Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijackthis Log! My Computer Is Being Invaded By Outerinfo! Help!


  • Please log in to reply
7 replies to this topic

#1 PnthrPride

PnthrPride

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:04:17 AM

Posted 07 October 2007 - 08:32 PM

I'm getting multiple advertisements by OuterInfo and I need to know how to get rid of it!
Here is my log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:30:43 PM, on 10/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
C:\WINDOWS\CDProxyServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MYWEBS~1\bar\6.bin\mwsoemon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\PPPATC~1\ping.exe
C:\WINDOWS\s?stem32\mshta.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aimtoday.aim.com/today/aimtoday.adp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\4.bin\MWSSRCAS.DLL
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\4.bin\MWSSRCAS.DLL
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\6.bin\MWSBAR.DLL
O2 - BHO: (no name) - {1AF12F62-9387-9754-F34B-E92B589483BB} - C:\WINDOWS\system32\cxtobmc.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - (no file)
O3 - Toolbar: (no name) - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\6.bin\MWSBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\6.bin\mwsoemon.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\6.bin\mwsoemon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Sen] "C:\PROGRA~1\PPPATC~1\ping.exe" -vt yazb
O4 - HKCU\..\Run: [Dli] C:\WINDOWS\s?stem32\mshta.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...US_ZBzeb032YYUS
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?6248ce7115b44e90a528bc87903ed8d0
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?6248ce7115b44e90a528bc87903ed8d0
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Rodalyn Toomer\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...tup1.0.0.15.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://zone.msn.com/bingame/trbo/default/ActiveLauncher.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase2895.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D06A22B4-6087-4D3D-B7AF-82B113E9ABD4} (CPostLaunch Object) - http://www2.verizon.net/update/msnwebinsta...es/vzWebIns.CAB
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...5/installer.exe
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)

--
End of file - 12978 bytes

BC AdBot (Login to Remove)

 


#2 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:11:17 AM

Posted 08 October 2007 - 11:52 AM

Please download Combofix to your desktop.
Doubleclick combofix.exe to launch the application.

Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.

#3 PnthrPride

PnthrPride
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:04:17 AM

Posted 08 October 2007 - 03:52 PM

OMG... I THINK IT'S GONE!!! I dont see anymore of that outerinfo crap in my add/remove program or any more popups. and I think I actually saw it delete outerinfo during the combofix program. AMAZING... :blink:

I LOVE YOU. :thumbsup: lol
thanks so much, if i had money i'd donate but im broke sorry.




