Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Webcry Takeover Of My Search Engine With Ie7


  • This topic is locked This topic is locked
9 replies to this topic

#1 atguy125

atguy125

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:33 AM

Posted 07 November 2007 - 11:40 AM

Hi I'm having a spyware issue that I can't solve with Spyware Doctor. Everytime I search with Internet Explorer 7 on my Windows Vista machine I get the search results but clicking on them redirects me to Webcry searches. I'm hoping someone can help me here is my hijackthis log. Thanks!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:29:18 AM, on 11/7/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16546)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
E:\Program Files\WinZip\WZQKPICK.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\helppane.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wuauclt.exe
E:\My Documents\move 2\move\new files\1\Shawn\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6070517
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6070517
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - E:\Program Files\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {352AA77D-63B0-9C97-468C-0297B5F04A1F} - C:\Program Files\grlecrxk\jrgtxecl.dll
O2 - BHO: MSVPS System - {480598DD-AE28-48B7-82F7-6ADDA1AA6B66} - C:\Windows\ntspknlg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~1\TEXTAL~1\TAForIE.dll
O3 - Toolbar: (no name) - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [vefglefe] regsvr32 /u "C:\ProgramData\vefglefe.dll"
O4 - HKLM\..\Run: [kxcfojyz] regsvr32 /u "C:\ProgramData\kxcfojyz.dll"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SDTray] "E:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [igndlm.exe] E:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = E:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O13 - Gopher Prefix:
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/...tail/DASAct.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://demos.webex.com/client/T26L/webex/ieatgpc1.cab
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} - http://entimg.msn.com/client/msnmusax5318.cab
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - E:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O21 - SSODL: hostctrl - {CB9BA2FB-1070-47CB-978E-52A7936FE028} - C:\Windows\hostctrl.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\symantec\liveupdate\LuComServer_3_2.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - E:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - E:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: wampapache - Apache Software Foundation - e:\wamp\apache2\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - e:\wamp\mysql\bin\mysqld-nt.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 13711 bytes

BC AdBot (Login to Remove)

 


m

#2 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:12:33 PM

Posted 07 November 2007 - 06:00 PM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.
Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible.
We are going to boot into Safe Mode later in the fix, and there is no internet access.

Download SmitfraudFix (by S!Ri)
Open the file and it will extract the contents (a folder named SmitfraudFix) to your Desktop.

Reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.
Make sure you choose the option without Networking Support.

Once in Safe Mode, open the SmitfraudFix folder again.
Double-click smitfraudfix.cmd.
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
Warning : running option #2 on a non infected computer will remove your Desktop background.

Please include rapport.txt, along with a new HijackThis log in your next reply. I would also like to know whether or not your antivirus software is running?
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#3 atguy125

atguy125
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:33 AM

Posted 11 November 2007 - 03:43 PM

I have Norton 360 turned on. I ran smitfraudfix (log is below) I'm still getting the webcry search results.

SmitFraudFix v2.252

Scan done at 12:09:44.56, Sun 11/11/2007
Run from C:\Users\Shawn Latham\Desktop\SmitfraudFix
OS: Microsoft Windows [Version 6.0.6000] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost
::1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\Windows\hostctrl.dll Deleted
Deleting [HKEY_CLASSES_ROOT\CLSID\{CB9BA2FB-1070-47CB-978E-52A7936FE028}]
C:\Windows\ntspknlg.dll Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{657EAFA1-9A04-4652-B92F-0104A250232C}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{F87E528B-C381-452D-93AE-5E66F278CB44}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{657EAFA1-9A04-4652-B92F-0104A250232C}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F87E528B-C381-452D-93AE-5E66F278CB44}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{657EAFA1-9A04-4652-B92F-0104A250232C}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{F87E528B-C381-452D-93AE-5E66F278CB44}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:40:43 PM, on 11/11/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16546)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
E:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
E:\Program Files\WinZip\WZQKPICK.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Users\Shawn Latham\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6070517
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - E:\Program Files\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {352AA77D-63B0-9C97-468C-0297B5F04A1F} - C:\Program Files\grlecrxk\jrgtxecl.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~1\TEXTAL~1\TAForIE.dll
O3 - Toolbar: (no name) - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [vefglefe] regsvr32 /u "C:\ProgramData\vefglefe.dll"
O4 - HKLM\..\Run: [kxcfojyz] regsvr32 /u "C:\ProgramData\kxcfojyz.dll"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SDTray] "E:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [igndlm.exe] E:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = E:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O13 - Gopher Prefix:
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} - http://entimg.msn.com/client/msnmusax5318.cab
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - E:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\symantec\liveupdate\LuComServer_3_2.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - E:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - E:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: wampapache - Apache Software Foundation - e:\wamp\apache2\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - e:\wamp\mysql\bin\mysqld-nt.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 11697 bytes

