
Why Won't This Virus Go Away?


  • This topic is locked
28 replies to this topic

#1 lkbroom

  • Members
  • 14 posts

Posted 04 December 2007 - 12:59 AM

I have run several different anti-virus/anti-spyware programs, but the same thing keeps coming back. Ad-Aware identified win32.trojandownloader.obfuscated and deleted it, but when I ran the scan again it was still there. I've also noticed some strange processes running on my computer, and the CPU usage is much higher than normal. I've posted my HJT logs below. Please help!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:56:20 PM, on 12/3/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Common Files\AOL\1177681878\ee\AOLSoftware.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1177681878\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
O4 - HKLM\..\Run: [MSConfig] "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" /auto
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1164688066171
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6066\SAService.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5563 bytes


#2 teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 04 December 2007 - 02:04 AM

Hello lkbroom,

Welcome to Bleeping Computer :thumbsup:

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 lkbroom
  • Topic Starter

  • Members
  • 14 posts

Posted 05 December 2007 - 01:16 AM

Here is the combofix log:

ComboFix 07-12-04.3 - LinsiKay 2007-12-04 23:52:39.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.240 [GMT -6:00]
Running from: C:\Documents and Settings\LinsiKay\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\cxexmxqt.dll
C:\Documents and Settings\LinsiKay\My Documents\RACLE~1
C:\Documents and Settings\LinsiKay\My Documents\RACLE~1\m?iexec.exe
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Program Files\Common Files\Yazzle1549OinUninstaller.exe
C:\Program Files\pppatc~1
C:\Program Files\SecCenter
C:\Program Files\WinBudget
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\abW9
C:\Temp\abW9\tPho.log
C:\temp\tn3
C:\WINDOWS\system32\artsbyra.dll
C:\WINDOWS\system32\c1
C:\WINDOWS\system32\d1
C:\WINDOWS\SYSTEM32\dcbeg.ini
C:\WINDOWS\SYSTEM32\dcbeg.ini2
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\gebcd.dll
C:\WINDOWS\system32\gebywuv.dll
C:\WINDOWS\system32\j2
C:\WINDOWS\system32\khfffed.dll
C:\WINDOWS\system32\ldinfo.ldr
C:\WINDOWS\system32\m8
C:\WINDOWS\system32\NSIS.Library.RegTool.v2.{27B6F2FF-A907-40B0-BB5E-269E9D9EF93B}.exe
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\rMa02yy
C:\WINDOWS\SYSTEM32\utstv.bak1
C:\WINDOWS\SYSTEM32\utstv.ini
C:\WINDOWS\system32\wnsintsv.exe
C:\WINDOWS\system32\yayywtq.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_FAD


((((((((((((((((((((((((( Files Created from 2007-11-05 to 2007-12-05 )))))))))))))))))))))))))))))))
.

2007-12-03 21:28 . 2007-12-03 21:13 102,664 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2007-12-03 21:12 . 2007-12-03 21:30 <DIR> d-------- C:\Documents and Settings\LinsiKay\.housecall6.6
2007-12-03 05:54 . 2007-12-03 05:54 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2007-12-03 05:51 . 2007-12-03 05:51 <DIR> d-------- C:\Program Files\Webroot
2007-12-03 05:51 . 2007-12-03 05:51 <DIR> d-------- C:\Documents and Settings\LinsiKay\Application Data\Webroot
2007-12-03 05:51 . 2007-12-03 05:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2007-12-03 05:51 . 2007-10-01 16:40 1,526,072 --a------ C:\WINDOWS\WRSetup.dll
2007-12-03 05:51 . 2007-10-01 16:24 163,640 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ssidrv.sys
2007-12-03 05:51 . 2007-10-01 16:24 23,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sskbfd.sys
2007-12-03 05:51 . 2007-10-01 16:24 21,816 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sshrmd.sys
2007-12-03 05:51 . 2007-10-01 16:24 20,280 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SSFS0BB9.sys
2007-12-02 09:34 . 2007-12-02 09:34 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-02 09:34 . 2007-12-02 09:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-02 09:33 . 2007-12-02 09:42 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-02 09:25 . 2007-12-02 09:25 <DIR> d-------- C:\Documents and Settings\LinsiKay\Application Data\SiteAdvisor
2007-12-02 09:24 . 2007-12-02 09:24 11,508 --a------ C:\WINDOWS\SYSTEM32\Config.MPF
2007-12-02 08:46 . 2007-12-02 08:46 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-28 23:18 . 2007-12-03 23:22 <DIR> d-------- C:\Program Files\McAfee
2007-11-28 23:18 . 2007-12-03 23:22 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-11-28 22:16 . 2007-11-28 22:16 2,238 --a------ C:\WINDOWS\SYSTEM32\ClickToFindandFixErrors_US.ico
2007-11-28 22:13 . 2007-11-28 22:13 123 --a------ C:\Documents and Settings\LinsiKay\mit.bat
2007-11-28 22:12 . 2007-12-03 23:11 <DIR> d-------- C:\WINDOWS\SYSTEM32\skjlrsjp
2007-11-28 22:12 . 2007-12-03 23:20 <DIR> d-------- C:\Program Files\Iselcswj
2007-11-28 22:12 . 2007-11-28 22:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-11-28 22:11 . 2007-12-03 22:04 <DIR> d-------- C:\Program Files\qhqlkvct
2007-11-28 22:11 . 2007-11-28 22:12 1,149,472 --a------ C:\Install
2007-11-28 22:10 . 2007-12-03 06:23 <DIR> d--hs---- C:\WINDOWS\TGluc2lLYXk
2007-11-28 22:09 . 2007-12-04 23:57 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-04 05:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-12-04 05:21 --------- d-----w C:\Program Files\Viewpoint
2007-12-04 05:04 --------- d-----w C:\Program Files\PopCap Games
2007-12-04 04:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-04 04:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-04 04:49 --------- d-----w C:\Program Files\IrfanView
2007-12-04 04:47 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-29 05:32 --------- d-----w C:\Program Files\GameHouse
2007-11-17 22:07 28,256 ----a-w C:\WINDOWS\system32\drivers\MxlW2k.sys
2007-11-14 05:41 --------- d-----w C:\Documents and Settings\LinsiKay\Application Data\U3
2007-09-12 18:52 53,248 ----a-w C:\WINDOWS\hg173.exe
2007-09-12 18:50 53,248 ----a-w C:\WINDOWS\df87173.exe
2007-01-15 16:18 830,513 --sh--w C:\WINDOWS\SECURITY\cdoalau.bak1
2007-01-15 16:21 831,372 --sh--w C:\WINDOWS\SECURITY\cdoalau.bak2
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 327,680 2003-05-22 22:15:00 C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe

----a-w 151,597 2004-01-15 15:16:21 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe

----a-w 155,648 2003-02-13 07:01:00 C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe

----a-w 54,296 2003-12-02 21:11:04 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe

----a-w 58,392 2003-12-02 21:11:12 C:\Program Files\Common Files\Symantec Shared\bak\ccRegVfy.exe

----a-w 208,560 2002-11-01 22:47:36 C:\Program Files\Dell\AccessDirect\bak\dadapp.exe

----a-w 204,800 2003-09-23 17:23:24 C:\Program Files\Dell\Media Experience\bak\PCMService.exe

----a-r 368,640 2003-06-20 20:18:22 C:\Program Files\Dell\QuickSet\bak\quickset.exe

----a-w 306,688 2004-07-19 13:51:24 C:\Program Files\Dell Support\bak\DSAgnt.exe

----a-w 86,102 2002-12-03 17:29:02 C:\Program Files\Lexmark X5100 Series\bak\lxbabmgr.exe

----a-w 53,248 2003-10-06 16:05:40 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mmtask.exe

----a-w 118,784 2003-10-06 16:05:40 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mm_tray.exe

----a-w 77,824 2004-01-15 15:14:45 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 282,624 2006-12-07 16:13:30 C:\Program Files\QuickTime\qttask.exe

----a-w 53,248 2002-02-05 04:32:10 C:\Program Files\REGSHAVE\bak\REGSHAVE.EXE

----a-w 95,960 2005-07-06 18:34:44 C:\Program Files\SymNetDrv\bak\SNDMon.exe

----a-w 610,304 2003-05-02 23:15:44 C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe

----a-w 110,592 2003-05-02 23:21:48 C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe

----a-r 94,208 2003-08-27 19:20:00 C:\WINDOWS\bak\SM1BG.EXE

----a-w 28,672 2003-08-13 16:27:40 C:\WINDOWS\SYSTEM32\bak\DSentry.exe

----a-w 122,941 2005-05-31 10:33:00 C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37c2cee5-1b22-4662-8b42-d33aad7bfe00}]
C:\WINDOWS\System32\efycgur.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3F747DB2-1507-42C7-8734-459FDAD2C467}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9F3EE517-0393-4378-9C15-F76C1A0D70A9}]
C:\WINDOWS\System32\vtstu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C6D599B8-F14B-406F-9908-555B94AE1545}]
C:\WINDOWS\security\ualaodc.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 03:48]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" []
"HostManager"="C:\Program Files\Common Files\AOL\1177681878\ee\AOLSoftware.exe" [2006-09-25 18:52]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" []
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2002-08-29 05:00]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-10-01 16:40]

C:\Documents and Settings\LinsiKay\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2005-01-09 17:36:15]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 14:05:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winakc32]
winakc32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= c:\windows\system32\ldcore.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\System32\gebcd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^LinsiKay^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\LinsiKay\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cxexmxqt]
regsvr32 /u C:\Documents and Settings\All Users\Application Data\cxexmxqt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\io43mvuiw4kj]
C:\WINDOWS\io43mvuiw4kj.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SM1BG]
C:\WINDOWS\SM1BG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
2006-05-08 05:17 81920 --a------ C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uqongeny]
C:\Documents and Settings\LinsiKay\My Documents\?racle\m?iexec.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vmzufcdm]
rundll32.exe C:\Program Files\qhqlkvct\snmlidmd.dll,Init

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{11-10-0B-BC-ZN}]
C:\Documents and Settings\LinsiKay\Local Settings\Temp\T0CHD001.exe CHD001

R0 SSFS0BB9;Spy Sweeper File System Filer Driver: 0BB9;C:\WINDOWS\System32\Drivers\SSFS0BB9.SYS

.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-05 00:03:06
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-05 0:11:16
.
--- E O F ---


And here is the new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:15:07 AM, on 12/5/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Common Files\AOL\1177681878\ee\AOLSoftware.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\SoftwareDistribution\Download\fec3752563e444ecc6182e8b7e8bd110\update\update.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {37c2cee5-1b22-4662-8b42-d33aad7bfe00} - C:\WINDOWS\System32\efycgur.dll (file missing)
O2 - BHO: (no name) - {3F747DB2-1507-42C7-8734-459FDAD2C467} - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {9F3EE517-0393-4378-9C15-F76C1A0D70A9} - C:\WINDOWS\System32\vtstu.dll (file missing)
O2 - BHO: (no name) - {C6D599B8-F14B-406F-9908-555B94AE1545} - C:\WINDOWS\security\ualaodc.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1177681878\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [MSConfig] "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" /auto
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1164688066171
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: winakc32 - winakc32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6066\SAService.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6569 bytes

#4 teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 05 December 2007 - 06:28 PM

Hello,

Ewww....more going on here than I originally thought. :thumbsup: Lots to do, and at least 4 more posts, K?

1. Please download FindAWF by noahdfear and save it to your desktop.
2. Double-click FindAWF.exe to run option 1.
3. If a security alert shows, allow the program to run.
4. When the tool has completed, a report will open in Notepad.
5. Please post the results of the awf.txt in your next reply.

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: (no name) - {37c2cee5-1b22-4662-8b42-d33aad7bfe00} - C:\WINDOWS\System32\efycgur.dll (file missing)
O2 - BHO: (no name) - {3F747DB2-1507-42C7-8734-459FDAD2C467} - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {9F3EE517-0393-4378-9C15-F76C1A0D70A9} - C:\WINDOWS\System32\vtstu.dll (file missing)
O2 - BHO: (no name) - {C6D599B8-F14B-406F-9908-555B94AE1545} - C:\WINDOWS\security\ualaodc.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O20 - Winlogon Notify: winakc32 - winakc32.dll (file missing)


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Reboot your computer.

Thanks,
tea


Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?
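The entries teacup61 selects above are the kind of residue a helper ticks for "Fix checked": orphaned BHO/toolbar/button registrations whose DLL is already gone, a Winlogon Notify hook with no file behind it, and a non-empty AppInit_DLLs value. As an added example (not code from this thread, from BleepingComputer or from HijackThis), this Python script applies those triage rules to a constructed subset of the thread's second HJT log; the rule names and the two "review" heuristics (the relative IE Local Page value and autostart executables sitting directly in C:\WINDOWS) are assumptions of this example, not part of the original post.

```python
"""Triage HijackThis (HJT) log entries the way a malware-removal helper does.

Added example; not code from this thread or from Trend Micro's HijackThis.
The rule set is an assumption modelled on the entries ticked in this thread.
"""
from __future__ import annotations

import re

# Every HJT entry starts with a section code (R0/R1, O2, O3, O4, O9, O20, O23 ...).
ENTRY_RE = re.compile(r"^(?P<kind>R\d|O\d+) - (?P<body>.+)$")

# Markers HJT appends when a registry entry points at something no longer on disk.
MISSING_MARKERS = ("(file missing)", "(no file)")

# Constructed sample: a subset of the second HJT log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {37c2cee5-1b22-4662-8b42-d33aad7bfe00} - C:\WINDOWS\System32\efycgur.dll (file missing)
O2 - BHO: (no name) - {3F747DB2-1507-42C7-8734-459FDAD2C467} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: winakc32 - winakc32.dll (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""


def _run_target(body: str) -> str | None:
    """Pull the executable path out of an O4 autostart entry, quoted or not."""
    m = re.search(r"[a-z]:\\.*?\.exe", body, re.IGNORECASE)
    return m.group(0) if m else None


def classify(line: str) -> list[str]:
    """Return the reasons a helper would tick this entry; [] means leave it alone."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    kind, body = m.group("kind"), m.group("body")
    reasons: list[str] = []

    if any(mk in body for mk in MISSING_MARKERS):
        # Orphaned registration: the DLL was already deleted (here by ComboFix),
        # so the registry key is residue and is removed to finish the cleanup.
        reasons.append("orphaned entry: referenced file is missing")

    if "(no name)" in body and kind in ("O2", "O3", "O9"):
        # Legitimate BHOs/toolbars register a display name; nameless ones are suspect.
        reasons.append("unnamed COM object (BHO/toolbar/button)")

    if kind == "O20":
        if body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            # AppInit_DLLs is loaded into every process that maps user32.dll;
            # almost no legitimate software needs it, so any value is suspect.
            reasons.append("AppInit_DLLs global injection hook")
        elif body.startswith("Winlogon Notify:"):
            # Notify packages run inside winlogon.exe as SYSTEM at every logon.
            reasons.append("Winlogon Notify package")

    if kind in ("R0", "R1") and "Local Page" in body:
        value = body.split("=", 1)[1].strip()
        if value and not re.match(r"(?i)(https?://|[a-z]:\\)", value):
            # Heuristic (assumption): a bare relative path is not a normal IE setting.
            reasons.append("review: IE Local Page is a relative/unknown path")

    if kind == "O4":
        exe = _run_target(body)
        if exe and re.fullmatch(r"c:\\windows\\[^\\]+\.exe", exe, re.IGNORECASE):
            # Heuristic (assumption): vendors install under Program Files or
            # System32; a loader dropped straight into C:\WINDOWS deserves a look.
            reasons.append("review: autostart executable directly in the Windows root")

    return reasons


def triage(log_text: str) -> list[tuple[str, list[str]]]:
    """Pair every HJT entry in the log with its reasons (empty list = benign)."""
    out = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if ENTRY_RE.match(line):
            out.append((line, classify(line)))
    return out


def fix_list(log_text: str) -> list[str]:
    """The entries a helper would tell the user to tick under 'Fix checked'."""
    return [line for line, reasons in triage(log_text) if reasons]


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(("FIX " if reasons else "keep") + "  " + line[:70])
        for r in reasons:
            print("        - " + r)
```

Entries that are only "review" hits are leads for a human to check against the ComboFix output, not automatic deletions; the missing-file and nameless-COM rules match exactly what the helper ticked in this thread.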

#5 lkbroom
  • Topic Starter

  • Members
  • 14 posts

Posted 06 December 2007 - 01:31 AM

OK, tasks completed. I wasn't sure if you wanted me to run a new HJT log after I rebooted, so I went ahead and posted it anyway.

This is the log from AWF:


Find AWF report by noahdfear 2006
Version 1.40

The current date is: Thu 12/06/2007
The current time is: 0:12:44.48


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

08/27/2003 01:20 PM 94,208 SM1BG.EXE
1 File(s) 94,208 bytes

Directory of C:\PROGRA~1\DELLSU~1\BAK

07/19/2004 07:51 AM 306,688 DSAgnt.exe
1 File(s) 306,688 bytes

Directory of C:\PROGRA~1\LEXMAR~1\BAK

12/03/2002 11:29 AM 86,102 lxbabmgr.exe
1 File(s) 86,102 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

01/15/2004 09:14 AM 77,824 qttask.exe
1 File(s) 77,824 bytes

Directory of C:\PROGRA~1\REGSHAVE\BAK

02/04/2002 10:32 PM 53,248 REGSHAVE.EXE
1 File(s) 53,248 bytes

Directory of C:\PROGRA~1\SYMNET~1\BAK

07/06/2005 12:34 PM 95,960 SNDMon.exe
1 File(s) 95,960 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/13/2003 10:27 AM 28,672 DSentry.exe
1 File(s) 28,672 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

05/22/2003 04:15 PM 327,680 atiptaxx.exe
1 File(s) 327,680 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

12/02/2003 03:11 PM 54,296 ccApp.exe
12/02/2003 03:11 PM 58,392 ccRegVfy.exe
2 File(s) 112,688 bytes

Directory of C:\PROGRA~1\DELL\ACCESS~1\BAK

11/01/2002 04:47 PM 208,560 dadapp.exe
1 File(s) 208,560 bytes

Directory of C:\PROGRA~1\DELL\MEDIAE~1\BAK

09/23/2003 11:23 AM 204,800 PCMService.exe
1 File(s) 204,800 bytes

Directory of C:\PROGRA~1\DELL\QUICKSET\BAK

06/20/2003 02:18 PM 368,640 quickset.exe
1 File(s) 368,640 bytes

Directory of C:\PROGRA~1\MUSICM~1\MUSICM~2\BAK

10/06/2003 10:05 AM 118,784 mm_tray.exe
10/06/2003 10:05 AM 53,248 mmtask.exe
2 File(s) 172,032 bytes

Directory of C:\PROGRA~1\SYNAPT~1\SYNTP\BAK

05/02/2003 05:15 PM 610,304 SynTPEnh.exe
05/02/2003 05:21 PM 110,592 SynTPLpr.exe
2 File(s) 720,896 bytes

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

05/31/2005 04:33 AM 122,941 tfswctrl.exe
1 File(s) 122,941 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

01/15/2004 09:16 AM 151,597 realsched.exe
1 File(s) 151,597 bytes

Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

02/13/2003 01:01 AM 155,648 sgtray.exe
1 File(s) 155,648 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

94208 Aug 27 2003 "C:\WINDOWS\bak\SM1BG.EXE"
306688 Jul 19 2004 "C:\Program Files\Dell Support\bak\DSAgnt.exe"
86102 Dec 3 2002 "C:\Program Files\Lexmark X5100 Series\bak\lxbabmgr.exe"
282624 Dec 7 2006 "C:\Program Files\QuickTime\qttask.exe"
77824 Jan 15 2004 "C:\Program Files\QuickTime\bak\qttask.exe"
53248 Feb 4 2002 "C:\Program Files\REGSHAVE\bak\REGSHAVE.EXE"
95960 Jul 6 2005 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"
28672 Aug 13 2003 "C:\WINDOWS\SYSTEM32\bak\DSentry.exe"
327680 May 22 2003 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
54296 Dec 2 2003 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
58392 Dec 2 2003 "C:\Program Files\Common Files\Symantec Shared\bak\ccRegVfy.exe"
208560 Nov 1 2002 "C:\Program Files\Dell\AccessDirect\bak\dadapp.exe"
204800 Sep 23 2003 "C:\Program Files\Dell\Media Experience\bak\PCMService.exe"
368640 Jun 20 2003 "C:\Program Files\Dell\QuickSet\bak\quickset.exe"
53248 Feb 27 2006 "C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mmtask.exe"
53248 Oct 6 2003 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mmtask.exe"
135168 Feb 27 2006 "C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mm_tray.exe"
118784 Oct 6 2003 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mm_tray.exe"
610304 May 2 2003 "C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe"
610304 May 2 2003 "C:\Program Files\Synaptics\SynTP\Media\SYNTPENH.EXE"
110592 May 2 2003 "C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe"
110592 May 2 2003 "C:\Program Files\Synaptics\SynTP\Media\SYNTPLPR.EXE"
122941 May 31 2005 "C:\Program Files\Sonic\DLA\install\tfswctrl.exe"
122941 May 31 2005 "C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe"
151597 Jan 15 2004 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
155648 Feb 13 2003 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"


end of report


and here's the new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:29:22 AM, on 12/6/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Common Files\AOL\1177681878\ee\AOLSoftware.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1177681878\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [MSConfig] "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" /auto
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1164688066171
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6066\SAService.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5302 bytes

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 06 December 2007 - 11:55 AM

Hello,

That's okay, thanks, but I'm not interested in HijackThis right now. We'll get rid of AWF without it. :thumbsup:

Please double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders

A text file opens called: files.txt
Click below the line and paste the following list of files to be restored:

"C:\WINDOWS\bak\SM1BG.EXE"
"C:\Program Files\Dell Support\bak\DSAgnt.exe"
"C:\Program Files\Lexmark X5100 Series\bak\lxbabmgr.exe"
"C:\Program Files\QuickTime\qttask.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\Program Files\REGSHAVE\bak\REGSHAVE.EXE"
"C:\Program Files\SymNetDrv\bak\SNDMon.exe"
"C:\WINDOWS\SYSTEM32\bak\DSentry.exe"
"C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
"C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
"C:\Program Files\Common Files\Symantec Shared\bak\ccRegVfy.exe"
"C:\Program Files\Dell\AccessDirect\bak\dadapp.exe"
"C:\Program Files\Dell\Media Experience\bak\PCMService.exe"
"C:\Program Files\Dell\QuickSet\bak\quickset.exe"
"C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mmtask.exe"
"C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mm_tray.exe"
"C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe"
"C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe"
"C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe"
"C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"


Next, close and click Yes to save the changes.

Once files.txt is saved, FindAWF does the following:
-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folder

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.

Thanks,
tea

Edited by teacup61, 06 December 2007 - 11:55 AM.

Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?
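
An added triage helper for the FindAWF report format shown above (written here for illustration; it is not part of this thread and not FindAWF's own code): it reads the "Duplicate files of bak directory contents" section and, for each file sitting in a bak folder, reports whether the same-named file one level up is identical, differs in size or date (as qttask.exe did in the first report, before option 2 restored it), or is not listed at all. The embedded report text is constructed from lines posted in this thread.

```python
import re
from pathlib import PureWindowsPath

# One line of the "Duplicate files of bak directory contents" section of a
# FindAWF report, as posted in this thread:  <size> <Mon> <day> <year> "<path>"
DUP_LINE = re.compile(r'^\s*(\d+)\s+([A-Za-z]{3}\s+\d{1,2}\s+\d{4})\s+"([^"]+)"\s*$')

# Constructed sample: a handful of lines taken from the first report in this
# thread, before option 2 restored the originals.
SAMPLE_REPORT = r'''
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

94208 Aug 27 2003 "C:\WINDOWS\bak\SM1BG.EXE"
282624 Dec 7 2006 "C:\Program Files\QuickTime\qttask.exe"
77824 Jan 15 2004 "C:\Program Files\QuickTime\bak\qttask.exe"
610304 May 2 2003 "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
610304 May 2 2003 "C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe"
610304 May 2 2003 "C:\Program Files\Synaptics\SynTP\Media\SYNTPENH.EXE"
122941 May 31 2005 "C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe"
122941 May 31 2005 "C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe"


end of report
'''


def parse_duplicates(report_text):
    """Return (size, date, path) triples from the duplicate-files section only."""
    entries = []
    in_section = False
    for line in report_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Duplicate files of bak directory contents"):
            in_section = True
            continue
        if in_section and stripped == "end of report":
            break
        match = DUP_LINE.match(line) if in_section else None
        if match:
            size = int(match.group(1))
            date = " ".join(match.group(2).split())  # normalise spacing
            entries.append((size, date, match.group(3)))
    return entries


def triage(entries):
    """Compare each file in a bak folder with the same-named file one level up.

    Returns {bak_path: verdict} where verdict is
      'identical' - parent copy has the same size and date (original in place)
      'differs'   - parent copy exists but size or date differ (suspect replacement)
      'missing'   - no same-named file in the parent folder was reported
    Other same-named copies elsewhere (e.g. a Media subfolder) are ignored.
    """
    # Windows paths are case-insensitive, so index on the lower-cased path.
    index = {path.lower(): (size, date) for size, date, path in entries}
    verdicts = {}
    for size, date, path in entries:
        p = PureWindowsPath(path)
        if p.parent.name.lower() != "bak":
            continue
        original = str(p.parent.parent / p.name)
        parent_copy = index.get(original.lower())
        if parent_copy is None:
            verdicts[path] = "missing"
        elif parent_copy == (size, date):
            verdicts[path] = "identical"
        else:
            verdicts[path] = "differs"
    return verdicts


if __name__ == "__main__":
    for bak_path, verdict in triage(parse_duplicates(SAMPLE_REPORT)).items():
        print(f"{verdict:9s} {bak_path}")
```

Running it on the sample flags the QuickTime qttask.exe pair as "differs" and the SM1BG.EXE backup as "missing", which is what the restore step in the post above is meant to put right.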

#7 lkbroom

lkbroom
  • Topic Starter

  • Members
  • 14 posts

Posted 06 December 2007 - 08:51 PM

Ok, here is the new FindAWF report:


Find AWF report by noahdfear 2006
Version 1.40
Option 2 run successfully

The current date is: Thu 12/06/2007
The current time is: 19:23:17.38


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

08/27/2003 01:20 PM 94,208 SM1BG.EXE
1 File(s) 94,208 bytes

Directory of C:\PROGRA~1\DELLSU~1\BAK

07/19/2004 07:51 AM 306,688 DSAgnt.exe
1 File(s) 306,688 bytes

Directory of C:\PROGRA~1\LEXMAR~1\BAK

12/03/2002 11:29 AM 86,102 lxbabmgr.exe
1 File(s) 86,102 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

01/15/2004 09:14 AM 77,824 qttask.exe
1 File(s) 77,824 bytes

Directory of C:\PROGRA~1\REGSHAVE\BAK

02/04/2002 10:32 PM 53,248 REGSHAVE.EXE
1 File(s) 53,248 bytes

Directory of C:\PROGRA~1\SYMNET~1\BAK

07/06/2005 12:34 PM 95,960 SNDMon.exe
1 File(s) 95,960 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/13/2003 10:27 AM 28,672 DSentry.exe
1 File(s) 28,672 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

05/22/2003 04:15 PM 327,680 atiptaxx.exe
1 File(s) 327,680 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

12/02/2003 03:11 PM 54,296 ccApp.exe
12/02/2003 03:11 PM 58,392 ccRegVfy.exe
2 File(s) 112,688 bytes

Directory of C:\PROGRA~1\DELL\ACCESS~1\BAK

11/01/2002 04:47 PM 208,560 dadapp.exe
1 File(s) 208,560 bytes

Directory of C:\PROGRA~1\DELL\MEDIAE~1\BAK

09/23/2003 11:23 AM 204,800 PCMService.exe
1 File(s) 204,800 bytes

Directory of C:\PROGRA~1\DELL\QUICKSET\BAK

06/20/2003 02:18 PM 368,640 quickset.exe
1 File(s) 368,640 bytes

Directory of C:\PROGRA~1\MUSICM~1\MUSICM~2\BAK

10/06/2003 10:05 AM 118,784 mm_tray.exe
10/06/2003 10:05 AM 53,248 mmtask.exe
2 File(s) 172,032 bytes

Directory of C:\PROGRA~1\SYNAPT~1\SYNTP\BAK

05/02/2003 05:15 PM 610,304 SynTPEnh.exe
05/02/2003 05:21 PM 110,592 SynTPLpr.exe
2 File(s) 720,896 bytes

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

05/31/2005 04:33 AM 122,941 tfswctrl.exe
1 File(s) 122,941 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

01/15/2004 09:16 AM 151,597 realsched.exe
1 File(s) 151,597 bytes

Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

02/13/2003 01:01 AM 155,648 sgtray.exe
1 File(s) 155,648 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

94208 Aug 27 2003 "C:\WINDOWS\SM1BG.EXE"
94208 Aug 27 2003 "C:\WINDOWS\bak\SM1BG.EXE"
306688 Jul 19 2004 "C:\Program Files\Dell Support\DSAgnt.exe"
306688 Jul 19 2004 "C:\Program Files\Dell Support\bak\DSAgnt.exe"
86102 Dec 3 2002 "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
86102 Dec 3 2002 "C:\Program Files\Lexmark X5100 Series\bak\lxbabmgr.exe"
77824 Jan 15 2004 "C:\Program Files\QuickTime\qttask.exe"
77824 Jan 15 2004 "C:\Program Files\QuickTime\bak\qttask.exe"
53248 Feb 4 2002 "C:\Program Files\REGSHAVE\REGSHAVE.EXE"
53248 Feb 4 2002 "C:\Program Files\REGSHAVE\bak\REGSHAVE.EXE"
95960 Jul 6 2005 "C:\Program Files\SymNetDrv\SNDMon.exe"
95960 Jul 6 2005 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"
28672 Aug 13 2003 "C:\WINDOWS\SYSTEM32\DSentry.exe"
28672 Aug 13 2003 "C:\WINDOWS\SYSTEM32\bak\DSentry.exe"
327680 May 22 2003 "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
327680 May 22 2003 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
54296 Dec 2 2003 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
54296 Dec 2 2003 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
58392 Dec 2 2003 "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
58392 Dec 2 2003 "C:\Program Files\Common Files\Symantec Shared\bak\ccRegVfy.exe"
208560 Nov 1 2002 "C:\Program Files\Dell\AccessDirect\dadapp.exe"
208560 Nov 1 2002 "C:\Program Files\Dell\AccessDirect\bak\dadapp.exe"
204800 Sep 23 2003 "C:\Program Files\Dell\Media Experience\PCMService.exe"
204800 Sep 23 2003 "C:\Program Files\Dell\Media Experience\bak\PCMService.exe"
368640 Jun 20 2003 "C:\Program Files\Dell\QuickSet\quickset.exe"
368640 Jun 20 2003 "C:\Program Files\Dell\QuickSet\bak\quickset.exe"
53248 Oct 6 2003 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
53248 Feb 27 2006 "C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mmtask.exe"
53248 Oct 6 2003 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mmtask.exe"
118784 Oct 6 2003 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
135168 Feb 27 2006 "C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mm_tray.exe"
118784 Oct 6 2003 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mm_tray.exe"
610304 May 2 2003 "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
610304 May 2 2003 "C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe"
610304 May 2 2003 "C:\Program Files\Synaptics\SynTP\Media\SYNTPENH.EXE"
110592 May 2 2003 "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
110592 May 2 2003 "C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe"
110592 May 2 2003 "C:\Program Files\Synaptics\SynTP\Media\SYNTPLPR.EXE"
122941 May 31 2005 "C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe"
122941 May 31 2005 "C:\Program Files\Sonic\DLA\install\tfswctrl.exe"
122941 May 31 2005 "C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe"
151597 Jan 15 2004 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
155648 Feb 13 2003 "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe"
155648 Feb 13 2003 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"


end of report

#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 08 December 2007 - 10:53 AM

Hello,

Please double-click the FindAWF icon once again
This time we are going to remove some folders.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\WINDOWS\bak
C:\Program Files\Dell Support\bak
C:\Program Files\Lexmark X5100 Series\bak
C:\Program Files\QuickTime\bak
C:\Program Files\REGSHAVE\bak
C:\Program Files\SymNetDrv\bak
C:\WINDOWS\SYSTEM32\bak
C:\Program Files\ATI Technologies\ATI Control Panel\bak
C:\Program Files\Common Files\Symantec Shared\bak
C:\Program Files\Common Files\Symantec Shared\bak
C:\Program Files\Dell\AccessDirect\bak
C:\Program Files\Dell\Media Experience\bak
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak
C:\Program Files\Synaptics\SynTP\bak
C:\Program Files\Synaptics\SynTP\bak
C:\WINDOWS\SYSTEM32\dla\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\Common Files\Sonic\Update Manager\bak

Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log in your reply.

Thanks,
tea

#9 lkbroom

lkbroom
  • Topic Starter

  • Members
  • 14 posts

Posted 08 December 2007 - 12:53 PM

Here is the new FindAWF log. Yesterday Spysweeper ran a scan and it was not able to remove Troj/Virtum-Gen. Not sure if this is relevant information or not. Also I hope the scan didn't undo anything that you have been trying to do, or if that's even possible. Well anyway, thanks so much for your help. I obviously have no idea what's going on with my computer.



Find AWF report by noahdfear 2006
Version 1.40
Option 3 run successfully

The current date is: Sat 12/08/2007
The current time is: 11:40:52.78


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

08/27/2003 01:20 PM 94,208 SM1BG.EXE
1 File(s) 94,208 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\DELL\QUICKSET\BAK

06/20/2003 02:18 PM 368,640 quickset.exe
1 File(s) 368,640 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

94208 Aug 27 2003 "C:\WINDOWS\SM1BG.EXE"
94208 Aug 27 2003 "C:\WINDOWS\bak\SM1BG.EXE"
368640 Jun 20 2003 "C:\Program Files\Dell\QuickSet\quickset.exe"
368640 Jun 20 2003 "C:\Program Files\Dell\QuickSet\bak\quickset.exe"


end of report

#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 08 December 2007 - 12:58 PM

Hello,

You're doing fine, K? :thumbsup:

Let's do this one more time with option #3:

Please double-click the FindAWF icon once again
This time we are going to remove some folders.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:


C:\Program Files\Dell\QuickSet\bak

Next, close and click Yes to save the changes.

To finish, run Option 4.

Double-click the FindAWF icon once again.
Use the following option: Press 4 then Enter to reset domain zones.


When the program returns to the main menu, use the following option:
Press E then Enter to EXIT.

Now, please run ComboFix again and post that report in your reply, along with a new HijackThis log. How is it running now?

Thanks,
tea

#11 lkbroom

lkbroom
  • Topic Starter

  • Members
  • 14 posts

Posted 08 December 2007 - 02:03 PM

So here are the new logs. The computer seems to be running better, not as many unexplainable processes running. Is there anything I should be on the lookout for in the future? Also, do you know how this could have happened? I guess a better question is "what did happen?" I'm guessing it was some sort of virus, but it felt as though it was trying to take over my computer. Do you feel it is safe enough to do things like online banking now?


ComboFix 07-12-04.3 - LinsiKay 2007-12-08 12:41:30.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.253 [GMT -6:00]
Running from: C:\Documents and Settings\LinsiKay\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-11-08 to 2007-12-08 )))))))))))))))))))))))))))))))
.

2007-12-06 19:23 . 2003-08-27 13:20 94,208 --a------ C:\WINDOWS\SM1BG.EXE
2007-12-06 19:23 . 2003-08-13 10:27 28,672 --a------ C:\WINDOWS\SYSTEM32\DSentry.exe
2007-12-06 00:12 . 2007-12-06 00:12 53,248 --a------ C:\Documents and Settings\LinsiKay\Process.exe
2007-12-06 00:12 . 2007-12-06 00:12 11,254 --a------ C:\Documents and Settings\LinsiKay\locate.com
2007-12-03 21:28 . 2007-12-03 21:13 102,664 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2007-12-03 21:12 . 2007-12-03 21:30 <DIR> d-------- C:\Documents and Settings\LinsiKay\.housecall6.6
2007-12-03 05:54 . 2007-12-03 05:54 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2007-12-03 05:51 . 2007-12-03 05:51 <DIR> d-------- C:\Program Files\Webroot
2007-12-03 05:51 . 2007-12-03 05:51 <DIR> d-------- C:\Documents and Settings\LinsiKay\Application Data\Webroot
2007-12-03 05:51 . 2007-12-03 05:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2007-12-03 05:51 . 2007-10-01 16:40 1,526,072 --a------ C:\WINDOWS\WRSetup.dll
2007-12-03 05:51 . 2007-10-01 16:24 163,640 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ssidrv.sys
2007-12-03 05:51 . 2007-10-01 16:24 23,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sskbfd.sys
2007-12-03 05:51 . 2007-10-01 16:24 21,816 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sshrmd.sys
2007-12-03 05:51 . 2007-10-01 16:24 20,280 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SSFS0BB9.sys
2007-12-02 09:34 . 2007-12-02 09:34 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-02 09:34 . 2007-12-02 09:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-02 09:33 . 2007-12-02 09:42 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-02 09:25 . 2007-12-02 09:25 <DIR> d-------- C:\Documents and Settings\LinsiKay\Application Data\SiteAdvisor
2007-12-02 09:24 . 2007-12-02 09:24 11,508 --a------ C:\WINDOWS\SYSTEM32\Config.MPF
2007-12-02 08:46 . 2007-12-02 08:46 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-28 23:18 . 2007-12-03 23:22 <DIR> d-------- C:\Program Files\McAfee
2007-11-28 23:18 . 2007-12-03 23:22 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-11-28 22:16 . 2007-11-28 22:16 2,238 --a------ C:\WINDOWS\SYSTEM32\ClickToFindandFixErrors_US.ico
2007-11-28 22:13 . 2007-11-28 22:13 123 --a------ C:\Documents and Settings\LinsiKay\mit.bat
2007-11-28 22:12 . 2007-12-03 23:11 <DIR> d-------- C:\WINDOWS\SYSTEM32\skjlrsjp
2007-11-28 22:12 . 2007-12-03 23:20 <DIR> d-------- C:\Program Files\Iselcswj
2007-11-28 22:11 . 2007-12-03 22:04 <DIR> d-------- C:\Program Files\qhqlkvct
2007-11-28 22:11 . 2007-11-28 22:12 1,149,472 --a------ C:\Install
2007-11-28 22:10 . 2007-12-03 06:23 <DIR> d--hs---- C:\WINDOWS\TGluc2lLYXk
2007-11-28 22:09 . 2007-12-04 23:57 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-08 17:40 --------- d-----w C:\Program Files\SymNetDrv
2007-12-08 17:40 --------- d-----w C:\Program Files\REGSHAVE
2007-12-08 17:40 --------- d-----w C:\Program Files\QuickTime
2007-12-08 17:40 --------- d-----w C:\Program Files\Lexmark X5100 Series
2007-12-08 17:40 --------- d-----w C:\Program Files\Dell Support
2007-12-08 17:40 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-04 05:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-12-04 05:21 --------- d-----w C:\Program Files\Viewpoint
2007-12-04 05:04 --------- d-----w C:\Program Files\PopCap Games
2007-12-04 04:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-04 04:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-04 04:49 --------- d-----w C:\Program Files\IrfanView
2007-12-04 04:47 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-29 05:32 --------- d-----w C:\Program Files\GameHouse
2007-11-17 22:07 28,256 ----a-w C:\WINDOWS\system32\drivers\MxlW2k.sys
2007-11-14 05:41 --------- d-----w C:\Documents and Settings\LinsiKay\Application Data\U3
2007-09-12 18:52 53,248 ----a-w C:\WINDOWS\hg173.exe
2007-09-12 18:50 53,248 ----a-w C:\WINDOWS\df87173.exe
2007-01-15 16:18 830,513 --sh--w C:\WINDOWS\SECURITY\cdoalau.bak1
2007-01-15 16:21 831,372 --sh--w C:\WINDOWS\SECURITY\cdoalau.bak2
.

((((((((((((((((((((((((((((( snapshot@2007-12-05_ 0.03.33.85 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-05-31 10:33:00 122,941 ----a-w C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2004-07-19 07:51]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 03:48]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2003-10-06 10:05]
"HostManager"="C:\Program Files\Common Files\AOL\1177681878\ee\AOLSoftware.exe" [2006-09-25 18:52]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" []
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2002-08-29 05:00]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-10-01 16:40]

C:\Documents and Settings\LinsiKay\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2005-01-09 17:36:15]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^LinsiKay^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\LinsiKay\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cxexmxqt]
regsvr32 /u C:\Documents and Settings\All Users\Application Data\cxexmxqt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\io43mvuiw4kj]
C:\WINDOWS\io43mvuiw4kj.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SM1BG]
2003-08-27 13:20 94208 --a------ C:\WINDOWS\SM1BG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
2006-05-08 05:17 81920 --a------ C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uqongeny]
C:\Documents and Settings\LinsiKay\My Documents\?racle\m?iexec.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vmzufcdm]
rundll32.exe C:\Program Files\qhqlkvct\snmlidmd.dll,Init

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{11-10-0B-BC-ZN}]
C:\Documents and Settings\LinsiKay\Local Settings\Temp\T0CHD001.exe CHD001

R0 SSFS0BB9;Spy Sweeper File System Filer Driver: 0BB9;C:\WINDOWS\System32\Drivers\SSFS0BB9.SYS

.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-08 12:46:22
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-12-08 12:48:33
C:\ComboFix2.txt ... 2007-12-05 00:11
.
--- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:51:13 PM, on 12/8/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\AOL\1177681878\ee\AOLSoftware.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1177681878\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [MSConfig] "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" /auto
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1164688066171
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6066\SAService.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5445 bytes

#12 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:04 AM

Posted 08 December 2007 - 02:17 PM

Hello,

Could have been anything really... but I'm going to guess you either went to a bad site, or got a bad download of something. No, don't do any banking yet, and when you do, change all your passwords just in case. Keep an eye on those accounts for a while for any nefarious activity.

Please open Notepad and copy and paste the text present inside the code box below (don't forget to copy and paste REGEDIT4 as well):

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vmzufcdm]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uqongeny]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\io43mvuiw4kj]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cxexmxqt]

Save this as fix.reg and change the "Save as type" to "All Files" and place it on your desktop.
Double-click on it and when it asks you if you want to merge the contents to the registry, click "Yes" or "OK". You should receive a message that it was successful.

In your reply, please post a new HijackThis log and let me know how it's running now. :thumbsup: We're not done yet, but we're getting there. :blink:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#13 lkbroom

lkbroom
  • Topic Starter

  • Members
  • 14 posts
  • Local time:08:04 AM

Posted 08 December 2007 - 02:44 PM

It's running OK but Spy Sweeper is still finding Troj/Virtum-Gen and failing to quarantine it.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:39:02 PM, on 12/8/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\AOL\1177681878\ee\AOLSoftware.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1177681878\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [MSConfig] "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" /auto
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1164688066171
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6066\SAService.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5367 bytes

#14 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:04 AM

Posted 08 December 2007 - 02:53 PM

Can you please post the SpySweeper report so I can see the full path? :thumbsup:

Thank you!
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#15 lkbroom

lkbroom
  • Topic Starter

  • Members
  • 14 posts
  • Local time:08:04 AM

Posted 08 December 2007 - 03:00 PM

This is the log from the scan I ran today:

1:38 PM: ApplicationMinimized - EXIT
1:38 PM: ApplicationMinimized - ENTER
1:38 PM: Removal process completed. Elapsed time 00:00:07
1:38 PM: Quarantining All Traces: tribalfusion cookie
1:38 PM: Quarantining All Traces: trafficmp cookie
1:38 PM: Quarantining All Traces: yieldmanager cookie
1:38 PM: Quarantining All Traces: specificclick.com cookie
1:38 PM: Quarantining All Traces: apmebf cookie
1:38 PM: Quarantining All Traces: advertising cookie
1:38 PM: Quarantining All Traces: tacoda cookie
1:38 PM: Quarantining All Traces: 2o7.net cookie
1:38 PM: Quarantining All Traces: atlas dmt cookie
1:38 PM: Quarantining All Traces: atwola cookie
1:38 PM: Informational: Virus infected file c:\qoobox\quarantine\c\windows\system32\gebywuv.dll.vir not cleaned.
1:38 PM: Informational: File c:\qoobox\quarantine\c\windows\system32\gebywuv.dll.vir still infected with virus Troj/Virtum-Gen after 20 rounds of disinfection.
1:38 PM: Informational: File c:\qoobox\quarantine\c\windows\system32\gebywuv.dll.vir still infected with virus Troj/Virtum-Gen after 19 rounds of disinfection.
1:38 PM: Informational: File c:\qoobox\quarantine\c\windows\system32\gebywuv.dll.vir still infected with virus Troj/Virtum-Gen after 18 rounds of disinfection.
1:38 PM: Informational: File c:\qoobox\quarantine\c\windows\system32\gebywuv.dll.vir still infected with virus Troj/Virtum-Gen after 17 rounds of disinfection.
1:38 PM: Informational: File c:\qoobox\quarantine\c\windows\system32\gebywuv.dll.vir still infected with virus Troj/Virtum-Gen after 16 rounds of disinfection.
1:38 PM: Informational: File c:\qoobox\quarantine\c\windows\system32\gebywuv.dll.vir still infected with virus Troj/Virtum-Gen after 15 rounds of disinfection.
1:38 PM: Informational: File c:\qoobox\quarantine\c\windows\system32\gebywuv.dll.vir still infected with virus Troj/Virtum-Gen after 14 rounds of disinfection.
1:38 PM: Informational: File c:\qoobox\quarantine\c\windows\system32\gebywuv.dll.vir still infected with virus Troj/Virtum-Gen after 13 rounds of disinfection.
1:38 PM: Informational: File c:\qoobox\quarantine\c\windows\system32\gebywuv.dll.vir still infected with virus Troj/Virtum-Gen after 12 rounds of disinfection.
1:38 PM: Informational: File c:\qoobox\quarantine\c\windows\system32\gebywuv.dll.vir still infected with virus Troj/Virtum-Gen after 11 rounds of disinfection.
1:38 PM: Informational: File c:\qoobox\quarantine\c\windows\system32\gebywuv.dll.vir still infected with virus Troj/Virtum-Gen after 10 rounds of disinfection.
1:38 PM: Informational: File c:\qoobox\quarantine\c\windows\system32\gebywuv.dll.vir still infected with virus Troj/Virtum-Gen after 9 rounds of disinfection.
1:38 PM: Informational: File c:\qoobox\quarantine\c\windows\system32\gebywuv.dll.vir still infected with virus Troj/Virtum-Gen after 8 rounds of disinfection.
1:38 PM: Informational: File c:\qoobox\quarantine\c\windows\system32\gebywuv.dll.vir still infected with virus Troj/Virtum-Gen after 7 rounds of disinfection.
1:38 PM: Informational: File c:\qoobox\quarantine\c\windows\system32\gebywuv.dll.vir still infected with virus Troj/Virtum-Gen after 6 rounds of disinfection.
1:38 PM: Informational: File c:\qoobox\quarantine\c\windows\system32\gebywuv.dll.vir still infected with virus Troj/Virtum-Gen after 5 rounds of disinfection.
1:38 PM: Informational: File c:\qoobox\quarantine\c\windows\system32\gebywuv.dll.vir still infected with virus Troj/Virtum-Gen after 4 rounds of disinfection.
1:38 PM: Informational: File c:\qoobox\quarantine\c\windows\system32\gebywuv.dll.vir still infected with virus Troj/Virtum-Gen after 3 rounds of disinfection.
1:38 PM: Informational: File c:\qoobox\quarantine\c\windows\system32\gebywuv.dll.vir still infected with virus Troj/Virtum-Gen after 2 rounds of disinfection.
1:38 PM: Informational: File c:\qoobox\quarantine\c\windows\system32\gebywuv.dll.vir still infected with virus Troj/Virtum-Gen after 1 round of disinfection.
1:38 PM: Informational: Virus infected file c:\qoobox\quarantine\c\windows\system32\yayywtq.dll.vir not cleaned.
1:38 PM: Informational: File c:\qoobox\quarantine\c\windows\system32\yayywtq.dll.vir still infected with virus Troj/Virtum-Gen after 20 rounds of disinfection.
1:38 PM: Informational: File c:\qoobox\quarantine\c\windows\system32\yayywtq.dll.vir still infected with virus Troj/Virtum-Gen after 19 rounds of disinfection.
1:38 PM: Informational: File c:\qoobox\quarantine\c\windows\system32\yayywtq.dll.vir still infected with virus Troj/Virtum-Gen after 18 rounds of disinfection.
1:38 PM: Informational: File c:\qoobox\quarantine\c\windows\system32\yayywtq.dll.vir still infected with virus Troj/Virtum-Gen after 17 rounds of disinfection.
1:38 PM: Informational: File c:\qoobox\quarantine\c\windows\system32\yayywtq.dll.vir still infected with virus Troj/Virtum-Gen after 16 rounds of disinfection.
1:38 PM: Informational: File c:\qoobox\quarantine\c\windows\system32\yayywtq.dll.vir still infected with virus Troj/Virtum-Gen after 15 rounds of disinfection.
1:38 PM: Informational: File c:\qoobox\quarantine\c\windows\system32\yayywtq.dll.vir still infected with virus Troj/Virtum-Gen after 14 rounds of disinfection.
1:38 PM: Informational: File c:\qoobox\quarantine\c\windows\system32\yayywtq.dll.vir still infected with virus Troj/Virtum-Gen after 13 rounds of disinfection.
1:38 PM: Informational: File c:\qoobox\quarantine\c\windows\system32\yayywtq.dll.vir still infected with virus Troj/Virtum-Gen after 12 rounds of disinfection.
1:38 PM: Informational: File c:\qoobox\quarantine\c\windows\system32\yayywtq.dll.vir still infected with virus Troj/Virtum-Gen after 11 rounds of disinfection.
1:38 PM: Informational: File c:\qoobox\quarantine\c\windows\system32\yayywtq.dll.vir still infected with virus Troj/Virtum-Gen after 10 rounds of disinfection.
1:38 PM: Informational: File c:\qoobox\quarantine\c\windows\system32\yayywtq.dll.vir still infected with virus Troj/Virtum-Gen after 9 rounds of disinfection.
1:38 PM: Informational: File c:\qoobox\quarantine\c\windows\system32\yayywtq.dll.vir still infected with virus Troj/Virtum-Gen after 8 rounds of disinfection.
1:38 PM: Informational: File c:\qoobox\quarantine\c\windows\system32\yayywtq.dll.vir still infected with virus Troj/Virtum-Gen after 7 rounds of disinfection.
1:38 PM: Informational: File c:\qoobox\quarantine\c\windows\system32\yayywtq.dll.vir still infected with virus Troj/Virtum-Gen after 6 rounds of disinfection.
1:38 PM: Informational: File c:\qoobox\quarantine\c\windows\system32\yayywtq.dll.vir still infected with virus Troj/Virtum-Gen after 5 rounds of disinfection.
1:38 PM: Informational: File c:\qoobox\quarantine\c\windows\system32\yayywtq.dll.vir still infected with virus Troj/Virtum-Gen after 4 rounds of disinfection.
1:38 PM: Informational: File c:\qoobox\quarantine\c\windows\system32\yayywtq.dll.vir still infected with virus Troj/Virtum-Gen after 3 rounds of disinfection.
1:38 PM: Informational: File c:\qoobox\quarantine\c\windows\system32\yayywtq.dll.vir still infected with virus Troj/Virtum-Gen after 2 rounds of disinfection.
1:38 PM: Informational: File c:\qoobox\quarantine\c\windows\system32\yayywtq.dll.vir still infected with virus Troj/Virtum-Gen after 1 round of disinfection.
1:38 PM: Quarantining All Traces: Troj/Virtum-Gen
1:38 PM: Removal process initiated
1:37 PM: Sweep Status: 11 Items Detected
1:37 PM: Traces Found: 45
1:37 PM: File Sweep Complete, Elapsed Time: 00:21:45
1:37 PM: Sweep Canceled
1:37 PM: ApplicationMinimized - EXIT
1:37 PM: ApplicationMinimized - ENTER
1:35 PM: Warning: AntiVirus engine for IFO returned [Error Code DFFBFDF0] on [c:\documents and settings\linsikay\local settings\application data\mozilla\firefox\profiles\164rugbw.default\cache\abfa3408d01]
1:35 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmsbde3dc7a-fb35-473d-96cd-878d1bb03a76.tmp]
1:32 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmscd8211dd-c254-4999-babd-027ae95d0294.tmp]
1:30 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms02b0f636-d3a7-4de3-a252-8f27db4a17e7.tmp]
1:29 PM: Warning: AntiVirus engine for IFO returned [Error Code DFFBFDF0] on [c:\documents and settings\linsikay\local settings\application data\mozilla\firefox\profiles\164rugbw.default\cache\d12f57c8d01]
1:28 PM: Warning: AntiVirus engine for IFO returned [Error Code DFFBFDF0] on [c:\documents and settings\linsikay\local settings\application data\mozilla\firefox\profiles\164rugbw.default\cache\e4d03222d01]
1:26 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\linsikay\local settings\application data\mozilla\firefox\profiles\164rugbw.default\cache\2ef0dfe5d01]
1:26 PM: Warning: PerformFileOffsetMatch Failed to check file "c:\documents and settings\linsikay\local settings\application data\mozilla\firefox\profiles\164rugbw.default\cache\2ef0dfe5d01". "c:\documents and settings\linsikay\local settings\application data\mozilla\firefox\profiles\164rugbw.default\cache\2ef0dfe5d01": File not found
1:26 PM: Warning: AntiVirus engine for IFO returned [Error Code DFFBFDF0] on [c:\documents and settings\linsikay\local settings\application data\mozilla\firefox\profiles\164rugbw.default\cache\f256bb24d01]
1:26 PM: Warning: AntiVirus engine for IFO returned [Error Code DFFBFDF0] on [c:\documents and settings\linsikay\local settings\application data\mozilla\firefox\profiles\164rugbw.default\cache\bdbc7d20d01]
1:26 PM: Warning: AntiVirus engine for IFO returned [Error Code DFFBFDF0] on [c:\documents and settings\linsikay\local settings\application data\mozilla\firefox\profiles\164rugbw.default\cache\c7205e31d01]
1:23 PM: ApplicationMinimized - EXIT
1:23 PM: ApplicationMinimized - ENTER
1:22 PM: Warning: AntiVirus engine for IFO returned [Error Code DFFBFDF0] on [c:\documents and settings\linsikay\local settings\application data\mozilla\firefox\profiles\164rugbw.default\cache\cd1fa9cbd01]
1:20 PM: Warning: AntiVirus engine for IFO returned [Error Code DFFBFDF0] on [c:\documents and settings\linsikay\local settings\application data\mozilla\firefox\profiles\164rugbw.default\cache\d32203c0d01]
1:20 PM: Warning: AntiVirus engine for IFO returned [Error Code DFFBFDF0] on [c:\documents and settings\linsikay\local settings\application data\mozilla\firefox\profiles\164rugbw.default\cache\34734ec6d01]
1:20 PM: Warning: AntiVirus engine for IFO returned [Error Code DFFBFDF0] on [c:\documents and settings\linsikay\local settings\application data\mozilla\firefox\profiles\164rugbw.default\cache\d6e72a64d01]
1:20 PM: C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\yayywtq.dll.vir (ID = 0)
1:19 PM: C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\gebywuv.dll.vir (ID = 0)
1:19 PM: Found Troj/Virtum-Gen: Troj/Virtum-Gen
1:18 PM: ApplicationMinimized - EXIT
1:18 PM: ApplicationMinimized - ENTER
1:17 PM: Warning: AntiVirus engine for IFO returned [Error Code DFFBFDF0] on [c:\documents and settings\linsikay\local settings\application data\mozilla\firefox\profiles\164rugbw.default\cache\2b6e925ed01]
1:17 PM: Warning: AntiVirus engine for IFO returned [Error Code DFFBFDF0] on [c:\documents and settings\linsikay\local settings\application data\mozilla\firefox\profiles\164rugbw.default\cache\4c1f3ee2d01]
1:17 PM: ApplicationMinimized - EXIT
1:17 PM: ApplicationMinimized - ENTER
1:17 PM: Warning: AntiVirus engine for IFO returned [Error Code DFFBFDF0] on [c:\windows\system32\config\sam]
1:16 PM: Starting File Sweep
1:16 PM: Cookie Sweep Complete, Elapsed Time: 00:00:02
1:16 PM: C:\Documents and Settings\LinsiKay\Application Data\Mozilla\Firefox\Profiles\164rugbw.default\cookies.txt (ID = 3589)
1:16 PM: Found Spy Cookie: tribalfusion cookie
1:16 PM: C:\Documents and Settings\LinsiKay\Application Data\Mozilla\Firefox\Profiles\164rugbw.default\cookies.txt (ID = 3581)
1:16 PM: C:\Documents and Settings\LinsiKay\Application Data\Mozilla\Firefox\Profiles\164rugbw.default\cookies.txt (ID = 3581)
1:16 PM: C:\Documents and Settings\LinsiKay\Application Data\Mozilla\Firefox\Profiles\164rugbw.default\cookies.txt (ID = 3581)
1:16 PM: C:\Documents and Settings\LinsiKay\Application Data\Mozilla\Firefox\Profiles\164rugbw.default\cookies.txt (ID = 3581)
1:16 PM: C:\Documents and Settings\LinsiKay\Application Data\Mozilla\Firefox\Profiles\164rugbw.default\cookies.txt (ID = 3581)
1:16 PM: Found Spy Cookie: trafficmp cookie
1:16 PM: C:\Documents and Settings\LinsiKay\Application Data\Mozilla\Firefox\Profiles\164rugbw.default\cookies.txt (ID = 3751)
1:16 PM: C:\Documents and Settings\LinsiKay\Application Data\Mozilla\Firefox\Profiles\164rugbw.default\cookies.txt (ID = 3751)
1:16 PM: C:\Documents and Settings\LinsiKay\Application Data\Mozilla\Firefox\Profiles\164rugbw.default\cookies.txt (ID = 3751)
1:16 PM: C:\Documents and Settings\LinsiKay\Application Data\Mozilla\Firefox\Profiles\164rugbw.default\cookies.txt (ID = 3751)
1:16 PM: C:\Documents and Settings\LinsiKay\Application Data\Mozilla\Firefox\Profiles\164rugbw.default\cookies.txt (ID = 3751)
1:16 PM: C:\Documents and Settings\LinsiKay\Application Data\Mozilla\Firefox\Profiles\164rugbw.default\cookies.txt (ID = 3751)
1:16 PM: Found Spy Cookie: yieldmanager cookie
1:16 PM: C:\Documents and Settings\LinsiKay\Application Data\Mozilla\Firefox\Profiles\164rugbw.default\cookies.txt (ID = 3400)
1:16 PM: C:\Documents and Settings\LinsiKay\Application Data\Mozilla\Firefox\Profiles\164rugbw.default\cookies.txt (ID = 3400)
1:16 PM: C:\Documents and Settings\LinsiKay\Application Data\Mozilla\Firefox\Profiles\164rugbw.default\cookies.txt (ID = 3400)
1:16 PM: C:\Documents and Settings\LinsiKay\Application Data\Mozilla\Firefox\Profiles\164rugbw.default\cookies.txt (ID = 3400)
1:16 PM: C:\Documents and Settings\LinsiKay\Application Data\Mozilla\Firefox\Profiles\164rugbw.default\cookies.txt (ID = 3400)
1:16 PM: C:\Documents and Settings\LinsiKay\Application Data\Mozilla\Firefox\Profiles\164rugbw.default\cookies.txt (ID = 3399)
1:16 PM: C:\Documents and Settings\LinsiKay\Application Data\Mozilla\Firefox\Profiles\164rugbw.default\cookies.txt (ID = 3399)
1:16 PM: C:\Documents and Settings\LinsiKay\Application Data\Mozilla\Firefox\Profiles\164rugbw.default\cookies.txt (ID = 3399)
1:16 PM: C:\Documents and Settings\LinsiKay\Application Data\Mozilla\Firefox\Profiles\164rugbw.default\cookies.txt (ID = 3399)
1:16 PM: C:\Documents and Settings\LinsiKay\Application Data\Mozilla\Firefox\Profiles\164rugbw.default\cookies.txt (ID = 3399)
1:16 PM: C:\Documents and Settings\LinsiKay\Application Data\Mozilla\Firefox\Profiles\164rugbw.default\cookies.txt (ID = 3399)
1:16 PM: C:\Documents and Settings\LinsiKay\Application Data\Mozilla\Firefox\Profiles\164rugbw.default\cookies.txt (ID = 3400)
1:16 PM: Found Spy Cookie: specificclick.com cookie
1:16 PM: C:\Documents and Settings\LinsiKay\Application Data\Mozilla\Firefox\Profiles\164rugbw.default\cookies.txt (ID = 2229)
1:16 PM: Found Spy Cookie: apmebf cookie
1:16 PM: C:\Documents and Settings\LinsiKay\Application Data\Mozilla\Firefox\Profiles\164rugbw.default\cookies.txt (ID = 2175)
1:16 PM: C:\Documents and Settings\LinsiKay\Application Data\Mozilla\Firefox\Profiles\164rugbw.default\cookies.txt (ID = 2175)
1:16 PM: C:\Documents and Settings\LinsiKay\Application Data\Mozilla\Firefox\Profiles\164rugbw.default\cookies.txt (ID = 2175)
1:16 PM: C:\Documents and Settings\LinsiKay\Application Data\Mozilla\Firefox\Profiles\164rugbw.default\cookies.txt (ID = 2175)
1:16 PM: C:\Documents and Settings\LinsiKay\Application Data\Mozilla\Firefox\Profiles\164rugbw.default\cookies.txt (ID = 2175)
1:16 PM: Found Spy Cookie: advertising cookie
1:16 PM: C:\Documents and Settings\LinsiKay\Application Data\Mozilla\Firefox\Profiles\164rugbw.default\cookies.txt (ID = 6444)
1:16 PM: C:\Documents and Settings\LinsiKay\Application Data\Mozilla\Firefox\Profiles\164rugbw.default\cookies.txt (ID = 6444)
1:16 PM: C:\Documents and Settings\LinsiKay\Application Data\Mozilla\Firefox\Profiles\164rugbw.default\cookies.txt (ID = 6444)
1:16 PM: C:\Documents and Settings\LinsiKay\Application Data\Mozilla\Firefox\Profiles\164rugbw.default\cookies.txt (ID = 6444)
1:16 PM: C:\Documents and Settings\LinsiKay\Application Data\Mozilla\Firefox\Profiles\164rugbw.default\cookies.txt (ID = 6444)
1:16 PM: C:\Documents and Settings\LinsiKay\Application Data\Mozilla\Firefox\Profiles\164rugbw.default\cookies.txt (ID = 6444)
1:16 PM: Found Spy Cookie: tacoda cookie
1:16 PM: C:\Documents and Settings\LinsiKay\Application Data\Mozilla\Firefox\Profiles\164rugbw.default\cookies.txt (ID = 1957)
1:16 PM: C:\Documents and Settings\LinsiKay\Application Data\Mozilla\Firefox\Profiles\164rugbw.default\cookies.txt (ID = 1957)
1:16 PM: C:\Documents and Settings\LinsiKay\Application Data\Mozilla\Firefox\Profiles\164rugbw.default\cookies.txt (ID = 1957)
1:16 PM: C:\Documents and Settings\LinsiKay\Application Data\Mozilla\Firefox\Profiles\164rugbw.default\cookies.txt (ID = 1957)
1:16 PM: Found Spy Cookie: 2o7.net cookie
1:16 PM: C:\Documents and Settings\LinsiKay\Application Data\Mozilla\Firefox\Profiles\164rugbw.default\cookies.txt (ID = 2256)
1:16 PM: C:\Documents and Settings\LinsiKay\Application Data\Mozilla\Firefox\Profiles\164rugbw.default\cookies.txt (ID = 2253)
1:16 PM: Found Spy Cookie: atlas dmt cookie
1:16 PM: C:\Documents and Settings\LinsiKay\Application Data\Mozilla\Firefox\Profiles\164rugbw.default\cookies.txt (ID = 2255)
1:16 PM: Found Spy Cookie: atwola cookie
1:16 PM: Starting Cookie Sweep
1:15 PM: Registry Sweep Complete, Elapsed Time:00:00:13
1:15 PM: Starting Registry Sweep
1:15 PM: Memory Sweep Complete, Elapsed Time: 00:02:50
1:15 PM: ApplicationMinimized - EXIT
1:15 PM: ApplicationMinimized - ENTER
1:13 PM: ApplicationMinimized - EXIT
1:13 PM: ApplicationMinimized - ENTER
1:12 PM: Starting Memory Sweep
1:12 PM: Start Full Sweep
1:12 PM: Sweep initiated using definitions version 1046
12:48 PM: IE Hijack Shield: Resetting Search Page value.
Keylogger: Off
12:48: Informational: ShieldEmail: Start monitoring port 25 for mail activities
E-mail Attachment: On
12:48: Informational: ShieldEmail: Start monitoring port 110 for mail activities
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites: Off
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
File System Shield: On
Execution Shield: On
System Services Shield: On
IE Hijack Shield: On
12:48: IE Hijack Shield: Resetting Search Page value.
IE Tracking Cookies Shield: Off
12:48: Shield States
12:48: License Check Status (0): Success
12:48: Spyware Definitions: 1046
12:48: Informational: Loaded AntiVirus Engine: 2.51.0; SDK Version: 4.23E; Virus Definitions: 2007-12-07 13:07:54 (GMT)
12:46: Spy Sweeper 5.5.7.103 started
12:46: Spy Sweeper 5.5.7.103 started
12:46: | Start of Session, 2007-12-08 |
***************
11:48 AM: ApplicationMinimized - EXIT
11:48 AM: ApplicationMinimized - ENTER
11:38 AM: Informational: ShieldEmail: Start monitoring port 25 for mail activities
Keylogger: Off
11:38 AM: Informational: ShieldEmail: Start monitoring port 110 for mail activities
E-mail Attachment: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites: Off
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
File System Shield: On
Execution Shield: On
System Services Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
11:38 AM: Shield States
11:38 AM: License Check Status (0): Success
11:38 AM: Spyware Definitions: 1046
11:38 AM: Informational: Loaded AntiVirus Engine: 2.51.0; SDK Version: 4.23E; Virus Definitions: 12/7/2007 1:07:54 PM (GMT)
11:36 AM: Spy Sweeper 5.5.7.103 started
11:36 AM: Spy Sweeper 5.5.7.103 started

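Added example, not code from the thread or from Webroot: a small triage script for the Spy Sweeper session-log format quoted above. It separates hits that already sit inside ComboFix's c:\qoobox\quarantine store (the .vir copies the scanner cannot "disinfect") from hits on the live system; the quarantine-root list and the sample log lines are constructed from this post.

```python
"""Triage a Webroot Spy Sweeper session log (reverse-chronological, newest
line first) and tell hits inside an existing quarantine store apart from
hits on the live system.  Added example; not part of the thread or of
Spy Sweeper."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Quarantine stores whose contents should not count as active infections.
# Only ComboFix's folder appears in the thread; extending the list for other
# tools is left to the practitioner (assumption, not a Webroot setting).
QUARANTINE_ROOTS = (PureWindowsPath(r"c:\qoobox\quarantine"),)

TS = r"^\s*\d{1,2}:\d{2}(?: [AP]M)?: "                      # "1:19 PM: "
FOUND_RE = re.compile(TS + r"Found (?P<kind>[^:]+): (?P<name>.+)$")
PATH_RE = re.compile(TS + r"(?P<path>[A-Za-z]:\\.+?) \(ID = \d+\)$")
NOT_CLEANED_RE = re.compile(
    TS + r"Informational: Virus infected file (?P<path>.+?) not cleaned\.$")
# Lines that end the current "Found ..." group (a new sweep phase begins).
PHASE_RE = re.compile(
    TS + r"(Starting|.* Sweep Complete|Sweep Canceled|Removal process)")


def in_quarantine(path):
    """True when the path lies under one of the known quarantine roots.
    PureWindowsPath compares case-insensitively, as the log mixes cases."""
    p = PureWindowsPath(path)
    return any(root in p.parents for root in QUARANTINE_ROOTS)


def triage(log_text):
    """Return {threat name: [{"path", "already_quarantined", "cleanup_failed"}]}.

    The log lists the newest line first, so it is walked in reverse: each
    "Found X" line then precedes the path lines that belong to it, and a
    phase boundary (sweep start/complete, removal start) closes the group."""
    hits = defaultdict(list)
    not_cleaned = set()
    current = None
    for line in reversed(log_text.splitlines()):
        m = NOT_CLEANED_RE.match(line)
        if m:
            not_cleaned.add(m.group("path").lower())
            continue
        m = FOUND_RE.match(line)
        if m:
            current = m.group("name")
            continue
        m = PATH_RE.match(line)
        if m and current is not None:
            if m.group("path") not in hits[current]:   # cookies.txt repeats
                hits[current].append(m.group("path"))
            continue
        if PHASE_RE.match(line):
            current = None
    return {
        name: [{"path": p,
                "already_quarantined": in_quarantine(p),
                "cleanup_failed": p.lower() in not_cleaned} for p in paths]
        for name, paths in hits.items()
    }


def active_threats(report):
    """Threat names with at least one hit outside a known quarantine store."""
    return sorted(name for name, entries in report.items()
                  if any(not e["already_quarantined"] for e in entries))


# Constructed sample: a trimmed copy of the log lines posted in the thread.
SAMPLE_LOG = r"""
1:38 PM: Removal process completed. Elapsed time 00:00:07
1:38 PM: Quarantining All Traces: tribalfusion cookie
1:38 PM: Informational: Virus infected file c:\qoobox\quarantine\c\windows\system32\gebywuv.dll.vir not cleaned.
1:38 PM: Informational: File c:\qoobox\quarantine\c\windows\system32\gebywuv.dll.vir still infected with virus Troj/Virtum-Gen after 1 round of disinfection.
1:38 PM: Informational: Virus infected file c:\qoobox\quarantine\c\windows\system32\yayywtq.dll.vir not cleaned.
1:38 PM: Quarantining All Traces: Troj/Virtum-Gen
1:38 PM: Removal process initiated
1:37 PM: Sweep Canceled
1:20 PM: Warning: AntiVirus engine for IFO returned [Error Code DFFBFDF0] on [c:\windows\system32\config\sam]
1:20 PM: C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\yayywtq.dll.vir (ID = 0)
1:19 PM: C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\gebywuv.dll.vir (ID = 0)
1:19 PM: Found Troj/Virtum-Gen: Troj/Virtum-Gen
1:16 PM: Starting File Sweep
1:16 PM: Cookie Sweep Complete, Elapsed Time: 00:00:02
1:16 PM: C:\Documents and Settings\LinsiKay\Application Data\Mozilla\Firefox\Profiles\164rugbw.default\cookies.txt (ID = 3589)
1:16 PM: Found Spy Cookie: tribalfusion cookie
1:16 PM: Starting Cookie Sweep
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for name, entries in result.items():
        for e in entries:
            tag = "quarantined copy" if e["already_quarantined"] else "LIVE"
            print(f"{name}: {e['path']} [{tag}]"
                  + (" (cleanup failed)" if e["cleanup_failed"] else ""))
    print("still active:", active_threats(result))
```

On the posted log this reports both Troj/Virtum-Gen files as quarantined copies whose cleanup failed, and only the cookie as a live hit.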