ComboFix 07-10-07.2 - (my name =P) 2007-10-08 15:48:32.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.81 [GMT -4:00]
Running from: C:\Documents and Settings\Rodalyn Toomer\Local Settings\Temporary Internet Files\Content.IE5\0LAFR0TP\ComboFix[2].exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\9.tmp
C:\A.tmp
C:\B.tmp
C:\Documents and Settings\Rodalyn Toomer\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Rodalyn Toomer\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Rodalyn Toomer\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\PopSwatr\History\allowed
C:\Program Files\FunWebProducts\PopSwatr\History\notallow
C:\Program Files\FunWebProducts\ScreenSaver\Cache\008EE627.swf
C:\Program Files\FunWebProducts\ScreenSaver\Cache\0098C5CD.jpg
C:\Program Files\FunWebProducts\ScreenSaver\Cache\files.ini
C:\Program Files\FunWebProducts\ScreenSaver\Images\008D1DBB.urr
C:\Program Files\FunWebProducts\ScreenSaver\Images\008ED6D5.urr
C:\Program Files\FunWebProducts\ScreenSaver\Images\008EED0C.dat
C:\Program Files\FunWebProducts\ScreenSaver\Images\f3wallpp.bmp
C:\Program Files\FunWebProducts\ScreenSaver\Images\wrkparam.lst
C:\Program Files\FunWebProducts\Shared\0086FACF.dat
C:\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\FunBuddyIconBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MailStampBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MySignatureInsertBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MySignaturePreviewBtn-new.html
C:\Program Files\FunWebProducts\Shared\Cache\MySignaturePreviewBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MyStationeryBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
C:\Program Files\iMeshBar
C:\Program Files\iMeshBar\bar\Cache\0113DF2B
C:\Program Files\iMeshBar\bar\Cache\0113E610
C:\Program Files\iMeshBar\bar\Cache\0113E749.bin
C:\Program Files\iMeshBar\bar\Cache\0113E862.bmp
C:\Program Files\iMeshBar\bar\Cache\0113E99B.bmp
C:\Program Files\iMeshBar\bar\Cache\files.ini
C:\Program Files\iMeshBar\bar\History\search
C:\Program Files\iMeshBar\bar\Settings\prevcfg.htm
C:\Program Files\MSN Messenger\msimg32.dll
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\5.bin\F3REPROX.DLL
C:\Program Files\MyWebSearch\bar\5.bin\MWSBAR.DLL
C:\Program Files\MyWebSearch\bar\6.bin\F3BKGERR.JPG
C:\Program Files\MyWebSearch\bar\6.bin\F3CJPEG.DLL
C:\Program Files\MyWebSearch\bar\6.bin\F3DTACTL.DLL
C:\Program Files\MyWebSearch\bar\6.bin\F3HISTSW.DLL
C:\Program Files\MyWebSearch\bar\6.bin\F3HTMLMU.DLL
C:\Program Files\MyWebSearch\bar\6.bin\F3HTTPCT.DLL
C:\Program Files\MyWebSearch\bar\6.bin\F3IMSTUB.DLL
C:\Program Files\MyWebSearch\bar\6.bin\F3POPSWT.DLL
C:\Program Files\MyWebSearch\bar\6.bin\F3PSSAVR.SCR
C:\Program Files\MyWebSearch\bar\6.bin\F3REPROX.DLL
C:\Program Files\MyWebSearch\bar\6.bin\F3RESTUB.DLL
C:\Program Files\MyWebSearch\bar\6.bin\F3SCHMON.EXE
C:\Program Files\MyWebSearch\bar\6.bin\F3SCRCTR.DLL
C:\Program Files\MyWebSearch\bar\6.bin\F3SHLLVW.DLL
C:\Program Files\MyWebSearch\bar\6.bin\F3SPACER.WMV
C:\Program Files\MyWebSearch\bar\6.bin\F3WALLPP.DAT
C:\Program Files\MyWebSearch\bar\6.bin\F3WPHOOK.DLL
C:\Program Files\MyWebSearch\bar\6.bin\M3FFXTBR.JAR
C:\Program Files\MyWebSearch\bar\6.bin\M3FFXTBR.MANIFEST
C:\Program Files\MyWebSearch\bar\6.bin\M3HTML.DLL
C:\Program Files\MyWebSearch\bar\6.bin\M3IDLE.DLL