#4 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:12:33 PM

Posted 13 November 2007 - 02:40 AM

Sorry about the delay in getting back to you, life has been hectic recently.

Download Combofix to your Desktop.
Double click combofix.exe
Follow the prompts that are displayed.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt. Post that in your next reply.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#5 atguy125

atguy125
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:33 AM

Posted 14 November 2007 - 11:44 AM

Here is the report by ComboFix

ComboFix 07-11-08.1 - Shawn Latham 2007-11-14 8:00:02.1 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.1.1033.18.909 [GMT -8:00]
Running from: C:\Users\Shawn Latham\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\nmcuninstall.exe
C:\Windows\system32\Cache
E:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2007-10-14 to 2007-11-14 )))))))))))))))))))))))))))))))
.

2007-11-14 07:56 51,200 --a------ C:\Windows\NirCmd.exe
2007-11-14 03:09 224,768 --a------ C:\Windows\System32\drivers\usbport.sys
2007-11-14 03:09 192,000 --a------ C:\Windows\System32\drivers\usbhub.sys
2007-11-14 03:09 73,216 --a------ C:\Windows\System32\drivers\usbccgp.sys
2007-11-14 03:09 38,400 --a------ C:\Windows\System32\drivers\usbehci.sys
2007-11-14 03:09 19,456 --a------ C:\Windows\System32\drivers\usbohci.sys
2007-11-14 03:09 8,704 --a------ C:\Windows\System32\hcrstco.dll
2007-11-14 03:09 8,704 --a------ C:\Windows\System32\hccoin.dll
2007-11-14 03:09 5,888 --a------ C:\Windows\System32\drivers\usbd.sys
2007-11-13 12:20 <DIR> d-------- C:\Program Files\BibleDatabase
2007-11-11 13:42 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2007-11-11 13:42 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2007-11-11 12:09 1,270 --a------ C:\Windows\System32\tmp.reg
2007-11-11 11:54 <DIR> d-------- C:\Windows\System32\SmitfraudFix
2007-11-10 17:13 <DIR> d-------- C:\Users\Shawn Latham\Documents
2007-10-30 08:29 <DIR> d-------- C:\Program Files\iPod
2007-10-30 08:28 <DIR> d-------- C:\Program Files\Apple Software Update
2007-10-29 18:28 45,056 --a------ C:\Windows\System32\wnaspi32.dll
2007-10-29 18:28 25,244 --a------ C:\Windows\System32\drivers\aspi32.sys
2007-10-29 18:28 5,600 --a------ C:\Windows\system\winaspi.dll
2007-10-29 18:28 4,672 --a------ C:\Windows\system\wowpost.exe
2007-10-29 18:27 203,776 --a------ C:\Windows\System32\clrviddc.dll
2007-10-29 18:16 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-10-28 16:02 <DIR> d-------- C:\Program Files\WON
2007-10-28 11:31 <DIR> d-------- C:\Users\Shawn Latham\AppData\Roaming\Ipswitch
2007-10-28 11:30 <DIR> d-------- C:\Users\All Users\Ipswitch
2007-10-28 11:30 <DIR> d-------- C:\ProgramData\Ipswitch
2007-10-28 11:29 <DIR> d-------- C:\Users\Shawn Latham\AppData\Roaming\InstallShield
2007-10-28 11:15 50,688 --a------ C:\Windows\System32\wbhelp2.dll
2007-10-19 16:10 6,147 --a------ C:\Windows\PCLICSB.DAT
2007-10-19 16:10 258 -r-h----- C:\Windows\System32\LMF.DAT
2007-10-19 16:09 1,044,480 --a------ C:\Windows\System32\ROBOEX32.DLL
2007-10-19 16:09 132,096 --a------ C:\Program Files\Common Files\PCSBoff.exe
2007-10-19 16:09 49,152 --a------ C:\Windows\System32\INETWH32.dll
2007-10-18 16:21 <DIR> d-------- C:\Users\Shawn Latham\church
2007-10-17 13:35 <DIR> d-------- C:\Program Files\grlecrxk
2007-10-16 14:57 <DIR> d-------- C:\Users\Shawn Latham\AppData\Roaming\PC Tools
2007-10-16 14:57 <DIR> d-a------ C:\Users\All Users\TEMP
2007-10-16 14:57 <DIR> d-a------ C:\ProgramData\TEMP
2007-10-16 14:57 79,688 --a------ C:\Windows\System32\drivers\iksyssec.sys
2007-10-16 14:57 62,280 --a------ C:\Windows\System32\drivers\iksysflt.sys
2007-10-16 14:57 41,288 --a------ C:\Windows\System32\drivers\ikfilesec.sys
2007-10-16 14:57 29,000 --a------ C:\Windows\System32\drivers\kcom.sys
2007-10-16 14:56 626,688 --a------ C:\Windows\System32\msvcr80.dll
2007-10-16 09:31 <DIR> d-------- C:\Program Files\Common Files\supportsoft
2007-10-16 09:29 3,518,464 --a------ C:\Windows\System32\cdintf300.dll
2007-10-16 09:29 1,843,200 --a------ C:\Windows\System32\acXMLParser.dll
2007-10-16 09:22 <DIR> d-------- C:\Users\All Users\Intuit
2007-10-16 09:22 <DIR> d-------- C:\ProgramData\Intuit
2007-10-16 09:22 <DIR> d-------- C:\Program Files\Common Files\Intuit
2007-10-16 09:03 <DIR> d-------- C:\Users\All Users\COMMON FILES
2007-10-16 09:03 <DIR> d-------- C:\ProgramData\COMMON FILES
2007-10-16 08:16 <DIR> d-------- C:\Users\Shawn Latham\AppData\Roaming\Download Manager
2007-10-16 08:15 <DIR> d-------- C:\Program Files\Akamai

