Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected Dell Smitfraud- Hijackthis And Other Logs


  • This topic is locked This topic is locked
16 replies to this topic

#1 RShea

RShea

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:11:08 PM

Posted 09 April 2008 - 04:08 PM

I've got an infected Dell running Windows XP Home. Can't get to many sites on the internet in either Intenet Explorer or Firefox. Scanned system with Anti-Virus software (reported ZLob, Smitfraud, Various online virus virus scanners (Drantivirus) and PCprivacy junk, and a number of others like AskPbar), ran the Smitfraudfix and remsmit for both user profiles on the system in safemode, did a scan with Spybot Search and Destroy which removed a number of items and is now showing clean. Don't have the system restore CD, so if this does not work then I may have to try and get one for the system. I had turned off the system restore and probably need to do it again.

I've done as much software removal through add-remove programs so the list looks pretty clean right now. But Windows Updates do not work, can't get to many on line virus scanners or update the Bitdefender that is installed on the system. The C:\Tools folder is legitimate downloads I have placed on there for removal and repair of this system. This is for only one of the 2 profiles- nothing really needs to be saved for the profiles, can easily delete and create new ones if necessary.

Latest HiJackThis log is:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:57:00 PM, on 4/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Tools\SmitfraudFix\SmiUpdate.exe
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Tools\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1060915
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [DellHelp] C:\Dell\DellHelp\DellHelp.exe /c
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9d.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 9601 bytes




MWav scan log report has been saved but is too long to include in the thread, I've tried it as an attachment but it did not complete either. Advise if you would like it or some other scan (I can't get to a few of the online scans I usually try- Kaspersky, etc. )


As I stated Spybot Search & Destroy was also used and is reporting clean. Any other tools or reports that are needed please advise.

Edited by RShea, 09 April 2008 - 04:13 PM.


BC AdBot (Login to Remove)

 


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:10:08 PM

Posted 11 April 2008 - 11:40 PM

Hello RShea,

Welcome to Bleeping Computer :blink:

Can you confirm that Ghost is the only Norton app running? Everything else looks good. Several unnecessary startups, but nothing malicious. :thumbsup:

Please download ATF Cleaner by Atribune.Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please print these instructions or copy them to Notepad (or another word processor), and save it for easier reference. This is because we will be in Safe Mode during the fix and you won’t be able to access the Internet to view these instructions.

Please download AVG Anti-Spyware Free Edition and save that file to your desktop.

This is a 30-day trial of the program -- This means that after 30 days the "background guard" protection will be de-activated. However, this version can continue to be manually updated and used as an on-demand scanner forever.
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the setup program.
  • Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
  • On the top of the main screen select the "Update" icon, then under the "Manual update" section click the "Start update" button.
  • The update will start and a progress bar will show the updates being installed.
  • Once the update has completed (the progress bar will display "Update successful!") select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the "Settings" screen:
    • Click on "Recommended actions" -> select "Quarantine".
    • Under "Reports:" -> select "Do not automatically generate reports".
  • Close AVG Anti-Spyware. Please do NOT run a scan yet!
Next, please reboot your computer into Safe Mode by doing the following:
  • Reboot your computer.
  • After hearing your computer beep once during startup, but just before the Windows icon appears, begin tapping the F8 key on your keyboard. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, reboot the computer and try again.
  • Instead of Windows loading as normal, a menu should appear.
  • Using the arrow keys on the keyboard, scroll to and select the "Safe Mode" menu item, and then press "Enter".
Then please run a scan with AVG Anti-Spyware:

IMPORTANT: Do NOT open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process.
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab. Click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
  • Once the scan is complete do the following:
    • If you have any infections you will prompted, then select the "Apply all actions" button, AVG Anti-Spyware will then display "All actions have been applied" on the right hand side.
    • Next select the "Save Report" button at the bottom.
    • Then select the "Save report as" button in the lower left hand corner of the screen and save it as a text file on your system (make sure to remember where you saved that file, this is important!).
  • Close AVG Anti-Spyware and reboot your system normally into Windows. Please post the contents of the AVG Anti-Spyware report in your next reply, along with a new HijackThis log.
Let me know how it's running now, please. :wacko:

Regards,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 RShea

RShea
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:11:08 PM

Posted 12 April 2008 - 01:18 AM

Thank you for the reply.

Re: Norton Ghost is the only Symantec software installed on this unit. It had a long time back the McAfee AV software.

The MWAV report does show a few items of concern, unfortunately the file scan log is pretty big as noted and I have not purchased the full paid version yet to attempt any cleaning of the registry items etc it is reporting. And even though the HiJackThis looks much better than it did, I suspect something with this system still.

I will download and install the AVG as recommended and report back any findings of it's scan.

The fact that so many web sites do not load, or even those that do are very slow has me concerned still. As noted I can't get to Windows Updates, Kaspersky, Bitdefender and a number of other web sites. The Spybot updates never completed and I had to download the manual updates and install them before the scan done with it. I have checked the hosts and lmhost files for entries, but they are clean.