C:\Program Files\MyWebSearch\bar\6.bin\M3NTSTBR.JAR
C:\Program Files\MyWebSearch\bar\6.bin\M3NTSTBR.MANIFEST
C:\Program Files\MyWebSearch\bar\6.bin\M3OUTLCN.DLL
C:\Program Files\MyWebSearch\bar\6.bin\M3PLUGIN.DLL
C:\Program Files\MyWebSearch\bar\6.bin\M3SKIN.DLL
C:\Program Files\MyWebSearch\bar\6.bin\M3SKPLAY.EXE
C:\Program Files\MyWebSearch\bar\6.bin\MWSBAR.DLL
C:\Program Files\MyWebSearch\bar\6.bin\MWSOEMON.EXE
C:\Program Files\MyWebSearch\bar\6.bin\MWSOEPLG.DLL
C:\Program Files\MyWebSearch\bar\6.bin\MWSOESTB.DLL
C:\Program Files\MyWebSearch\bar\6.bin\NPMYWEBS.DLL
C:\Program Files\MyWebSearch\bar\budyicon\fwpbuddy.png
C:\Program Files\MyWebSearch\bar\Cache\0003C092
C:\Program Files\MyWebSearch\bar\Cache\000D4DE2
C:\Program Files\MyWebSearch\bar\Cache\00112085
C:\Program Files\MyWebSearch\bar\Cache\0021DC84
C:\Program Files\MyWebSearch\bar\Cache\00229B50
C:\Program Files\MyWebSearch\bar\Cache\0060FEA0
C:\Program Files\MyWebSearch\bar\Cache\00625305
C:\Program Files\MyWebSearch\bar\Cache\00685644.bin
C:\Program Files\MyWebSearch\bar\Cache\00685C2F.bin
C:\Program Files\MyWebSearch\bar\Cache\00685DA6.bin
C:\Program Files\MyWebSearch\bar\Cache\00685FF8.bin
C:\Program Files\MyWebSearch\bar\Cache\00755877
C:\Program Files\MyWebSearch\bar\Cache\007E95B3.bin
C:\Program Files\MyWebSearch\bar\Cache\007E9DB2.bin
C:\Program Files\MyWebSearch\bar\Cache\007EA17B.bin
C:\Program Files\MyWebSearch\bar\Cache\007EA2B3.bin
C:\Program Files\MyWebSearch\bar\Cache\007EA4A7.bin
C:\Program Files\MyWebSearch\bar\Cache\007EA5EF.bin
C:\Program Files\MyWebSearch\bar\Cache\007EA870.bin
C:\Program Files\MyWebSearch\bar\Cache\007EAA25.bin
C:\Program Files\MyWebSearch\bar\Cache\007F0F48.bin
C:\Program Files\MyWebSearch\bar\Cache\0082FBAD.bin
C:\Program Files\MyWebSearch\bar\Cache\00894962.bin
C:\Program Files\MyWebSearch\bar\Cache\00894EC1
C:\Program Files\MyWebSearch\bar\Cache\00895317.bin
C:\Program Files\MyWebSearch\bar\Cache\00895605.bin
C:\Program Files\MyWebSearch\bar\Cache\00BB4F3B
C:\Program Files\MyWebSearch\bar\Cache\files.ini
C:\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S
C:\Program Files\MyWebSearch\bar\Game\CHESS.F3S
C:\Program Files\MyWebSearch\bar\Game\REVERSI.F3S
C:\Program Files\MyWebSearch\bar\History\search
C:\Program Files\MyWebSearch\bar\History\search2
C:\Program Files\MyWebSearch\bar\Settings\prevcfg.htm
C:\Program Files\MyWebSearch\bar\Settings\prevcfg2.htm
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm
C:\Program Files\MyWebSearch\bar\Settings\settings.dat
C:\Program Files\MyWebSearch\bar\Settings\settings.dat.bak
C:\Program Files\MyWebSearch\bar\Settings\settings.htm
C:\Program Files\MyWebSearch\bar\Settings\settings.htm.bak
C:\Program Files\MyWebSearch\SrchAstt\3.bin\MWSSRCAS.DLL
C:\Program Files\MyWebSearch\SrchAstt\4.bin\MWSSRCAS.DLL
C:\Program Files\outerinfo
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\pppatc~1
C:\Program Files\pppatc~1\??mbols\
C:\Program Files\pppatc~1\ping.exe
C:\Program Files\Seekmo Programs
C:\Program Files\Seekmo Programs\Seekmo Toolbar\SeekmoTBUninstaller.exe
C:\WINDOWS\crosof~1
C:\WINDOWS\sstem3~1
C:\WINDOWS\sstem3~1\mshta.exe
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\cxtobmc.dll
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\f3PSSavr.scr
C:\WINDOWS\system32\paxlh.dll
C:\WINDOWS\system32\wcpisvtr.exe