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-14 11:09 --------- d-----w C:\ProgramData\Microsoft Help
2007-11-14 11:08 --------- d-----w C:\Program Files\Windows Mail
2007-11-13 02:17 --------- d-----w C:\ProgramData\WinZip
2007-11-10 03:58 --------- d-----w C:\Users\Shawn Latham\AppData\Roaming\ContentGuard
2007-11-07 01:02 704,000 ----a-w C:\Windows\System32\PhotoScreensaver.scr
2007-11-07 01:02 67,584 ----a-w C:\Windows\System32\wlanhlp.dll
2007-11-07 01:02 542,720 ----a-w C:\Windows\System32\sysmain.dll
2007-11-07 01:02 502,784 ----a-w C:\Windows\System32\wlansvc.dll
2007-11-07 01:02 47,104 ----a-w C:\Windows\System32\wlanapi.dll
2007-11-07 01:02 3,504,824 ----a-w C:\Windows\System32\ntkrnlpa.exe
2007-11-07 01:02 3,471,032 ----a-w C:\Windows\System32\ntoskrnl.exe
2007-11-07 01:02 297,984 ----a-w C:\Windows\System32\wlansec.dll
2007-11-07 01:02 290,816 ----a-w C:\Windows\System32\wlanmsm.dll
2007-11-07 01:02 28,344 ----a-w C:\Windows\system32\drivers\battc.sys
2007-11-07 01:02 258,232 ----a-w C:\Windows\system32\drivers\acpi.sys
2007-11-07 01:02 24,064 ----a-w C:\Windows\System32\wtsapi32.dll
2007-11-07 01:02 20,920 ----a-w C:\Windows\system32\drivers\compbatt.sys
2007-11-07 01:02 2,923,520 ----a-w C:\Windows\explorer.exe
2007-11-07 01:02 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2007-11-07 01:02 14,208 ----a-w C:\Windows\system32\drivers\CmBatt.sys
2007-11-07 01:02 11,264 ----a-w C:\Windows\system32\drivers\wmiacpi.sys
2007-11-06 02:42 --------- d-----w C:\ProgramData\Symantec
2007-10-30 02:16 --------- d-----w C:\Program Files\Common Files\Real
2007-10-28 22:56 --------- d-----w C:\Program Files\Norton 360
2007-10-28 19:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-16 17:30 --------- d-----w C:\Program Files\Google
2007-10-12 23:33 --------- d-----w C:\Program Files\QuickTime
2007-10-11 10:06 8,147,968 ----a-w C:\Windows\System32\wmploc.DLL
2007-10-11 10:06 7,680 ----a-w C:\Windows\System32\spwmp.dll
2007-10-11 10:06 4,096 ----a-w C:\Windows\System32\dxmasf.dll
2007-10-11 10:06 356,864 ----a-w C:\Windows\System32\MediaMetadataHandler.dll
2007-10-11 10:04 56,320 ----a-w C:\Windows\System32\iesetup.dll
2007-10-11 10:04 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2007-10-11 10:04 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2007-10-11 10:03 84,480 ----a-w C:\Windows\System32\INETRES.dll
2007-10-11 10:03 737,792 ----a-w C:\Windows\System32\inetcomm.dll
2007-10-11 10:02 788,992 ----a-w C:\Windows\System32\rpcrt4.dll
2007-10-07 14:02 805 ----a-w C:\Windows\system32\drivers\SYMEVENT.INF
2007-10-07 14:02 123,952 ----a-w C:\Windows\system32\drivers\SYMEVENT.SYS
2007-10-07 14:02 10,740 ----a-w C:\Windows\system32\drivers\SYMEVENT.CAT
2007-10-07 14:02 --------- d-----w C:\Program Files\Symantec
2007-10-03 00:36 --------- d-----w C:\Users\Shawn Latham\AppData\Roaming\acccore
