
I Think I May Be Infected With Something


7 replies to this topic

#1 ABen

  • Members
  • 4 posts

Posted 11 October 2007 - 06:33 PM

I don't know what I have, but my computer gets annoying pop-ups, I get kicked off of web pages, and at one point my control panel was completely inaccessible because my system administrator status was changed, which I fixed with system restore, but I don't think that action removed whatever my computer has, so here is my HijackThis log. Please help!!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:29:25 PM, on 10/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\scvhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\kdx\KHost.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Program Files\QuickTime\qttask.exe
C:\windows\eee2.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Common Files\AOL\1128460756\ee\AOLHostManager.exe
C:\Windows\xpupdate.exe
C:\Program Files\Common Files\AOL\1128460756\ee\AOLServiceHost.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\PROGRA~1\COMMON~1\FNTS~1\regsvr32.exe
C:\Program Files\ISM\ISMModule6.exe
C:\Documents and Settings\Leslie Bennett\My Documents\W?nSxS\d?dplay.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\cmd.exe
C:\Program Files\Common Files\AOL\1128460756\ee\AOLServiceHost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\WINDOWS\System32\ssmypics.scr
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {65D17263-9CFD-E226-F53B-E62B5BE3829E} - C:\WINDOWS\System32\uxt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: BndDrive2 BHO Class - {8C6D5A56-791E-4fe8-9D64-81781FA15D68} - C:\Program Files\ISM\BndDrive6.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB002" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1128460756\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Antivirus] C:\WINDOWS\b.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [TIAP] C:\windows\eee2.exe
O4 - HKLM\..\Run: [tm~*] C:\windows\eee2.exe
O4 - HKLM\..\Run: [wahm] C:\windows\eee2.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [7a2r0n] C:\WINDOWS\system32\7a2r0n.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\ares.exe" -h
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [7a2r0n] C:\WINDOWS\system32\7a2r0n.exe
O4 - HKCU\..\Run: [Wnsd] "C:\PROGRA~1\COMMON~1\FNTS~1\regsvr32.exe" -vt yazb
O4 - HKCU\..\Run: [ISMModule6] "C:\Program Files\ISM\ISMModule6.exe"
O4 - HKCU\..\Run: [Gixs] "C:\Documents and Settings\Leslie Bennett\My Documents\W?nSxS\d?dplay.exe"
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKUS\S-1-5-18\..\Run: [IESet] IExplorer.dll .dbt (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [IESet] IExplorer.dll .dbt (User 'Default user')
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/clients/y/ot0_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {494C4BEF-FAC9-FE5D-ADA1-85B08BA2C789} - http://public.searchbarcash.com/cab/349/wtvuvzaw.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2AD4DAC2-5DFF-4566-BA2D-340DFC2C70D9}: NameServer = 68.94.156.1 68.94.157.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2279EDF-08C0-4368-91DC-446E5A8A29D2}: NameServer = 85.255.115.90,85.255.112.225
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.100 85.255.112.143
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.90 85.255.112.225
O17 - HKLM\System\CS2\Services\Tcpip\..\{2AD4DAC2-5DFF-4566-BA2D-340DFC2C70D9}: NameServer = 68.94.156.1 68.94.157.1
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.115.90 85.255.112.225
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.90 85.255.112.225
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee.com Personal Firewall Service (MpfService) - McAfee.com Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O24 - Desktop Component 1: Desktop Uninstall - C:\WINDOWS\warnhp.html

--
End of file - 10044 bytes
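The log above is the kind a HijackThis helper reads by eye: a process whose name is one letter-swap away from a core system binary, an O23 service registered under a system name but pointing at a file outside System32, autostart entries living in the Windows root or with no directory at all, wildcard Trusted Zone entries, and O17 NameServer values that disagree between registry keys. The script below is an added example for this thread, not a BleepingComputer or HijackThis tool; it applies those checks to lines copied from the posted log. It assumes Windows is installed at C:\WINDOWS, and the 0.85 similarity threshold and the set of "core binaries" it knows about are choices made here, not anything the log format defines.

```python
import re
from collections import defaultdict
from difflib import SequenceMatcher

# Canonical Windows XP system binaries (lowercase) and the directory each one
# legitimately loads from. Assumption: Windows is installed at C:\WINDOWS.
SYSTEM_BINARIES = {
    "smss.exe": r"c:\windows\system32", "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32", "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32", "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
WINDOWS_ROOT = r"c:\windows"

O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O17_RE = re.compile(r"^O17 - (?P<key>.+): NameServer = (?P<servers>.+)$")
O23_RE = re.compile(r"^O23 - Service: .*? \((?P<short>[^)]+)\) - .*? - (?P<path>.+)$")

def split_path(path):
    """Lower-cased (directory, filename) of a Windows path, surrounding quotes stripped."""
    head, _, tail = path.strip().strip('"').rpartition("\\")
    return head.lower(), tail.lower()

def first_token(cmd):
    """Executable part of a Run value: the quoted path, else the first whitespace token."""
    return cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split()[0]

def lookalike(name):
    """System binary that 'name' nearly (but not exactly) matches, else None."""
    if name in SYSTEM_BINARIES:
        return None
    return next((r for r in SYSTEM_BINARIES if SequenceMatcher(None, name, r).ratio() >= 0.85), None)

def check_binary(path):
    """Flag name lookalikes and genuine system binaries loaded from the wrong directory."""
    directory, base = split_path(path)
    hit = lookalike(base)
    if hit:
        return f"'{base}' in '{directory}' looks like system binary '{hit}'"
    if base in SYSTEM_BINARIES and directory != SYSTEM_BINARIES[base]:
        return f"system binary '{base}' loaded from '{directory}' instead of '{SYSTEM_BINARIES[base]}'"
    return None

def triage(log_text):
    """Return a list of review findings for a HijackThis log."""
    findings = []
    nameservers = defaultdict(list)  # frozenset of DNS servers -> registry keys using that set
    for line in log_text.splitlines():
        line = line.strip()
        if re.match(r"^[A-Za-z]:\\", line):  # a "Running processes" entry
            if problem := check_binary(line):
                findings.append(f"PROCESS: {problem}")
        elif m := O4_RE.match(line):
            exe = first_token(m["cmd"])
            directory, base = split_path(exe)
            if "\\" not in exe:
                findings.append(f"O4: [{m['name']}] runs '{exe}' with no directory (search-path hijack risk)")
            elif directory == WINDOWS_ROOT:
                findings.append(f"O4: [{m['name']}] runs '{base}' from the Windows root, unusual for a legitimate autostart")
            elif problem := check_binary(exe):
                findings.append(f"O4: [{m['name']}] {problem}")
        elif line.startswith("O15 - Trusted Zone:"):
            findings.append(f"O15: {line.split(':', 1)[1].strip()} is in the Trusted Zone; confirm it was added deliberately")
        elif m := O17_RE.match(line):
            nameservers[frozenset(re.split(r"[ ,]+", m["servers"].strip()))].append(m["key"])
        elif m := O23_RE.match(line):
            path = m["path"].replace("(file missing)", "").strip()
            problem = check_binary(path)
            canonical = m["short"].lower() + ".exe"
            if not problem and canonical in SYSTEM_BINARIES and \
                    split_path(path) != (SYSTEM_BINARIES[canonical], canonical):
                problem = f"uses a core system service name but runs '{path}'"
            if problem:
                findings.append(f"O23: service '{m['short']}': {problem}")
    if len(nameservers) > 1:
        sets = "; ".join(" ".join(sorted(s)) for s in nameservers)
        findings.append(f"O17: {len(nameservers)} different DNS server sets configured ({sets}); "
                        "a resolver the user never chose is a common hijack sign")
    return findings

# Constructed sample: a subset of lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\scvhost.exe
C:\windows\eee2.exe

O4 - HKLM\..\Run: [Antivirus] C:\WINDOWS\b.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O15 - Trusted Zone: *.popuppers.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{2AD4DAC2-5DFF-4566-BA2D-340DFC2C70D9}: NameServer = 68.94.156.1 68.94.157.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2279EDF-08C0-4368-91DC-446E5A8A29D2}: NameServer = 85.255.115.90,85.255.112.225
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.90 85.255.112.225
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
"""

for finding in triage(SAMPLE_LOG):
    print(finding)
```

Run as-is and it prints seven findings for the sample: the scvhost.exe lookalike (once as a process, once as the image behind the lsass service), the three O4 entries that are bare names or sit in the Windows root, the Trusted Zone wildcard, and the two disagreeing DNS server sets. The heuristics are deliberately conservative so that legitimate entries such as the Java updater or the Webroot service produce nothing; they are a first pass for a reviewer, not a verdict.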


#2 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 12 October 2007 - 04:59 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum ABen :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

You have a Backdoor Trojan present on your pc.
A Backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge. A Backdoor compromises system integrity by making changes to the system that allow it to be used by the attacker for malicious purposes unknown to the user.

They are typically installed without user interaction through security exploits, and may allow an attacker to remotely control the infected machine. Such risks may allow the attacker to install additional malware and use the compromised machine to participate in denial of service attacks, spamming, and bot nets, or to transmit sensitive data to a remote server. The malware may be cloaked and not visible to the user. These risks severely compromise the system by lowering security settings, installing 'backdoors,' infecting system files, or spreading to other networked machines.

If your computer was used for online banking or has credit card information on it, all passwords should be changed immediately to include those used for email, eBay and forums.
You should consider them to be compromised.
They should be changed by using a different computer and not the infected one, if not an attacker may get the new passwords and transaction information.
Banking and credit card institutions should be notified of the possible security breach.

Since your computer was compromised read:
How to report ID theft, fraud, drive-by installs, hijacking and malware:
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall:
http://www.dslreports.com/faq/10063

Let me know what you want to do in your next reply.

#3 ABen

  • Topic Starter
  • Members
  • 4 posts

Posted 12 October 2007 - 10:09 PM

Whoa!! Is it that serious? Both of those websites scared and intimidated me. My family and I only use this computer for personal reasons, and I checked with my sister, whom the computer rightly belongs to (she took it to her college dorm with her and just recently brought it back home), and she said that she has never submitted a credit card number on this computer. The only thing we have submitted online are college applications and ACT registration, both most likely containing social security numbers. I honestly do not want to re-format my computer unless it is my last resort, and if the problem has reached that point, I honestly do not think that I am capable of re-formatting my computer alone. I will definitely need help. I am almost positive that my family has lost the necessary cds and booklets needed to re-install windows correctly, and I have seldom a clue as to where I could re-attain those necessities. I would really have to know more about how re-formatting will affect my computer, in order to make an educated decision. Will I lose all of my documents or can they be salvaged? What about my programs? Is there any other way possible that I could fix my computer without re-formatting it? If not, then I suppose, with yours or someone else's help, I could re-format my computer. Thank you so much for helping me, I am almost completely computer illiterate, and I need all the help I can get. So, thank you again!

#4 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 13 October 2007 - 03:48 AM

Is there any other way possible that i could fix my computer without re-formatting it?

Your pc is badly infected, let's have a go at cleaning it up, please follow these instructions in the order posted:

Download and run Fixwareout from the link below:
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
After the reboot post the contents of the logfile C:\fixwareout\report.txt in your next reply.


Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

* Double click on SDFix on your desktop, and install the fix to C:\

Please then reboot your computer into Safe Mode by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, go to and open the C:\SDFix folder, then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.


Download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Also post a new HijackThis log please.

#5 ABen

  • Topic Starter
  • Members
  • 4 posts

Posted 13 October 2007 - 12:40 PM

I completed the tasks and here are the results:

Fixwareout

Username "Leslie Bennett" - 10/13/2007 10:30:26 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check
HKLM\SOFTWARE\~\CurrentVersion\Run\ ="dmpco"
HKLM\SOFTWARE\~\Winlogon\ "System"="csqlz.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.115.90 85.255.112.225" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{E2279EDF-08C0-4368-91DC-446E5A8A29D2}
"nameserver"="85.255.115.90,85.255.112.225" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\~\currentversion\run "dmpco.exe" Deleted
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "ocpmd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "0mdm" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "1mdm" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "3mdm" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}DDCD99FD0E89-2459-F004-7684-537EB95D{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}77D43CB57486-740B-7074-2A2F-CD3496D9{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}F64886ECADB2-7388-6234-D715-774E14D0{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}1EA2FB678CFC-6A3B-D984-FFB5-B86309BE{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}394D23EBD342-DDE9-3B64-80F3-82280F67{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}75283C9EC2E7-06FB-4F24-7847-1BA307C9{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion "jkmsc" Value deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion "rwnsc" Value deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion "nzgsc" Value deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion "zlqsc" Value deleted
HKCR\CLSID\{16B24CA0-9569-406D-9658-DFCDA06C8151}\_h\4 Deleted.
HKCR\CLSID\{21F610BA-4C01-4B26-ADAD-D2A1E78817FE}\_h\4 Deleted.
HKCR\CLSID\{2D834F30-8437-4618-8865-A4EBC0C4A476}\_h\4 Deleted.
HKCR\CLSID\{48C167EE-4350-47F9-8F41-D931B8D0D612}\_h\4 Deleted.
C:\WINDOWS\System32\csedm.exe Deleted
C:\WINDOWS\System32\csjnk.exe Deleted
C:\WINDOWS\System32\csnwr.exe Deleted
C:\WINDOWS\System32\dmcmw.exe Deleted
C:\WINDOWS\System32\dmcub.exe Deleted
C:\WINDOWS\System32\dmeer.exe Deleted
C:\WINDOWS\System32\dmlqk.exe Deleted
C:\WINDOWS\System32\dmuss.exe Deleted
C:\WINDOWS\System32\aufxe.exe Deleted
C:\WINDOWS\System32\ccion.exe Deleted
C:\WINDOWS\System32\cmvum.exe Deleted
C:\WINDOWS\System32\csife.exe Deleted
C:\WINDOWS\System32\cxlot.exe Deleted
C:\WINDOWS\System32\dtzyw.exe Deleted
C:\WINDOWS\System32\ebahn.exe Deleted
C:\WINDOWS\System32\eeevk.exe Deleted
C:\WINDOWS\System32\epxfg.exe Deleted
C:\WINDOWS\System32\fwyru.exe Deleted
C:\WINDOWS\System32\gvent.exe Deleted
C:\WINDOWS\System32\hcvgh.exe Deleted
C:\WINDOWS\System32\jratf.exe Deleted
C:\WINDOWS\System32\jshrt.exe Deleted
C:\WINDOWS\System32\jsraf.exe Deleted
C:\WINDOWS\System32\lwijl.exe Deleted
C:\WINDOWS\System32\milmu.exe Deleted
C:\WINDOWS\System32\mspqv.exe Deleted
C:\WINDOWS\System32\nedce.exe Deleted
C:\WINDOWS\System32\nfkdu.exe Deleted
C:\WINDOWS\System32\prmtz.exe Deleted
C:\WINDOWS\System32\pxyus.exe Deleted
C:\WINDOWS\System32\rnopq.exe Deleted
C:\WINDOWS\System32\sccjs.exe Deleted
C:\WINDOWS\System32\tiigl.exe Deleted
C:\WINDOWS\System32\tnylx.exe Deleted
C:\WINDOWS\System32\ukqdk.exe Deleted
C:\WINDOWS\System32\untnn.exe Deleted
C:\WINDOWS\System32\vkxbz.exe Deleted
C:\WINDOWS\System32\vwfvb.exe Deleted
C:\WINDOWS\System32\ypxeh.exe Deleted
C:\WINDOWS\System32\ytbwq.exe Deleted
C:\WINDOWS\System32\zjppn.exe Deleted
C:\WINDOWS\System32\zvybp.exe Deleted
C:\WINDOWS\System32\sjmkq.exe Deleted
....
~~~~~ Misc files.
C:\Documents and Settings\Leslie Bennett\Application Data\Install.dat Deleted
C:\Documents and Settings\Leslie Bennett\Application Data\kc.tmp Deleted
C:\Documents and Settings\Leslie Bennett\Application Data\uns.tmp Deleted
C:\Documents and Settings\All Users\Favorites\Download Free Spyware Remover.url Deleted
C:\Documents and Settings\All Users\Favorites\NEW VIAGRA at Half Price!.url Deleted
C:\Documents and Settings\All Users\Favorites\Online Chat With Nude Girls.url Deleted
C:\Documents and Settings\All Users\Favorites\Order CIALIS online without leaving home..url Deleted
C:\Documents and Settings\All Users\Favorites\PC protection in under 2 minutes!.url Deleted
C:\Documents and Settings\All Users\Favorites\SEX Dating - Real Girls For Real SEX.url Deleted
C:\Documents and Settings\All Users\Favorites\Stop PopUps On Your Computer.url Deleted
C:\Documents and Settings\All Users\Favorites\VIAGRA at incredible low price. Bonus Pills!.url Deleted
C:\Documents and Settings\All Users\Favorites\View ADULT photos of REAL GIRLS!.url Deleted
C:\WINDOWS\BALLOON.WAV Deleted
C:\WINDOWS\Help\SPAlert.chm Deleted
C:\WINDOWS\RDT.INI Deleted
C:\WINDOWS\System32\close.bmp Deleted
C:\WINDOWS\System32\dating.bmp Deleted
C:\WINDOWS\System32\drivers\zpmodemnt.sys Deleted
C:\WINDOWS\System32\favset.exe Deleted
C:\WINDOWS\System32\filesafer23.exe Deleted
C:\WINDOWS\System32\gambling.bmp Deleted
C:\WINDOWS\System32\hgqhp.exe Deleted
C:\WINDOWS\System32\howiper.exe Deleted
C:\WINDOWS\System32\idesk.conf Deleted
C:\WINDOWS\System32\insurance.bmp Deleted
C:\WINDOWS\System32\pharmacy.bmp Deleted
C:\WINDOWS\System32\spyware.bmp Deleted
C:\WINDOWS\System32\xxx.bmp Deleted
C:\WINDOWS\xpupdate.exe Deleted
C:\Documents and Settings\All Users\Favorites\Online Pharmacy Deleted
C:\Documents and Settings\All Users\Favorites\Sex and Dating Deleted
C:\Documents and Settings\All Users\Favorites\Spyware Uninstall Deleted
C:\Program Files\SpyMarshal Deleted
C:\Program Files\UnSpyPC Deleted
C:\Program Files\SpyVampire Deleted
C:\WINDOWS\SYSTEM32\{4777EDDE-30C2-4349-B63F-F1D5F36C3A0C}.exe Deleted
C:\WINDOWS\SYSTEM32\{48C914A3-1B82-43C3-B34D-57D1B34AFA6E}.exe Deleted
C:\WINDOWS\SYSTEM32\{73375C1B-EF07-4E72-BDA2-EB50EC443CBA}.exe Deleted
C:\WINDOWS\SYSTEM32\{7A7351DF-1C83-4D07-8AF5-E9E089AD64D6}.exe Deleted
C:\WINDOWS\SYSTEM32\{959A0871-1401-445E-A6EA-39D0D3AAC48F}.exe Deleted
C:\WINDOWS\SYSTEM32\{9C703AB1-7487-42F4-BF60-7E2CE9C38257}.exe Deleted
C:\WINDOWS\SYSTEM32\{9D6943DC-F2A2-4707-B047-68475BC34D77}.exe Deleted
C:\WINDOWS\SYSTEM32\{CA823CEC-D2DE-4103-BE18-EA364EF7ECD5}.exe Deleted
C:\WINDOWS\SYSTEM32\{EB90368B-5BFF-489D-B3A6-CFC876BF2AE1}.exe Deleted
C:\WINDOWS\SYSTEM32\{F3F6604D-6732-4C19 -B8EE-261D53CA3E9D}.exe Deleted
C:\WINDOWS\SYSTEM32\{F4DC50A1-939C-4D3C-9276-81044966EE11}.exe Deleted
C:\WINDOWS\System32\kernel32.exe Deleted
....
~~~~~ Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.

C:\WINDOWS\SYSTEM32\dmabf.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmafp.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmaqd.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmasj.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmaue.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmave.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmawy.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmaxq.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmbfi.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmblc.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmbnk.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmbsf.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmbwk.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmbyu.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmcad.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmccr.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmcgy.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmcmx.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmcnh.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmcyi.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmdgv.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmdrn.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmdsn.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmdwi.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmeno.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmewq.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmexf.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmexz.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmfnv.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmfsz.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmfyv.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmgdt.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmgeq.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmgff.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmgfq.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmggn.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmgkc.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmgmt.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmgrs.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmgzp.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmham.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmhbb.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmhcd.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmhef.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmhom.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmhoy.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmicl.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmifz.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmimh.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dminm.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmioh.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmipk.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmirq.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmisu.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmjsq.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmjts.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmjxe.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmjyo.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmjyr.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmkht.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmkis.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmkkp.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmkto.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmkvs.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmlgt.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmlhd.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmlnn.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmlun.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmlvs.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmlzi.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmmdv.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmmqk.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmmxi.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmncf.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmndw.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmnpv.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmnrd.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmnuc.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmnwd.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmocd.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmocy.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmoig.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmokh.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmovs.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmown.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmpob.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmpot.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmpqr.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmqfv.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmqhh.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmqhv.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmqoe.exe 60939 09/03/2002
C:\WINDOWS\SYSTEM32\dmqom.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmrba.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmrbj.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmroq.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmrpl.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmryb.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmryv.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmrzf.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmser.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmslj.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmsrp.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmtkc.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmtwn.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmtzr.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmufc.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmuhk.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmuls.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmump.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmupg.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmuqf.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmuxh.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmvbc.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmvbe.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmvei.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmvlv.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmvqq.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmvsz.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmwfu.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmwgs.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmwhl.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmwjl.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmwuo.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmxah.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmxjm.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmxne.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmxpx.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmybo.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmycd.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmycq.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmyim.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmymt.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmyqx.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmysq.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmyzp.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmzch.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmzje.exe 60505 09/03/2002
C:\WINDOWS\SYSTEM32\dmzwy.exe 60505 09/03/2002

Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/

~~~~~ Other
C:\WINDOWS\Temp\csqlz.ren 51777 10/02/2006
C:\WINDOWS\Temp\dmpco.ren 60505 09/03/2002

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCAgentExe"="C:\\Program Files\\McAfee.com\\Agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\McAfee.com\\Agent\\McUpdate.exe"
"VirusScan Online"="c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe"
"MPFExe"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"MMTray"="\"C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe\""
"kdx"="C:\\WINDOWS\\kdx\\KHost.exe"
"EPSON Stylus Photo R200 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2H1.EXE /P30 \"EPSON Stylus Photo R200 Series\" /O6 \"USB002\" /M \"Stylus Photo R200\""
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1128460756\\ee\\AOLHostManager.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Antivirus"="C:\\WINDOWS\\b.exe"
"SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeper.exe\" /startintray"
"TIAP"="C:\\windows\\eee2.exe"
"tm~*"="C:\\windows\\eee2.exe"
"wahm"="C:\\windows\\eee2.exe"
"mmtask"="\"C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""
"7a2r0n"="C:\\WINDOWS\\system32\\7a2r0n.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"IESet"="IExplorer.dll .dbt"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ares"="\"C:\\Program Files\\Ares\\ares.exe\" -h"
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"7a2r0n"="C:\\WINDOWS\\system32\\7a2r0n.exe"
"Wnsd"="\"C:\\PROGRA~1\\COMMON~1\\FNTS~1\\regsvr32.exe\" -vt yazb"
"ISMModule6"="\"C:\\Program Files\\ISM\\ISMModule6.exe\""
"Gixs"="\"C:\\Documents and Settings\\Leslie Bennett\\My Documents\\W?nSxS\\d?dplay.exe\""
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
"IESet"="IExplorer.dll .dbt"
"E6TaskPanel"="\"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe\" -winstart"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

SDFix

SDFix: Version 1.108

Run by Leslie Bennett on Sat 10/13/2007 at 11:58 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
lsass

ImagePath:
"C:\WINDOWS\scvhost.exe"

lsass - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\70.TMP - Deleted
C:\71.TMP - Deleted
C:\72.TMP - Deleted
C:\73.TMP - Deleted
C:\74.TMP - Deleted
C:\CF.TMP - Deleted
C:\D0.TMP - Deleted
C:\D1.TMP - Deleted
C:\D2.TMP - Deleted
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe - Deleted
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe - Deleted
C:\DOCUME~1\LESLIE~1\LOCALS~1\Temp\svchost.exe - Deleted
C:\a.exe - Deleted
C:\WINDOWS\scvhost.exe - Deleted
C:\WINDOWS\system32\alog.txt - Deleted
C:\WINDOWS\system32\aswwer.dll - Deleted
C:\WINDOWS\system32\drivers\svchost.exe - Deleted
C:\WINDOWS\system32\explorer.exe - Deleted
C:\WINDOWS\system32\help.txt - Deleted
C:\WINDOWS\system32\mac.dll - Deleted
C:\WINDOWS\SYSTEM32\MAR12.DLL - Deleted



Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------


Rootkit Srizbi/Agent.EA Registry Value Detected, Use a Rootkit scanner !


Authorized Application Key Export:

Remaining Files:
---------------
catchme 0.3.1160 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-13 12:07:25
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden files ...


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Tue 6 Dec 2005 247,492 ..SHR --- "C:\WINDOWS\zwz6tza.sys"
Thu 29 Aug 2002 91,136 A.SH. --- "C:\Program Files\Internet Explorer\iexplore.exe"
Tue 20 Aug 2002 1,511,453 ...H. --- "C:\Program Files\Messenger\MSMSGS.EXE"
Thu 29 Aug 2002 57,344 A.SH. --- "C:\Program Files\Outlook Express\MSIMN.EXE"
Wed 7 Dec 2005 145,368 ..SHR --- "C:\WINDOWS\SYSTEM32\kqb.exe"
Tue 6 Dec 2005 310,034 ..SHR --- "C:\WINDOWS\SYSTEM32\q7xa0.exe"
Tue 6 Dec 2005 238,436 ..SHR --- "C:\WINDOWS\SYSTEM32\zwz6tza.sys"
Sun 9 Apr 2006 400 ..SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.bla.bak"
Sun 9 Apr 2006 48 ..SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.sec.bak"
Sat 10 Mar 2007 28,672 ...H. --- "C:\Documents and Settings\Leslie Bennett\My Documents\~WRL0001.tmp"
Sat 6 Oct 2007 72,704 ..SHR --- "C:\Program Files\Common Files\F?nts\regsvr32.exe"
Sat 29 Sep 2007 36,864 A.SH. --- "C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP672\A0234532.sys"
Sat 29 Sep 2007 40,183 A.SH. --- "C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP672\A0234548.exe"
Sat 29 Sep 2007 72,704 A.SH. --- "C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP672\A0234549.exe"
Fri 29 Jun 2007 146,944 A.SH. --- "C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP672\A0234550.exe"
Wed 3 Oct 2007 230,912 ..SHR --- "C:\Documents and Settings\Leslie Bennett\My Documents\W?nSxS\d?dplay.exe"
Tue 8 Oct 2002 106,496 A..H. --- "C:\Program Files\Common Files\aolshare\shell\us\shellext.dll"
Thu 6 Oct 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Thu 6 Oct 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Thu 6 Oct 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"
Thu 6 Oct 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp"

Finished!


ComboFix

ComboFix 07-10-13.3 - Leslie Bennett 2007-10-13 13:15:53.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.94 [GMT -4:00]
Running from: C:\Documents and Settings\Leslie Bennett\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Leslie Bennett\My Documents\WNSXS~1
C:\Documents and Settings\Leslie Bennett\My Documents\WNSXS~1\d?dplay.exe
C:\Documents and Settings\Leslie Bennett\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Leslie Bennett\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Leslie Bennett\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\Common Files\fnts~1
C:\Program Files\Common Files\fnts~1\F?nts\
C:\Program Files\Common Files\fnts~1\regsvr32.exe
C:\Program Files\Common Files\mcroso~1.net
C:\Program Files\Common Files\mcroso~1.net\M?crosoft.NET\
C:\Program Files\ISM
C:\Program Files\ISM\BndDrive6.dll
C:\Program Files\ISM\BndDrive6.dll
C:\Program Files\ISM\bndloader.exe
C:\Program Files\ISM\bndloader.exe
C:\Program Files\ISM\dictionary.gz
C:\Program Files\ISM\dictionary.gz
C:\Program Files\ISM\ism.exe
C:\Program Files\ISM\ism.exe
C:\Program Files\ISM\ISMModule6.exe
C:\Program Files\ISM\ISMModule6.exe
C:\Program Files\ISM\targets.gz
C:\Program Files\ISM\targets.gz
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\Terms.rtf
C:\WINDOWS\2020search2.dll
C:\WINDOWS\eee2.exe
C:\WINDOWS\notedad.exe
C:\WINDOWS\system32\aaa.exe
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\drivers\secdrv.sys
C:\WINDOWS\system32\drivers\symavc32.sys
C:\WINDOWS\system32\drivers\XLR37.sys
C:\windows\system32\explorer.exe
C:\WINDOWS\system32\explorer.exe
C:\WINDOWS\system32\iexplorer.dll .dbt
C:\WINDOWS\system32\KVIF_7.dll
C:\WINDOWS\system32\mp43.exe
C:\WINDOWS\system32\test.exe
C:\WINDOWS\system32\uxt.dll
C:\WINDOWS\system32\wnsapisv.exe
C:\WINDOWS\system32\wnsapisv.exe
C:\WINDOWS\uninstdsk.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_XLR37


((((((((((((((((((((((((( Files Created from 2007-09-13 to 2007-10-13 )))))))))))))))))))))))))))))))
.

2007-10-13 12:48 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-13 11:38 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-13 11:32 <DIR> d-------- C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Webroot
2007-10-13 11:32 <DIR> d-------- C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Webroot
2007-10-12 22:36 <DIR> d-------- C:\WINDOWS\SYSTEM32\NtmsData
2007-10-06 09:56 35,840 --a------ C:\WINDOWS\tsitra72.exe
2007-10-02 23:45 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-02 22:44 <DIR> d-------- C:\Program Files\Webroot
2007-10-02 22:44 <DIR> d-------- C:\Documents and Settings\Leslie Bennett\Application Data\Webroot
2007-10-02 22:44 <DIR> d-------- C:\Documents and Settings\Andrew\WINDOWS
2007-10-02 22:44 <DIR> d---s---- C:\Documents and Settings\Andrew\UserData
2007-10-02 22:44 <DIR> d-------- C:\Documents and Settings\Andrew\Application Data\Webroot
2007-10-02 22:44 <DIR> d-------- C:\Documents and Settings\Andrew\Application Data\Viewpoint
2007-10-02 22:44 <DIR> d-------- C:\Documents and Settings\Andrew\Application Data\McAfee.com Personal Firewall
2007-10-02 22:44 <DIR> d-------- C:\Documents and Settings\Andrew\Application Data\Gtek
2007-10-02 22:44 <DIR> d-------- C:\Documents and Settings\Andrew\Application Data\Aim
2007-10-01 18:50 <DIR> d-------- C:\Program Files\SpywareDetector
2007-09-29 12:05 <DIR> d-------- C:\Program Files\ISM2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-12 00:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-03 02:44 --------- d-----w C:\Documents and Settings\Leslie Bennett\Application Data\Kontiki
2007-08-01 03:29 4,012 ----a-w C:\WINDOWS\rduj06u8.exe
2006-04-20 00:34 42,424 ----a-w C:\Documents and Settings\Leslie Bennett\Application Data\GDIPFONTCACHEV1.DAT
2004-02-05 00:58 457 ----a-w C:\Program Files\INSTALL.LOG
2000-09-01 19:06 114 ----a-w C:\Documents and Settings\Leslie Bennett\RunMe.bat
2000-03-16 22:56 28,160 ----a-w C:\Documents and Settings\Leslie Bennett\SETUPREG.EXE
2000-03-16 21:20 1,433,600 ----a-w C:\Documents and Settings\Leslie Bennett\RISKII.EXE
2000-03-16 20:48 240,047 ----a-w C:\Documents and Settings\Leslie Bennett\CLASS.EXE
2000-03-16 20:26 662 ----a-w C:\Documents and Settings\Leslie Bennett\risk2.reg
2000-03-16 18:09 32,768 ----a-w C:\Documents and Settings\Leslie Bennett\TRAINER.EXE
2000-03-03 02:33 12,074 ----a-w C:\Documents and Settings\Leslie Bennett\mp3unpack.exe
2000-01-07 19:24 79,120 ----a-w C:\Documents and Settings\Leslie Bennett\DSETUP32.DLL
2000-01-07 19:24 159,504 ----a-w C:\Documents and Settings\Leslie Bennett\DSETUP.DLL
1999-02-24 05:00 282,896 ----a-w C:\Documents and Settings\Leslie Bennett\SHLWAPI.DLL
2005-12-06 22:42:16 247,492 --sh--r C:\WINDOWS\zwz6tza.sys
2005-12-07 04:45:55 145,368 --sh--r C:\WINDOWS\SYSTEM32\kqb.exe
2005-12-06 22:42:16 310,034 --sh--r C:\WINDOWS\SYSTEM32\q7xa0.exe
2005-12-06 22:42:16 238,436 --sh--r C:\WINDOWS\SYSTEM32\zwz6tza.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"MCAgentExe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2002-09-06 19:15]
"MCUpdateExe"="C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe" [2002-09-04 11:28]
"VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2002-10-04 16:09]
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2002-10-10 18:14]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2006-01-17 14:03]
"kdx"="C:\WINDOWS\kdx\KHost.exe" [2004-01-20 11:45]
"EPSON Stylus Photo R200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [2003-07-08 03:00]
"HostManager"="C:\Program Files\Common Files\AOL\1128460756\ee\AOLHostManager.exe" [2005-08-02 15:33]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-11-08 18:26]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-09-09 07:43]
"Antivirus"="C:\WINDOWS\b.exe" []
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" [2005-11-16 15:53]
"TIAP"="C:\windows\eee2.exe" []
"tm~*"="C:\windows\eee2.exe" []
"wahm"="C:\windows\eee2.exe" []
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2006-01-17 14:03]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 04:03]
"7a2r0n"="C:\WINDOWS\system32\7a2r0n.exe" [2007-07-04 16:44]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ares"="C:\Program Files\Ares\ares.exe" []
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2004-07-19 08:51]
"7a2r0n"="C:\WINDOWS\system32\7a2r0n.exe" [2007-07-04 16:44]
"Wnsd"="C:\PROGRA~1\COMMON~1\FNTS~1\regsvr32.exe" []
"ISMModule6"="C:\Program Files\ISM\ISMModule6.exe" []
"Gixs"="C:\Documents and Settings\Leslie Bennett\My Documents\W?nSxS\d?dplay.exe" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
"ISMPack6"="C:\Program Files\ISM2\ISMPack6.exe" [2007-09-28 09:27]
"E6TaskPanel"="C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" [2003-05-19 11:43]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"<NO NAME>"=

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-04 16:04:48]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 15:12:08]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]
Monitor.lnk - C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe [2007-01-20 00:16:42]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= C:\WINDOWS\warnhp.html
FriendlyName= Desktop Uninstall

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 8.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 8.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 8.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL Companion.lnk
backup=C:\WINDOWS\pss\AOL Companion.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Date Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Date Manager.lnk
backup=C:\WINDOWS\pss\Date Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GStartup.lnk
backup=C:\WINDOWS\pss\GStartup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PrecisionTime.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PrecisionTime.lnk
backup=C:\WINDOWS\pss\PrecisionTime.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Leslie Bennett^Start Menu^Programs^Startup^Screen Scapes Task.lnk]
path=C:\Documents and Settings\Leslie Bennett\Start Menu\Programs\Startup\Screen Scapes Task.lnk
backup=C:\WINDOWS\pss\Screen Scapes Task.lnkStartup
c:\WINDOWS\System32\

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Antivirus]
C:\WINDOWS\b.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bargains]
C:\Program Files\Bargain Buddy\bin2\bargains.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Belt]
C:\WINDOWS\Belt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClrSchLoader]
C:\Program Files\ClearSearch\Loader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CMESys]
"C:\Program Files\Common Files\CMEII\CMESys.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
C:\WINDOWS\System32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel]
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eZmmod]
C:\PROGRA~1\ezula\mmod.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hfyxepkj]
C:\WINDOWS\System32\rvdpfuwi.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HRYFLSYC]
C:\WINDOWS\HRYFLSYC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iaboqjft]
C:\WINDOWS\rrmkrbfd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X1100 Series]
"C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
??? ? ? ?????

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msbb]
C:\WINDOWS\System32\msbb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nvid]
C:\WINDOWS\System32\ehdrqdpy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2P Networking]
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
??? ? ? ?????

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SAHAgent]
C:\WINDOWS\System32\SahAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter]
C:\Program Files\SpyHunter\SpyHunter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updater]
C:\Program Files\Common files\updater\wupdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wcmdmgr]
C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFavorites]
c:\program files\winfavorites\WinFavorites.exe1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winnet]
C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WT GameChannel]
C:\Program Files\WildTangent\Apps\GameChannel.exe

R0 SSI;SSI;C:\WINDOWS\System32\Drivers\SSI.SYS
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\System32\drivers\cdudf_xp.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\System32\drivers\pwd_2k.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\System32\drivers\UdfReadr_xp.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\System32\drivers\mmc_2K.sys
S3 dvd_2K;dvd_2K;C:\WINDOWS\System32\drivers\dvd_2K.sys
S3 NaiFiltr;NaiFiltr;C:\WINDOWS\System32\DRIVERS\NaiFiltr.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-13 17:19:00 C:\WINDOWS\Tasks\ ().job"
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
"2007-10-13 17:23:00 C:\WINDOWS\Tasks\ (DCGCHG31-Leslie Bennett).job"
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
"2007-10-13 17:16:02 C:\WINDOWS\Tasks\McAfee.com Update Check ().job"
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
"2007-10-13 17:20:00 C:\WINDOWS\Tasks\McAfee.com Update Check (DCGCHG31-Andrew).job"
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
"2007-10-13 17:22:29 C:\WINDOWS\Tasks\McAfee.com Update Check (DCGCHG31-Leslie Bennett).job"
"2007-10-13 17:16:02 C:\WINDOWS\Tasks\McAfee.com Update Check (DCGCHG31-Owner).job"
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
"2007-10-13 17:22:00 C:\WINDOWS\Tasks\McAfee.com Update Check (NT AUTHORITY-SYSTEM).job"
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-13 13:22:19
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-10-13 13:25:09 - machine was rebooted
.
--- E O F ---

And HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:38:29 PM, on 10/13/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\kdx\KHost.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Common Files\AOL\1128460756\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1128460756\ee\AOLServiceHost.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\ISM2\ISMPack6.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Common Files\AOL\1128460756\ee\AOLServiceHost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB002" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1128460756\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Antivirus] C:\WINDOWS\b.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [TIAP] C:\windows\eee2.exe
O4 - HKLM\..\Run: [tm~*] C:\windows\eee2.exe
O4 - HKLM\..\Run: [wahm] C:\windows\eee2.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [7a2r0n] C:\WINDOWS\system32\7a2r0n.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\ares.exe" -h
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [7a2r0n] C:\WINDOWS\system32\7a2r0n.exe
O4 - HKCU\..\Run: [Wnsd] "C:\PROGRA~1\COMMON~1\FNTS~1\regsvr32.exe" -vt yazb
O4 - HKCU\..\Run: [ISMModule6] "C:\Program Files\ISM\ISMModule6.exe"
O4 - HKCU\..\Run: [Gixs] "C:\Documents and Settings\Leslie Bennett\My Documents\W?nSxS\d?dplay.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/clients/y/ot0_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {494C4BEF-FAC9-FE5D-ADA1-85B08BA2C789} - http://public.searchbarcash.com/cab/349/wtvuvzaw.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2AD4DAC2-5DFF-4566-BA2D-340DFC2C70D9}: NameServer = 68.94.156.1 68.94.157.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.100 85.255.112.143
O17 - HKLM\System\CS2\Services\Tcpip\..\{2AD4DAC2-5DFF-4566-BA2D-340DFC2C70D9}: NameServer = 68.94.156.1 68.94.157.1
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee.com Personal Firewall Service (MpfService) - McAfee.com Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O24 - Desktop Component 1: Desktop Uninstall - C:\WINDOWS\warnhp.html

--
End of file - 8428 bytes


Thank you so much!!

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 13 October 2007 - 02:33 PM

Disable SpySweeper or it will interfere:

If you have Spy Sweeper version 4:

* Open it, Click Options over on the left, then Program options
* Uncheck load at windows startup.
* Over to the left, Click shields and Uncheck all there.
* Uncheck home page shield.
* Uncheck automatically restore default without notification.
* Reboot your machine for the changes to take effect before running HJT.

If you have SpySweeper version 5:

To disable SpySweeper Shields

* Open SpySweeper.
* Click Shield Settings on the right

(or Shields on the left, depending what screen you're on).

* Click Internet Explorer and uncheck all items.
* Click Windows System and uncheck all items.
* Click Hosts File and uncheck all items.
* Click Startup Programs and uncheck all items.
* Close SpySweeper.

Reboot your computer, and ensure Spy Sweeper is disabled.


Please disable Spybot S&D's protection, or it will interfere.
You can enable it after you're clean.
Open Spybot and click on 'Mode' and check 'Advanced Mode'.
Click on 'Tools' in bottom left hand corner.
Click on the 'System Startup' icon.
Uncheck 'Teatimer' box and/or uncheck 'Resident'.
Click the 'Allow Change' box.
Then, check next to the computer clock to see if the icon for Spybot is still there.
If it is, right click it and choose 'exit Spybot-S&D Resident'.
Reboot the computer.

If you find you're experiencing problems disabling Spybot's Tea-Timer, follow the info in the link below:
http://www.russelltexas.com/malware/teatimer.htm


Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, to your desktop.

File::
C:\WINDOWS\rduj06u8.exe
C:\WINDOWS\zwz6tza.sys
C:\WINDOWS\SYSTEM32\kqb.exe
C:\WINDOWS\SYSTEM32\q7xa0.exe
C:\WINDOWS\SYSTEM32\zwz6tza.sys
Folder::
C:\Documents and Settings\Andrew\Application Data\Viewpoint
C:\Program Files\ISM2
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Antivirus"=-
"TIAP"=-
"tm~*"=-
"wahm"=-
"7a2r0n"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"7a2r0n"=-
"Wnsd"=-
"ISMModule6"=-
"Gixs"=-
"ISMPack6"=-
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Antivirus]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bargains]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Belt]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClrSchLoader]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CMESys]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eZmmod]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hfyxepkj]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HRYFLSYC]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iaboqjft]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msbb]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nvid]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2P Networking]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SAHAgent]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updater]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFavorites]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winnet]

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.


This will start ComboFix again.
After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.

#7 ABen

ABen
  • Topic Starter
  • Members
  • 4 posts

Posted 14 October 2007 - 12:36 AM

I didn't have the key code to log in to SpySweeper, so I attempted to remove it because we never use it and without the key code to log in to it, it seems pretty much useless. I hope it didn't interfere...

Combofix Log

ComboFix 07-10-13.3 - Leslie Bennett 2007-10-14 1:23:16.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.83 [GMT -4:00]
Running from: C:\Documents and Settings\Leslie Bennett\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Leslie Bennett\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\rduj06u8.exe
C:\WINDOWS\SYSTEM32\kqb.exe
C:\WINDOWS\SYSTEM32\q7xa0.exe
C:\WINDOWS\SYSTEM32\zwz6tza.sys
C:\WINDOWS\zwz6tza.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Andrew\Application Data\Viewpoint
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBar\GeneralOptions.ini
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBar\ViewBar.ddb
C:\Program Files\ISM2
C:\Program Files\ISM2\dictionary.gz
C:\Program Files\ISM2\ISMPack6.exe
C:\Program Files\ISM2\targets.gz
C:\WINDOWS\rduj06u8.exe
C:\WINDOWS\SYSTEM32\kqb.exe
C:\WINDOWS\SYSTEM32\q7xa0.exe
C:\WINDOWS\SYSTEM32\zwz6tza.sys
C:\WINDOWS\zwz6tza.sys

.
((((((((((((((((((((((((( Files Created from 2007-09-14 to 2007-10-14 )))))))))))))))))))))))))))))))
.

2007-10-13 12:48 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-13 11:38 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-12 22:36 <DIR> d-------- C:\WINDOWS\SYSTEM32\NtmsData
2007-10-06 09:56 35,840 --a------ C:\WINDOWS\tsitra72.exe
2007-10-02 23:45 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-02 22:44 <DIR> d-------- C:\Program Files\Webroot
2007-10-02 22:44 <DIR> d-------- C:\Documents and Settings\Leslie Bennett\Application Data\Webroot
2007-10-02 22:44 <DIR> d-------- C:\Documents and Settings\Andrew\WINDOWS
2007-10-02 22:44 <DIR> d---s---- C:\Documents and Settings\Andrew\UserData
2007-10-02 22:44 <DIR> d-------- C:\Documents and Settings\Andrew\Application Data\Webroot
2007-10-02 22:44 <DIR> d-------- C:\Documents and Settings\Andrew\Application Data\McAfee.com Personal Firewall
2007-10-02 22:44 <DIR> d-------- C:\Documents and Settings\Andrew\Application Data\Gtek
2007-10-02 22:44 <DIR> d-------- C:\Documents and Settings\Andrew\Application Data\Aim
2007-10-01 18:50 <DIR> d-------- C:\Program Files\SpywareDetector

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-12 00:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-03 02:44 --------- d-----w C:\Documents and Settings\Leslie Bennett\Application Data\Kontiki
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\SYSTEM32\cdm.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\SYSTEM32\wuapi.dll
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\SYSTEM32\wuauclt.exe
2007-07-30 23:19 43,352 ----a-w C:\WINDOWS\SYSTEM32\wups2.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\SYSTEM32\wucltui.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\SYSTEM32\wuweb.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\SYSTEM32\wuaueng.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\SYSTEM32\wups.dll
2006-04-20 00:34 42,424 ----a-w C:\Documents and Settings\Leslie Bennett\Application Data\GDIPFONTCACHEV1.DAT
2004-02-05 00:58 457 ----a-w C:\Program Files\INSTALL.LOG
2000-09-01 19:06 114 ----a-w C:\Documents and Settings\Leslie Bennett\RunMe.bat
2000-03-16 22:56 28,160 ----a-w C:\Documents and Settings\Leslie Bennett\SETUPREG.EXE
2000-03-16 21:20 1,433,600 ----a-w C:\Documents and Settings\Leslie Bennett\RISKII.EXE
2000-03-16 20:48 240,047 ----a-w C:\Documents and Settings\Leslie Bennett\CLASS.EXE
2000-03-16 20:26 662 ----a-w C:\Documents and Settings\Leslie Bennett\risk2.reg
2000-03-16 18:09 32,768 ----a-w C:\Documents and Settings\Leslie Bennett\TRAINER.EXE
2000-03-03 02:33 12,074 ----a-w C:\Documents and Settings\Leslie Bennett\mp3unpack.exe
2000-01-07 19:24 79,120 ----a-w C:\Documents and Settings\Leslie Bennett\DSETUP32.DLL
2000-01-07 19:24 159,504 ----a-w C:\Documents and Settings\Leslie Bennett\DSETUP.DLL
1999-02-24 05:00 282,896 ----a-w C:\Documents and Settings\Leslie Bennett\SHLWAPI.DLL
.

((((((((((((((((((((((((((((( snapshot@2007-10-13_13.23.19.60 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-13 17:15:51 262,144 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\ntuser.dat
+ 2007-10-14 05:23:13 262,144 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCAgentExe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2002-09-06 19:15]
"MCUpdateExe"="C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe" [2002-09-04 11:28]
"VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2002-10-04 16:09]
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2002-10-10 18:14]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2006-01-17 14:03]
"kdx"="C:\WINDOWS\kdx\KHost.exe" [2004-01-20 11:45]
"EPSON Stylus Photo R200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [2003-07-08 03:00]
"HostManager"="C:\Program Files\Common Files\AOL\1128460756\ee\AOLHostManager.exe" [2005-08-02 15:33]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-11-08 18:26]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-09-09 07:43]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2006-01-17 14:03]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 04:03]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ares"="C:\Program Files\Ares\ares.exe" []
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2004-07-19 08:51]
"E6TaskPanel"="C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" [2003-05-19 11:43]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-04 16:04:48]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 15:12:08]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]
Monitor.lnk - C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe [2007-01-20 00:16:42]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 8.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 8.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 8.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL Companion.lnk
backup=C:\WINDOWS\pss\AOL Companion.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Date Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Date Manager.lnk
backup=C:\WINDOWS\pss\Date Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GStartup.lnk
backup=C:\WINDOWS\pss\GStartup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PrecisionTime.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PrecisionTime.lnk
backup=C:\WINDOWS\pss\PrecisionTime.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Leslie Bennett^Start Menu^Programs^Startup^Screen Scapes Task.lnk]
path=C:\Documents and Settings\Leslie Bennett\Start Menu\Programs\Startup\Screen Scapes Task.lnk
backup=C:\WINDOWS\pss\Screen Scapes Task.lnkStartup
c:\WINDOWS\System32\

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
C:\WINDOWS\System32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel]
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X1100 Series]
"C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter]
C:\Program Files\SpyHunter\SpyHunter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wcmdmgr]
C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WT GameChannel]
C:\Program Files\WildTangent\Apps\GameChannel.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray

R0 SSI;SSI;C:\WINDOWS\System32\Drivers\SSI.SYS
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\System32\drivers\cdudf_xp.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\System32\drivers\pwd_2k.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\System32\drivers\UdfReadr_xp.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\System32\drivers\mmc_2K.sys
S3 dvd_2K;dvd_2K;C:\WINDOWS\System32\drivers\dvd_2K.sys
S3 NaiFiltr;NaiFiltr;C:\WINDOWS\System32\DRIVERS\NaiFiltr.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-14 05:24:00 C:\WINDOWS\Tasks\ ().job"
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
"2007-10-14 05:23:00 C:\WINDOWS\Tasks\ (DCGCHG31-Leslie Bennett).job"
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
"2007-10-14 05:21:00 C:\WINDOWS\Tasks\McAfee.com Update Check ().job"
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
"2007-10-14 05:25:00 C:\WINDOWS\Tasks\McAfee.com Update Check (DCGCHG31-Andrew).job"
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
"2007-10-14 05:24:00 C:\WINDOWS\Tasks\McAfee.com Update Check (DCGCHG31-Leslie Bennett).job"
"2007-10-14 05:21:00 C:\WINDOWS\Tasks\McAfee.com Update Check (DCGCHG31-Owner).job"
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
"2007-10-14 05:22:00 C:\WINDOWS\Tasks\McAfee.com Update Check (NT AUTHORITY-SYSTEM).job"
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-14 01:25:45
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-10-14 1:26:55
C:\ComboFix2.txt ... 2007-10-13 13:25
.
--- E O F ---


HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:32:34 AM, on 10/14/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\kdx\KHost.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\Program Files\Common Files\AOL\1128460756\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1128460756\ee\AOLServiceHost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Common Files\AOL\1128460756\ee\AOLServiceHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB002" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1128460756\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\ares.exe" -h
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/clients/y/ot0_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {494C4BEF-FAC9-FE5D-ADA1-85B08BA2C789} - http://public.searchbarcash.com/cab/349/wtvuvzaw.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2AD4DAC2-5DFF-4566-BA2D-340DFC2C70D9}: NameServer = 68.94.156.1 68.94.157.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.100 85.255.112.143
O17 - HKLM\System\CS2\Services\Tcpip\..\{2AD4DAC2-5DFF-4566-BA2D-340DFC2C70D9}: NameServer = 68.94.156.1 68.94.157.1
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee.com Personal Firewall Service (MpfService) - McAfee.com Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

--
End of file - 7476 bytes

#8 RichieUK

RichieUK
    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 14 October 2007 - 03:56 AM

Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6 update 3'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.


Please download FixWareout:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it.
Click Next, then Install, then make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load, this is normal.

When your system reboots, follow the prompts.
Afterwards, HijackThis will launch; if it doesn't, launch it manually.
Please click Scan, and checkmark the following items:

O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {494C4BEF-FAC9-FE5D-ADA1-85B08BA2C789} - http://public.searchbarcash.com/cab/349/wtvuvzaw.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.100 85.255.112.143


Click 'Fix Checked'.
Close HijackThis, and click OK to proceed.
At the end of the fix you may need to restart your computer again.

Finally, please post the contents of the logfile C:\fixwareout\report.txt into your next reply, along with a new HijackThis log please.

Please Note:
Only do the following if you have connection problems after performing the above steps:
Go to Start > Control Panel, and choose 'Network Connections'.
Then right click on your default connection, usually 'Local Area Connection' or 'Dial-up Connection' if you are using Dial-up, then left click on 'Properties'.
Double-click on the 'Internet Protocol (TCP/IP)' item and select the radio button that says: 'Obtain DNS servers Automatically'.
Click OK twice, restart your computer.
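Added here as an illustration of why those four lines were picked out, not part of RichieUK's instructions or of any tool in the thread: a small Python checker that parses the O15 and O17 lines of a HijackThis log (the sample lines are copied from the log above) and flags Trusted Zone additions plus any NameServer value that disagrees with the CurrentControlSet resolvers or with an operator-supplied list of expected resolvers. The expected-resolver list and the function names are assumptions of this example.

```python
"""Audit HijackThis O15/O17 lines for trusted-zone additions and DNS changes.

Added illustration; not part of the forum post. The sample lines below are
copied from the HijackThis log earlier in the thread (constructed input for
this script). The "expected resolvers" list is an operator-supplied
assumption; when it is not given, the CurrentControlSet (CCS) resolvers are
used as the baseline and any other control set that disagrees is flagged.
"""
import re
from ipaddress import ip_address

SAMPLE_LOG = r"""
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{2AD4DAC2-5DFF-4566-BA2D-340DFC2C70D9}: NameServer = 68.94.156.1 68.94.157.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.100 85.255.112.143
O17 - HKLM\System\CS2\Services\Tcpip\..\{2AD4DAC2-5DFF-4566-BA2D-340DFC2C70D9}: NameServer = 68.94.156.1 68.94.157.1
"""

# O15 lines list sites added to IE's Trusted Zone; every one deserves review.
O15_RE = re.compile(r"^O15 - Trusted Zone: (.+)$")

# O17 lines list per-control-set NameServer values, either for one adapter
# ({GUID}) or for the global Tcpip\Parameters key.
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(CCS|CS\d+)\\Services\\Tcpip\\"
    r"(Parameters|\.\.\\\{[0-9A-Fa-f-]+\}): NameServer = (.+)$"
)


def parse_o15(lines):
    """Return the Trusted Zone patterns found in the log lines."""
    return [m.group(1) for m in (O15_RE.match(ln.strip()) for ln in lines) if m]


def parse_o17(lines):
    """Return (control_set, location, [servers]) for each O17 line."""
    entries = []
    for line in lines:
        m = O17_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2), m.group(3).split()))
    return entries


def check_nameservers(entries, expected=None):
    """Flag NameServer values outside the baseline.

    Baseline is `expected` if given, otherwise whatever CCS currently uses.
    Returns (control_set, location, [unexpected servers]) per offending entry.
    """
    if expected is not None:
        baseline = set(expected)
    else:
        baseline = {s for cs, _, servers in entries if cs == "CCS" for s in servers}
    findings = []
    for cs, location, servers in entries:
        bad = []
        for s in servers:
            try:
                ip_address(s)  # tokens that are not IP addresses are suspect too
            except ValueError:
                bad.append(s)
                continue
            if s not in baseline:
                bad.append(s)
        if bad:
            findings.append((cs, location, bad))
    return findings


def audit(log_text, expected=None):
    """Run both checks over a HijackThis log and return a summary dict."""
    lines = log_text.splitlines()
    return {
        "trusted_zones": parse_o15(lines),
        "nameserver_findings": check_nameservers(parse_o17(lines), expected),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for zone in report["trusted_zones"]:
        print(f"Trusted Zone entry to review: {zone}")
    for cs, location, bad in report["nameserver_findings"]:
        print(f"{cs} {location}: NameServer {' '.join(bad)} differs from baseline")
```

On the sample, CS1 is the only control set whose resolvers differ from CCS, which matches the single O17 line the post asks the user to fix.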