.
((((((((((((((((((((((((( Files Created from 2007-09-08 to 2007-10-08 )))))))))))))))))))))))))))))))
.

2007-10-08 15:46 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-08 01:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-07 23:25 <DIR> d-------- C:\Program Files\CONEXANT
2007-10-07 23:24 <DIR> d--hs---- C:\found.001
2007-10-07 21:59 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-07 21:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-07 21:57 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-07 21:30 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-07 13:02 35,840 --a------ C:\WINDOWS\tsitra72.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-08 15:59 --------- d-------- C:\Program Files\Plaxo
2007-10-08 15:55 --------- d-------- C:\Program Files\MSN Messenger
2007-10-04 14:35 --------- d-------- C:\Program Files\LimeWire
2007-08-25 13:59 --------- d-------- C:\Documents and Settings\Guest\Application Data\Google
2007-08-25 13:58 --------- d-------- C:\Documents and Settings\Guest\Application Data\Yahoo!
2007-08-25 13:56 --------- d-------- C:\Documents and Settings\Guest\Application Data\MySpace
2007-08-22 11:59 --------- d-------- C:\Documents and Settings\Rodalyn Toomer\Application Data\Walgreens
2007-08-21 15:51 --------- d-------- C:\Documents and Settings\Rodalyn Toomer\Application Data\FUJIFILM
2007-08-21 15:44 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-21 15:40 --------- d-------- C:\Program Files\REGSHAVE
2007-08-17 12:26 --------- d-------- C:\Documents and Settings\Rodalyn Toomer\Application Data\Yahoo!
2007-08-16 19:02 --------- d-------- C:\Documents and Settings\All Users\Application Data\Sandlot Games
2007-08-16 19:01 --------- d-------- C:\Documents and Settings\Rodalyn Toomer\Application Data\Sandlot Games
2007-08-16 18:58 --------- d-------- C:\Program Files\Shockwave.com
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\dllcache\wups.dll
2007-07-19 02:59 3583488 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
2007-07-12 19:31 765952 --a------ C:\WINDOWS\system32\dllcache\vgx.dll
2005-07-25 19:32 774144 --a------ C:\Program Files\RngInterstitial.dll
2005-12-14 02:24:56 952 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{42F77860-92DE-C652-A44B-E92B589483EE}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-04-07 19:43]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-03-15 08:58]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2003-12-09 14:02]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2003-12-10 04:52]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-08-31 18:00]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 15:45]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 18:48]
"@"="" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2005-06-14 10:05]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-08-09 15:41]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-01-11 21:45]
"PlaxoUpdate"="C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe" [2006-11-16 13:42]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-19 18:21]
"Sen"="C:\PROGRA~1\PPPATC~1\ping.exe" []
"Dli"="C:\WINDOWS\s?stem32\mshta.exe" [2006-10-17 12:56]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
"@"="" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-04 16:04:48]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 15:12:08]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]
SBC Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [2006-08-07 12:25:22]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^dlbcserv.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dlbcserv.lnk
backup=C:\WINDOWS\pss\dlbcserv.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^iZone Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\iZone Monitor.lnk
backup=C:\WINDOWS\pss\iZone Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ShortKeys Lite.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ShortKeys Lite.lnk
backup=C:\WINDOWS\pss\ShortKeys Lite.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
backup=C:\WINDOWS\pss\Windows Desktop Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Rodalyn Toomer^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Rodalyn Toomer\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Rodalyn Toomer^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=C:\Documents and Settings\Rodalyn Toomer\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Rodalyn Toomer^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=C:\Documents and Settings\Rodalyn Toomer\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"C:\Program Files\Dell Support\DSAgnt.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1139269201\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
"C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
"C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPSExe]
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\bar\5.bin\mwsoemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlaxoUpdate]
C:\Program Files\Plaxo\2.6.2.9\PlaxoHelper.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
"C:\Program Files\Windows Defender\MSASCui.exe" -hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"McTskshd.exe"=2 (0x2)
"McDetect.exe"=2 (0x2)