2007-10-03 00:36 --------- d-----w C:\ProgramData\AOL OCP
2007-10-03 00:36 --------- d-----w C:\ProgramData\AOL
2007-10-03 00:36 --------- d-----w C:\Program Files\AIM6
2007-10-03 00:35 --------- d-----w C:\ProgramData\Viewpoint
2007-10-03 00:35 --------- d-----w C:\Program Files\Viewpoint
2007-10-03 00:34 --------- d-----w C:\ProgramData\AOL Downloads
2007-10-03 00:34 --------- d-----w C:\Program Files\Common Files\AOL
2007-09-28 18:49 --------- d-----w C:\Program Files\Microsoft Reader
2007-09-28 17:23 --------- d-----w C:\Program Files\MSN Messenger
2007-09-28 17:23 --------- d-----w C:\Program Files\Common Files\Synacast
2007-09-28 17:21 --------- d-----w C:\Program Files\SopCast
2007-09-28 16:58 --------- d-----w C:\Program Files\Replay AV 8
2007-09-28 16:53 --------- d-----w C:\Users\Shawn Latham\AppData\Roaming\Uniblue
2007-09-28 16:49 --------- d-----w C:\Program Files\Bonjour
2007-09-28 16:47 --------- d-----w C:\Users\Shawn Latham\AppData\Roaming\MSNInstaller
2007-09-28 16:42 --------- d-----w C:\Program Files\Libronix DLS
2007-09-28 16:38 --------- d-----w C:\Program Files\eBay
2007-09-28 00:59 --------- d-----w C:\Users\Shawn Latham\AppData\Roaming\IGN_DLM
2007-09-27 16:40 --------- d-----w C:\Program Files\InterActual
2007-09-27 15:36 21,393,919 ----a-w C:\Users\Shawn Latham\Myst10th_Ann.zip
2007-09-25 00:54 --------- d-----w C:\Users\Shawn Latham\AppData\Roaming\webex
2007-09-25 00:54 --------- d-----w C:\ProgramData\WebEx
2007-09-20 03:56 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-09-18 21:44 10,662 ----a-w C:\Windows\system32\drivers\srtspx.cat
2007-09-18 21:44 10,662 ----a-w C:\Windows\system32\drivers\srtspl.cat
2007-09-18 21:44 10,658 ----a-w C:\Windows\system32\drivers\srtsp.cat
2007-09-18 21:44 1,430 ----a-w C:\Windows\system32\drivers\srtspl.inf
2007-09-18 21:44 1,421 ----a-w C:\Windows\system32\drivers\srtspx.inf
2007-09-18 21:44 1,415 ----a-w C:\Windows\system32\drivers\srtsp.inf
2007-09-18 21:43 43,696 ----a-w C:\Windows\system32\drivers\srtspx.sys
2007-09-18 21:43 317,616 ----a-w C:\Windows\system32\drivers\srtspl.sys
2007-09-18 21:43 278,576 ----a-w C:\Windows\system32\drivers\srtsp.sys
2007-09-05 18:16 1,171,848 ----a-w C:\Windows\System32\SecureKeyBackupCPL.dll
2007-08-30 10:17 174 --sha-w C:\Program Files\desktop.ini
2007-08-30 10:07 8,192 ----a-w C:\Windows\System32\riched32.dll
2007-08-30 10:07 77,824 ----a-w C:\Windows\System32\rascfg.dll
2007-08-30 10:07 694,784 ----a-w C:\Windows\System32\localspl.dll
2007-08-30 10:07 52,736 ----a-w C:\Windows\System32\rasdiag.dll
2007-08-30 10:07 384,000 ----a-w C:\Windows\System32\netcfgx.dll
2007-08-30 10:07 36,864 ----a-w C:\Windows\System32\cdd.dll
2007-08-30 10:07 33,280 ----a-w C:\Windows\System32\traffic.dll
2007-08-30 10:07 32,768 ----a-w C:\Windows\System32\rasmxs.dll
2007-08-30 10:07 286,208 ----a-w C:\Windows\System32\ipnathlp.dll
