repeat the above steps with the following files:

C:\WINDOWS\SYSTEM32\ospcont.dat
C:\WINDOWS\SYSTEM32\Process.exe

Go to http://www.virustotal.com/en/indexf.html
Copy the following line into the white textbox:
C:\WINDOWS\DCEBoot.exe
Click Send.
Please post the results of this scan to this thread.

Repeat the above steps with the following files:

C:\WINDOWS\SYSTEM32\ospcont.dat
C:\WINDOWS\SYSTEM32\Process.exe

Please let me know the results.



Step # 2: Run CFScript

Please delete the version of ComboFix you have on your computer. I need you to download the latest version of ComboFix by sUBs here and save it to your Desktop.



  • Then, please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    File:: 
    
    C:\WINDOWS\SYSTEM32\spoolv.exe
    C:\WINDOWS\xlaherx.exe
    C:\WINDOWS\dracee.exe
    C:\WINDOWS\draste.exe
    C:\WINDOWS\SYSTEM32\msftedswc.dll
    C:\WINDOWS\SYSTEM32\msdtexch.dll
    C:\WINDOWS\SYSTEM32\kdfinj.dll
    C:\WINDOWS\SYSTEM32\kdfmgr.exe
    C:\WINDOWS\SYSTEM32\kdfvmgr.exe
    C:\WINDOWS\SYSTEM32\kdfapi.dll
    C:\WINDOWS\SYSTEM32\Kdfhok.dll
    C:\WINDOWS\drosmok.exe
    C:\sysalna.exe
    C:\MicroSofts.pif
    C:\WINDOWS\SYSTEM32\gooels.dll
    C:\WINDOWS\SYSTEM32\mscorews.dll
    C:\Documents and Settings\Guest\Application Data\ntos.exe
    C:\WINDOWS\system32\mskvtns.dll
    C:\WINDOWS\System32\vvgeowbv.exe
    
    Folder:: 
    
    C:\WINDOWS\kdefense
    C:\Program Files\Gvqnjbaj
    C:\ce1f38489d672d29afffcbf2900fb7
    C:\c9504ee262b6c366af16
    C:\{00004676-0000-0000-FD5B-BAA2F545B743}
    C:\{00004528-0000-0000-C9A2-52D0BBE4EFE2}
    C:\{00004495-0000-0000-151A-8F29123B189E}
    C:\{8001B643-0000-0000-893B-01B02CF26B97}
    C:\Program Files\Larlpqyh
    C:\Program Files\Free Offers from Freeze.com
    C:\WINDOWS\Media\
    
    Driver:: 
    
    noskrnl.sys
    
    DirLook::
    
    C:\Program Files\ACW
    C:\Security
    
    RootKit::
    
    C:\WINDOWS\system32\noskrnl.sys
    C:\WINDOWS\system32\ntos.exe
    C:\WINDOWS\system32\wsnpoem
    C:\WINDOWS\SYSTEM32\DRIVERS\neokdss.sys
    
    Registry:: 
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A6E432B4-D4C2-43B3-BF55-C364F8F7362A}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C222CF73-124F-3562-44AC-E685D962C63C}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DABCE839-3831-3818-AF3A-3837BCD324D2}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]
    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoWindowsUpdate"=-
    [HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="C:\WINDOWS\system32\userinit.exe,"


  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


    Image


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Step # 3: Post Logs

In your next post/reply, I'd like to see the following:

    1. Jotti/VirusTotal results
    2. ComboFix Log (C:\ComboFix.txt)
    3. A fresh HijackThis Log

If you can't fit all the logs into one post/reply, then use multiple posts/replies to get all the logs in.
km2357
MRU Master
 
Posts: 3204
Joined: January 30th, 2007, 2:48 pm
Location: California
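
The CFScript above is a plain-text directive file: each section header (`File::`, `Folder::`, `Driver::`, `DirLook::`, `RootKit::`, `Registry::`) is followed by the entries ComboFix should act on, and in the `Registry::` section `[-KEY]` deletes a key while `"name"=-` deletes a value. Because a typo in such a script is acted on with SYSTEM privileges, it is worth checking it before dragging it onto ComboFix. The following parser and lint is an added example written for this thread; it is not code from ComboFix, sUBs, or the post. The section names and the `Registry::` syntax are taken from the script above; the lint rules, the sample script (a subset of the post's entries with one entry deliberately broken) and the hijacked `Userinit` value in the usage test are this example's own constructions.

```python
"""Parse a ComboFix CFScript into its sections and sanity-check it before use.

Added example for this thread; not code from ComboFix or from the post.
Section names and the Registry:: syntax follow the script in the post;
the lint rules and SAMPLE below are constructed for this example.
"""
import re

KNOWN_SECTIONS = {"File", "Folder", "Driver", "DirLook", "RootKit", "Registry"}
PATH_SECTIONS = {"File", "Folder", "DirLook", "RootKit"}   # entries must be absolute paths
HEADER_RE = re.compile(r"^([A-Za-z]+)::$")
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
# Stock XP value, exactly as the Registry:: fix in the post writes it.
STOCK_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"


def parse_cfscript(text):
    """Return {section_name: [entries]}; blank lines dropped, text before the first header ignored."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_registry(entries):
    """Turn Registry:: lines into (op, key, name, value) tuples.

    [-KEY]      -> ("delete_key", KEY, None, None)
    "name"=-    -> ("delete_value", KEY, name, None)
    "name"="v"  -> ("set_value", KEY, name, v)
    anything else -> ("unparsed", KEY, None, line)
    """
    ops, key = [], None
    for line in entries:
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):
                key = key[1:]
                ops.append(("delete_key", key, None, None))
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name, val = m.group(1), m.group(2).strip()
            if val == "-":
                ops.append(("delete_value", key, name, None))
            else:
                ops.append(("set_value", key, name, val.strip('"')))
        else:
            ops.append(("unparsed", key, None, line))
    return ops


def userinit_extras(value):
    """Return every comma-separated program in a Userinit value other than the stock userinit.exe.

    Anything listed here is started at every interactive logon, which is why the
    post's script forces the value back to STOCK_USERINIT.
    """
    stock = STOCK_USERINIT.rstrip(",").lower()
    return [p for p in (x.strip() for x in value.split(",")) if p and p.lower() != stock]


def lint_cfscript(sections):
    """Return a list of human-readable problems; an empty list means the script looks sane."""
    problems = []
    for name, entries in sections.items():
        if name not in KNOWN_SECTIONS:
            problems.append(f"unknown section {name}::")
        if name in PATH_SECTIONS:
            problems += [f"{name}:: entry is not an absolute path: {e}"
                         for e in entries if not ABS_PATH_RE.match(e)]
    for op, key, name, val in parse_registry(sections.get("Registry", [])):
        if op == "unparsed":
            problems.append(f"Registry:: line not understood: {val}")
        elif op == "set_value" and name.lower() == "userinit" and key.lower().endswith("\\winlogon"):
            extras = userinit_extras(val)
            if extras:
                problems.append(f"Userinit would still launch: {extras}")
    return problems


# Constructed sample: a subset of the post's script plus one Folder:: entry that is
# deliberately missing its drive letter, so the lint has something to catch.
SAMPLE = r"""
File::
C:\WINDOWS\SYSTEM32\spoolv.exe
C:\Documents and Settings\Guest\Application Data\ntos.exe

Folder::
C:\WINDOWS\kdefense
Program Files\Larlpqyh

Driver::
noskrnl.sys

RootKit::
C:\WINDOWS\system32\ntos.exe
C:\WINDOWS\system32\wsnpoem

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,"
"""

if __name__ == "__main__":
    secs = parse_cfscript(SAMPLE)
    for sec, entries in secs.items():
        print(f"{sec}:: {len(entries)} entries")
    for problem in lint_cfscript(secs):
        print("WARNING:", problem)
```

Run it on the real CFScript.txt by replacing `SAMPLE` with the file's contents; the only warning for the constructed sample is the relative `Folder::` entry. The `userinit_extras` check is the one to keep in mind when reading any future HijackThis or ComboFix log: the stock value names only `userinit.exe`, and every additional comma-separated path is a program that runs at logon.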

Re: Ghosts in the Machine

Unread postby Duece » November 15th, 2007, 5:39 pm

How do I post results from Jotti? Is there an option where I can create a log for its findings? Please advise.
Duece
Regular Member
 
Posts: 26
Joined: November 10th, 2007, 3:44 am

Re: Ghosts in the Machine

Unread postby km2357 » November 15th, 2007, 6:17 pm

Just highlight everything in the "scanner results" section and then copy and paste it into your post here.
km2357
MRU Master
 
Posts: 3204
Joined: January 30th, 2007, 2:48 pm
Location: California