R0 $sys$cor;$sys$cor;C:\WINDOWS\system32\Drivers\$sys$cor.sys
R1 $sys$crater;$sys$crater;\??\C:\WINDOWS\system32\$sys$filesystem\crater.sys
R2 $sys$DRMServer;Plug and Play Device Manager;C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
R2 CD_Proxy;XCP CD Proxy;C:\WINDOWS\CDProxyServ.exe
R3 IPN2120;Instant Wireless-B PCI Adapter Driver;C:\WINDOWS\system32\DRIVERS\LSIPNDS.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-07 05:51:05 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-08 16:00:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\$sys$cor]
"ImagePath"="System32\Drivers\$sys$cor.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\$sys$crater]
"ImagePath"="\??\C:\WINDOWS\system32\$sys$filesystem\crater.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\$sys$DRMServer]
"ImagePath"="C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe"
.
Completion time: 2007-10-08 16:09:12 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-08 16:09
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:49:27 PM, on 10/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
C:\WINDOWS\CDProxyServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aimtoday.aim.com/today/aimtoday.adp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\6.bin\MWSBAR.DLL (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Sen] "C:\PROGRA~1\PPPATC~1\ping.exe" -vt yazb
O4 - HKCU\..\Run: [Dli] C:\WINDOWS\s?stem32\mshta.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...US_ZBzeb032YYUS
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?6248ce7115b44e90a528bc87903ed8d0
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?6248ce7115b44e90a528bc87903ed8d0
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Rodalyn Toomer\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...tup1.0.0.15.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://zone.msn.com/bingame/trbo/default/ActiveLauncher.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D06A22B4-6087-4D3D-B7AF-82B113E9ABD4} (CPostLaunch Object) - http://www2.verizon.net/update/msnwebinsta...es/vzWebIns.CAB
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...5/installer.exe
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)

--
End of file - 12433 bytes

#4 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:11:17 AM

Posted 08 October 2007 - 04:38 PM

Good work! Let's continue.. :thumbsup:

It is a good idea to print off these instructions. There is a possibility some of the instructions will need to be carried out where internet access is not available. It is important that you complete the instructions in the right order, and that you don't miss out any steps.

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

I see you are running Teatimer.
I suggest you to disable it because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer during HijackThis Cleanup
Then, Download ResetTeaTimer.bat.
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

MySpace is not safe and I do not recommend it to anyone. You may also want to read these blogs:
MySpace malware -- for the unpatched
Hacked Ad Seen on MySpace Served Spyware to a Million
MySpace users hit by hacker virus

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - (no file)
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\6.bin\MWSBAR.DLL (file missing)
O4 - HKCU\..\Run: [Sen] "C:\PROGRA~1\PPPATC~1\ping.exe" -vt yazb
O4 - HKCU\..\Run: [Dli] C:\WINDOWS\s?stem32\mshta.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...US_ZBzeb032YYUS
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...tup1.0.0.15.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Using Windows Explorer, please locate the following files/folders, and delete them if still present:

C:\WINDOWS\tsitra72.exe

I want you to clean your cache and cookies from your internet explorer.
There are a few infected files which need to be removed from your system.

Close all instances of Internet Explorer .
Go to your control panel and open "Internet Options".
Click on the "General" tab.
Click the "Delete Cookies" button, then the "Delete Files" button.
If prompted, place a tick in the "Delete all offline content" box and click OK.

Also, please clean other Temporary files and Empty the Recycle Bin

Go to start and click on the "run" button.
Type the following in the box --> cleanmgr and click ok.
Let it scan your system for files to remove.
Make sure only Temporary Files, Temporary Internet Files, and Recycle Bin are checked.
Press OK to remove them.

Reboot again.

Please perform this online scan: Kaspersky Webscan
Note that this scanner will only work on Internet Explorer, so please use this browser for the scan.
Read the Requirements and Privacy statement, then select "Accept"
A dialogue box will appearing asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
Select "Install" to download the ActiveX controls that allows ActiveScan to run.

When the download is complete it will say ready, click "Next"
Select a target to scan: Click on "My Computer"
When the scan is complete choose to save the results as "Save as Text"
Post the Kaspersky scan results in your next reply, along with a new Hijackthis log.

#5 PnthrPride

PnthrPride
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:04:17 AM

Posted 14 October 2007 - 08:08 AM

Ok there is Kaspersky and Hijack this.. I see C:\WINDOWS\tsitra72.exe .. but how do I delete it off my Internet Explorer?