2007-08-30 10:07 22,016 ----a-w C:\Windows\System32\rasser.dll
2007-08-30 10:07 15,360 ----a-w C:\Windows\System32\pacerprf.dll
2007-08-30 10:07 134,656 ----a-w C:\Windows\System32\dps.dll
2007-08-30 10:07 13,824 ----a-w C:\Windows\System32\wshqos.dll
2007-08-30 10:07 13,824 ----a-w C:\Windows\System32\icsunattend.exe
2007-08-30 10:05 25,600 ----a-w C:\Windows\System32\LangCleanupSysprepAction.dll
2007-08-30 10:05 23,552 ----a-w C:\Windows\System32\lpremove.exe
2007-08-30 10:05 166,912 ----a-w C:\Windows\System32\lpksetup.exe
2007-08-30 10:05 10,240 ----a-w C:\Windows\System32\MUILanguageCleanup.dll
2007-08-30 10:04 105,984 ----a-w C:\Windows\System32\CscMig.dll
2007-08-30 10:03 88,576 ----a-w C:\Windows\System32\avifil32.dll
2007-08-30 10:03 82,944 ----a-w C:\Windows\System32\mciavi32.dll
2007-08-30 10:03 8,138,240 ----a-w C:\Windows\System32\ssBranded.scr
2007-08-30 10:03 712,192 ----a-w C:\Windows\System32\WindowsCodecs.dll
2007-08-30 10:03 69,632 ----a-w C:\Windows\System32\sendmail.dll
2007-08-09 18:44:48 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-08-09 18:44:48 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-08-09 18:44:48 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{352AA77D-63B0-9C97-468C-0297B5F04A1F}]
2007-10-17 13:37 98304 --a------ C:\Program Files\grlecrxk\jrgtxecl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-10-16 09:30]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-29 18:15]
"iTunesHelper"="E:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42]
"SDTray"="E:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-11-12 12:45]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-15 10:07]
"igndlm.exe"="E:\Program Files\Download Manager\DLM.exe" [2007-03-05 14:57]
"Aim6"="" []
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 04:33]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-09-11 07:38:44]
WinZip Quick Pick.lnk - E:\Program Files\WinZip\WZQKPICK.EXE [2007-08-03 11:10:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
"C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
"C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Version Cue CS2]
"C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]
C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~3.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
C:\WINDOWS\system32\WLTRAY.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
C:\Program Files\Dell\QuickSet\Quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
C:\Windows\ehome\ehTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
C:\Program Files\Napster\napster.exe /systray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
sttray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec PIF AlertEng]
"C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AdobeUpdateManager.exe AcPro7_0_0