Sunday, October 14, 2007 8:59:59 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 14/10/2007
Kaspersky Anti-Virus database records: 435683


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\

Scan Statistics
Total number of scanned objects 160934
Number of viruses found 31
Number of infected objects 88
Number of suspicious objects 0
Duration of the scan process 01:52:32

Infected Object Name Virus Name Last Action
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Rodalyn Toomer\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-31948cec-18c0fd5f.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped

C:\Documents and Settings\Rodalyn Toomer\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-31948cec-18c0fd5f.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped

C:\Documents and Settings\Rodalyn Toomer\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-31948cec-18c0fd5f.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped

C:\Documents and Settings\Rodalyn Toomer\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-31948cec-18c0fd5f.zip ZIP: infected - 3 skipped

C:\Documents and Settings\Rodalyn Toomer\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\dsbr.jar-13f7d018-2cac610b.zip/MagicApplet.class Infected: Trojan-Downloader.Java.OpenConnection.ao skipped

C:\Documents and Settings\Rodalyn Toomer\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\dsbr.jar-13f7d018-2cac610b.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.ao skipped

C:\Documents and Settings\Rodalyn Toomer\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\dsbr.jar-13f7d018-2cac610b.zip ZIP: infected - 2 skipped

C:\Documents and Settings\Rodalyn Toomer\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Rodalyn Toomer\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Rodalyn Toomer\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Rodalyn Toomer\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Rodalyn Toomer\Local Settings\Temp\me_7aeWCmVYUsOXR7S Object is locked skipped

C:\Documents and Settings\Rodalyn Toomer\Local Settings\Temp\me_eujS7BlNi2uyF2s Object is locked skipped

C:\Documents and Settings\Rodalyn Toomer\Local Settings\Temp\me_eVfp7ilpxrW7K1o Object is locked skipped

C:\Documents and Settings\Rodalyn Toomer\Local Settings\Temp\me_mG2V6x3WavT94lc Object is locked skipped

C:\Documents and Settings\Rodalyn Toomer\Local Settings\Temp\me_yuQCgeuJXfgcKoa Object is locked skipped

C:\Documents and Settings\Rodalyn Toomer\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\Rodalyn Toomer\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Rodalyn Toomer\My Documents\My Received Files\MsnMsgr.txt Object is locked skipped

C:\Documents and Settings\Rodalyn Toomer\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Rodalyn Toomer\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Kodak\Kodak EasyShare software\bin\Catalog\EasyShare.me Object is locked skipped

C:\Program Files\Kodak\Kodak EasyShare software\bin\Catalog\EasyShare.mm Object is locked skipped

C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\BWKDLogs\BWTargetInf.log Object is locked skipped

C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\chandir.dat Object is locked skipped

C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\chandir.idx Object is locked skipped

C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\chn.dat Object is locked skipped

C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\chn.idx Object is locked skipped

C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\D0000000.FCS Object is locked skipped

C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\inuse.txt Object is locked skipped

C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\L0000001.FCS Object is locked skipped

C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\main.log Object is locked skipped

C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs.dat Object is locked skipped

C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs.idx Object is locked skipped

C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_die.dat Object is locked skipped

C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_die.idx Object is locked skipped

C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_dnd.dat Object is locked skipped

C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_dnd.idx Object is locked skipped

C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_ext.dat Object is locked skipped

C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_ext.idx Object is locked skipped

C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_rcv.dat Object is locked skipped

C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_rcv.idx Object is locked skipped

C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\storydb.dat Object is locked skipped

C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\storydb.idx Object is locked skipped

C:\Program Files\MSN Messenger\riched20.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll Infected: not-a-virus:AdWare.Win32.MyWay.v skipped

C:\Program Files\SBC Self Support Tool\log\mpbtn.log Object is locked skipped

C:\Program Files\SBC Self Support Tool\SmartBridge\AlertFilter.log Object is locked skipped

C:\Program Files\SBC Self Support Tool\SmartBridge\log\httpclient.log Object is locked skipped

C:\Program Files\SBC Self Support Tool\SmartBridge\SmartBridge.log Object is locked skipped

C:\Program Files\Trend Micro\HijackThis\backups\backup-20071009-005137-354.dll Infected: not-a-virus:AdWare.Win32.MyWay.v skipped

C:\qoobox\Quarantine\C\9.tmp.vir/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped

C:\qoobox\Quarantine\C\9.tmp.vir NSIS: infected - 1 skipped

C:\qoobox\Quarantine\C\A.tmp.vir/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped

C:\qoobox\Quarantine\C\A.tmp.vir/stream/data0003 Infected: not-a-virus:AdWare.Win32.AdBand.b skipped

C:\qoobox\Quarantine\C\A.tmp.vir/stream Infected: not-a-virus:AdWare.Win32.AdBand.b skipped

C:\qoobox\Quarantine\C\A.tmp.vir NSIS: infected - 3 skipped

C:\qoobox\Quarantine\C\B.tmp.vir Infected: Trojan-Downloader.Win32.Small.fxy skipped

C:\qoobox\Quarantine\C\Program Files\Common Files\Yazzle1552OinAdmin.exe.vir Infected: Trojan-Downloader.Win32.PurityScan.eg skipped

C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\5.bin\F3REPROX.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.v skipped

C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\5.bin\MWSBAR.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.p skipped

C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\6.bin\F3DTACTL.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.al skipped

C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\6.bin\F3HISTSW.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\6.bin\F3HTMLMU.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\6.bin\F3HTTPCT.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.af skipped

C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\6.bin\F3POPSWT.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped

C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\6.bin\F3PSSAVR.SCR.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\6.bin\F3REPROX.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.v skipped

C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\6.bin\F3RESTUB.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\6.bin\F3SCHMON.EXE.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.a skipped

C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\6.bin\F3SCRCTR.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped

C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\6.bin\F3SHLLVW.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.aq skipped

C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\6.bin\F3WPHOOK.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.bh skipped

C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\6.bin\M3HTML.DLL.vir Infected: not-a-virus:AdWare.Win32.MyWebSearch.w skipped

C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\6.bin\M3IDLE.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.ax skipped

C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\6.bin\M3OUTLCN.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\6.bin\M3PLUGIN.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped

C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\6.bin\M3SKIN.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.ad skipped

C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\6.bin\MWSBAR.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped

C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\6.bin\MWSOEMON.EXE.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\6.bin\MWSOEPLG.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.ab skipped

C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\6.bin\MWSOESTB.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\6.bin\NPMYWEBS.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped

C:\qoobox\Quarantine\C\Program Files\MyWebSearch\SrchAstt\3.bin\MWSSRCAS.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped

C:\qoobox\Quarantine\C\Program Files\MyWebSearch\SrchAstt\4.bin\MWSSRCAS.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.aq skipped

C:\qoobox\Quarantine\C\Program Files\Seekmo Programs\Seekmo Toolbar\SeekmoTBUninstaller.exe.vir Infected: not-a-virus:AdWare.Win32.Agent.c skipped

C:\qoobox\Quarantine\C\WINDOWS\SSTEM3~1\mshta.exe.vir Infected: not-a-virus:AdWare.Win32.PurityScan.gg skipped

C:\qoobox\Quarantine\C\WINDOWS\system32\f3PSSavr.scr.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP558\A0595573.dll Infected: not-a-virus:AdWare.Win32.HotBar.cc skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP558\A0595579.exe Infected: not-a-virus:AdWare.Win32.180Solutions.bc skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP558\A0595582.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.180Solutions.bj skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP558\A0595582.exe/stream Infected: not-a-virus:AdWare.Win32.180Solutions.bj skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP558\A0595582.exe NSIS: infected - 2 skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP598\A0628227.dll Infected: not-a-virus:AdWare.Win32.AdBand.b skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP598\A0628229.exe Infected: not-a-virus:Downloader.Win32.Agent.q skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP599\A0628286.dll Infected: not-a-virus:AdWare.Win32.Comet.c skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP601\A0628449.dll Infected: not-a-virus:AdWare.Win32.Agent.c skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP601\A0630622.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gg skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP602\A0630631.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP602\A0630637.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.v skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP602\A0630638.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.p skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP602\A0630640.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.al skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP602\A0630641.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP602\A0630642.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP602\A0630643.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.af skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP602\A0630645.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP602\A0630646.SCR Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP602\A0630647.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.v skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP602\A0630648.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP602\A0630649.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.a skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP602\A0630650.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP602\A0630651.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.aq skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP602\A0630652.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bh skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP602\A0630654.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.w skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP602\A0630655.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ax skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP602\A0630657.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP602\A0630658.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP602\A0630659.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ad skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP602\A0630661.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP602\A0630662.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP602\A0630663.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ab skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP602\A0630664.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP602\A0630665.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP602\A0630667.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP602\A0630668.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.aq skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP602\A0630670.exe Infected: not-a-virus:AdWare.Win32.Agent.c skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP602\A0630672.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gg skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP602\A0630677.scr Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP608\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{5C00F2AD-EAF7-4553-A90F-070BBD09D321}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\DEFAULT Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SYSTEM Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\tsitra72.exe Infected: Trojan-Downloader.Win32.Agent.dve skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.









Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:05:34 AM, on 10/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
C:\WINDOWS\CDProxyServ.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?6248ce7115b44e90a528bc87903ed8d0
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?6248ce7115b44e90a528bc87903ed8d0
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Rodalyn Toomer\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://zone.msn.com/bingame/trbo/default/ActiveLauncher.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} -
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D06A22B4-6087-4D3D-B7AF-82B113E9ABD4} (CPostLaunch Object) - http://www2.verizon.net/update/msnwebinsta...es/vzWebIns.CAB
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...5/installer.exe
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)

--
End of file - 10705 bytes

#6 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:11:17 AM

Posted 14 October 2007 - 09:31 AM

Hey there, let's continue..

Download KillBox from the following link :
http://www.bleepingcomputer.com/files/killbox.php
Unzip the folder to your desktop.

Click Start > Control Panel.

Double-click the Java icon in the control panel.
The Java Control Panel appears.
Click Settings under Temporary Internet Files.
The Temporary Files Settings dialog box appears.

Click Delete Files.
The Delete Temporary Files dialog box appears.

There are three options on this window to clear the cache.
- Delete Files
- View Applications
- View Applets
Click OK on Delete Temporary Files window.
Note: This deletes all the Downloaded Applications and Applets from the cache.

Click OK on Temporary Files Settings window.
Note: If you want to delete a specific application and applet from the cache, click on View Application and View Applet options respectively.

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (!important!),which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\Program Files\MSN Messenger\riched20.dll
C:\WINDOWS\tsitra72.exe


Open 'file' in the killboxmenu on top and choose Paste from clipboard
You must use the file File menu--pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click "yes".
Click OK at any Pending File Rename Operations prompt, let me know if there appear.
If you don't get that message, reboot manually.
Your computer should reboot now.

Find and manually delete these folders;
C:\Program Files\MyWaySA
C:\qoobox

We need to purge your infected system restore points.
On the Desktop, right-click My Computer, then click Properties.
Click the System Restore tab near the top of the window.
Check Turn off System Restore, click Apply, and then click OK.
More information on how to disable your system restore can be found here.

We want to create a new, clean restore point. Please first reboot your computer.
On the Desktop, right-click My Computer, then click Properties.
Click the System Restore tab near the top of the window.
Uncheck "Turn off System Restore", click Apply, and then click OK.

Click Start > All Programs > Accessories > System Tools, and select System Restore.
In the System Restore wizard, select the box next the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point - Something like "After trojan/spyware cleanup".
Click Create, and after it has created the restore point, click "Close".
Further instructions on creating a restore point can be found here

Please reboot a final time and let me know how the PC is running.
I see a clean Hijackthis log now! :thumbsup:

#7 PnthrPride

PnthrPride
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:04:17 AM

Posted 14 October 2007 - 01:22 PM

Ok.. problem. :thumbsup:
After posting my last post I ended up just searching the tsitra72.exe on windows explorer and deleting it .. it went to the recycle bin and then I just deleted it from there. Was that a bad thing? And, after your new post where you said to go to control panel and then the java icon, I have Java Plug-In.. and when I open it it has Basic, Advance, Browser, etc. tabs.. and I dont see anything with Temporary Files...

#8 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:11:17 AM

Posted 15 October 2007 - 04:19 PM

Ok, don't worry about asking questions, better to be safe than sorry! :thumbsup:
Continue with Killbox as normal, it doesn't matter if you've already deleted one of the files.
You need to update Java to a newer version, but we will do that at the end, when the PC is clean.
Therefore you can skip the deletion of the Java cache/temporary files, skipping straight to the killbox step.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users