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
%ProgramFiles%\Windows Defender\MSASCui.exe -hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
rundll32.exe oobefldr.dll,ShowWelcomeCenter

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
C:\Program Files\Windows Media Player\WMPNSCFG.exe

R0 AtiPcie;ATI PCI Express (3GIO) Filter;C:\Windows\system32\DRIVERS\AtiPcie.sys
R1 IDSvix86;Symantec Intrusion Prevention Driver;\??\C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20071109.001\IDSvix86.sys
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
R3 BCM43XV;Broadcom Extensible 802.11 Network Adapter Driver;C:\Windows\system32\DRIVERS\bcmwl6.sys
R3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys
R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS
S3 NPF;NetGroup Packet Filter Driver;C:\Windows\system32\drivers\npf.sys
S3 wampapache;wampapache;"e:\wamp\apache2\bin\httpd.exe" -k runservice
S3 wampmysqld;wampmysqld;e:\wamp\mysql\bin\mysqld-nt.exe --defaults-file=e:\wamp\mysql\my.ini wampmysqld
S3 WAS;Windows Process Activation Service;C:\Windows\system32\svchost.exe -k iissvcs
S3 WMSvc;Web Management Service;C:\Windows\system32\inetsrv\wmsvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
iissvcs w3svc was
WudfServiceGroup WUDFSvc

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-11-14 15:12:00 C:\Windows\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2007-11-08 17:43:00 C:\Windows\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-08-30 16:43:42 C:\Windows\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-14 08:05:20
Windows 6.0.6000 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-14 8:07:29
.
--- E O F ---

#6 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:12:33 PM

Posted 15 November 2007 - 04:35 PM

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
  • Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan tab" and UNcheck "Heuristic analysis"
  • Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#7 atguy125

atguy125
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:33 AM

Posted 18 November 2007 - 01:30 PM

Sorry for the delay. I was out of town. I started this last night and I think it took 5 1/2 hours. When I got up this morning it was done. I hoped it would fix the problem because it did find IE worms but I just tried searching and got redirected again. What do you think is causing this. Another thing happened too Windows Security Center for Vista won't turn on. I'm wondering if the same worm is causing that too! Shawn

search1[1].htm\Script.1;C:\Documents and Settings\Shawn Latham\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE;Worm.Sifiliz;;
search1[1].htm;C:\Documents and Settings\Shawn Latham\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE;Archive contains infected objects;Moved.;
search[5].htm\Script.1;C:\Documents and Settings\Shawn Latham\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE;Worm.Sifiliz;;
search[5].htm;C:\Documents and Settings\Shawn Latham\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE;Archive contains infected objects;Moved.;
search1[3].htm\Script.1;C:\Documents and Settings\Shawn Latham\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE;Worm.Sifiliz;;
search1[3].htm;C:\Documents and Settings\Shawn Latham\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE;Archive contains infected objects;Moved.;
search[6].htm\Script.1;C:\Documents and Settings\Shawn Latham\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE;Worm.Sifiliz;;
search[6].htm;C:\Documents and Settings\Shawn Latham\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE;Archive contains infected objects;Moved.;
Process.exe;C:\Documents and Settings\Shawn Latham\Desktop\SmitfraudFix;Tool.Prockill;Deleted.;
restart.exe;C:\Documents and Settings\Shawn Latham\Desktop\SmitfraudFix;Tool.ShutDown.11;Deleted.;
search1[1].htm\Script.1;C:\Documents and Settings\Shawn Latham\DoctorWeb\Quarantine\search1[1].htm;Worm.Sifiliz;;
search1[1].htm;C:\Documents and Settings\Shawn Latham\DoctorWeb\Quarantine;Archive contains infected objects;Moved.;
search1[3].htm\Script.1;C:\Documents and Settings\Shawn Latham\DoctorWeb\Quarantine\search1[3].htm;Worm.Sifiliz;;
search1[3].htm;C:\Documents and Settings\Shawn Latham\DoctorWeb\Quarantine;Archive contains infected objects;Moved.;
search[5].htm\Script.1;C:\Documents and Settings\Shawn Latham\DoctorWeb\Quarantine\search[5].htm;Worm.Sifiliz;;
search[5].htm;C:\Documents and Settings\Shawn Latham\DoctorWeb\Quarantine;Archive contains infected objects;Moved.;
search[6].htm\Script.1;C:\Documents and Settings\Shawn Latham\DoctorWeb\Quarantine\search[6].htm;Worm.Sifiliz;;
search[6].htm;C:\Documents and Settings\Shawn Latham\DoctorWeb\Quarantine;Archive contains infected objects;Moved.;
HoyleCard2004Setup-dm[1].exe;C:\Downloads;Adware.TryMedia;Deleted.;
Process.exe;C:\Users\Shawn Latham\Desktop\SmitfraudFix;Tool.Prockill;Invalid path to file ;
restart.exe;C:\Users\Shawn Latham\Desktop\SmitfraudFix;Tool.ShutDown.11;Invalid path to file ;
Process.exe;C:\Windows\System32\SmitfraudFix;Tool.Prockill;Deleted.;
restart.exe;C:\Windows\System32\SmitfraudFix;Tool.ShutDown.11;Deleted.;
LottoTennisChallenge_ENSetup-dm.exe;E:\My Documents;Adware.TryMedia;Deleted.;
PerfectAce-dm.exe;E:\My Documents;Adware.TryMedia;Deleted.;

#8 atguy125

atguy125
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:33 AM

Posted 18 November 2007 - 01:50 PM

I decided to run hijackthis again here is the new report. The dr web report is listed on my previous post.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:42:47 AM, on 11/18/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16546)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
E:\Program Files\WinZip\WZQKPICK.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\system32\rundll32.exe
E:\Program Files\Spyware Doctor\swdoctor.exe
C:\Windows\system32\FirewallControlPanel.exe
C:\Users\Shawn Latham\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6070517
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - E:\Program Files\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {352AA77D-63B0-9C97-468C-0297B5F04A1F} - C:\Program Files\grlecrxk\jrgtxecl.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~1\TEXTAL~1\TAForIE.dll
O3 - Toolbar: (no name) - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SDTray] "E:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [igndlm.exe] E:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = E:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O13 - Gopher Prefix:
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} - http://entimg.msn.com/client/msnmusax5318.cab
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - E:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\symantec\liveupdate\LuComServer_3_2.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - E:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - E:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: wampapache - Apache Software Foundation - e:\wamp\apache2\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - e:\wamp\mysql\bin\mysqld-nt.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 12247 bytes

#9 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:12:33 PM

Posted 18 November 2007 - 02:49 PM

Go to the Control Panel.
If you are using Windows XP's "Category View", select the Network and Internet Connections category. If you are in "Classic View", go to the next step .
Double click the Network Connections icon
Right click the Local Area Connection icon and select 'Properties'.
Highlight 'Internet Protocol (TCP/IP)' and click the 'Properties' button.
Be sure Obtain DNS server address automatically is selected.
OK your way out.

Go to Start | Run and type in cmd
Click OK.
This will open a command prompt window.
Copy and paste the following line into the window:

ipconfig /flushdns

Hit 'Enter'.
Exit the command window.

Please download Fixwareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://download.bleepingcomputer.com/lonny/Fixwareout.exe
Save it to your Desktop and run it by double clicking.
Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer, please do so.
Your system may take longer than usual to load; this is normal.
Once the Desktop loads save the text that will open (report.txt) and post it in your next reply.

Please include the report.txt along with a new HijackThis log in your reply.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#10 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:12:33 PM

Posted 07 December 2007 - 03:06 PM

Due to lack of feedback, this topic is now closed.
If you need this topic reopened, please request this by sending me a Personal Message including a link to your thread.
This applies only to the original topic starter. Everyone else please begin a New Topic.

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users