I will also turn of system restore one more time. I have both ATF Cleaner and the CCleaner loaded in the tools folder and have run the ATF Cleaner a number of times on both user profiles. I will also try the safe mode as recommended.

Edited by RShea, 12 April 2008 - 01:21 AM.


#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:10:08 PM

Posted 12 April 2008 - 11:37 AM

Hello,

I'll be waiting for the logs. :thumbsup: PLEASE leave System Restore on!! If something goes wrong, better a dirty restore point than none at all!

Regards,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#5 RShea

RShea
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:11:08 PM

Posted 15 April 2008 - 01:17 PM

The AVG scan was pretty clean- all except 1 was cookie related and that one was listed as Adware. Couponbar with a medium rating. It was deleted. Some of the cookies were major web sites, all others that were not were deleted. Here are the full scan results:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:35:31 PM 4/15/2008

+ Scan result:



HKU\S-1-5-21-2455554510-2103155843-1835251210-1007\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{5BED3930-2E9E-76D8-BACC-80DF2188D455} -> Adware.CouponBar : Cleaned.
C:\Documents and Settings\Sexy\Cookies\sexy@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Sexy\Cookies\sexy@blockbuster.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Tippy\Cookies\tippy@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Sexy\Cookies\sexy@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned.
C:\Documents and Settings\Sexy\Cookies\sexy@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Sexy\Cookies\sexy@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Sexy\Cookies\sexy@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Tippy\Cookies\tippy@search.msn[1].txt -> TrackingCookie.Msn : Ignored.
C:\Documents and Settings\Sexy\Cookies\sexy@overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Sexy\Cookies\sexy@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Sexy\Cookies\sexy@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Sexy\Cookies\sexy@realguide.real[2].txt -> TrackingCookie.Real : Ignored.
C:\Documents and Settings\Sexy\Cookies\sexy@realmedia[2].txt -> TrackingCookie.Realmedia : Ignored.
C:\Documents and Settings\Sexy\Cookies\sexy@revsci[1].txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Sexy\Cookies\sexy@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\Sexy\Cookies\sexy@www.safer-networking[1].txt -> TrackingCookie.Safer-networking : Ignored.
C:\Documents and Settings\Tippy\Cookies\tippy@www.safer-networking[1].txt -> TrackingCookie.Safer-networking : Ignored.
C:\Documents and Settings\Sexy\Cookies\sexy@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Sexy\Cookies\sexy@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Sexy\Cookies\sexy@h.starware[1].txt -> TrackingCookie.Starware : Cleaned.
C:\Documents and Settings\Sexy\Cookies\sexy@try.starware[2].txt -> TrackingCookie.Starware : Cleaned.
C:\Documents and Settings\Sexy\Cookies\sexy@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Sexy\Cookies\sexy@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Sexy\Cookies\sexy@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:10:08 PM

Posted 15 April 2008 - 01:43 PM

Hello,

If you still have the feeling something isn't right, then let's run something more likely to find the bad stuff that might be lurking :

Please download Malwarebytes' Anti-Malware from one of these places:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire report in your next reply along with a fresh HijackThis log.


Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

Thanks,
tea

Edited by teacup61, 15 April 2008 - 01:44 PM.

Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#7 RShea

RShea
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:11:08 PM

Posted 15 April 2008 - 02:02 PM

I will try these 2 also. Thank you for the quick reply to the thread and the time spent....

I will also run another HiJack This log also and it still had one McAfee entry (McAfee came bundled on the system most likely but was not installed on the drive anywhere.)

I will report back - also plan on running a few Rootkit scans as the system will connect to the internet browse some pages but not all of them- especially most every security related page. The Updates not working for AV, Spybot etc. has me leading to issues still on this system.

#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:10:08 PM

Posted 15 April 2008 - 02:08 PM

Hello,

You're most welcome. :thumbsup: Yes, please do post back with the MBAM report. :blink:

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#9 RShea

RShea
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:11:08 PM

Posted 15 April 2008 - 04:32 PM

Well,

I may be onto something here with a pattern. I downloaded the file on another system (as I have with all the tools I've tried) and burned it to CDR. Loaded it up and the setup as you stated wanted to go out to the site for updates. It reported something like 487KB of updates and started the download - 37KB into it there was no network traffic again on this download site.

As last resort I tried a USB network card instead of the network card on the Dell motherboard. Got a new IP address under this connection and now the Spybot updates are completing, AV updates working now as I type this, and so the issue could have been this is now a clean PC but a flakey network on board. That would explain the first page coming up (Google, MSN, etc. that were tried) but any further pages would not load. The updates would start get 1 or 2 percent into the download and quit working also.

I will post and advise after some more testing if this in fact is now only a hardware issue and the system in fact is clean.

Thanks for the assistance so far on this one....

#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:10:08 PM

Posted 15 April 2008 - 07:49 PM

You know, I find that excellent news. Rather than chasing after something that might or might not be there........I know it has to relieve you too. :thumbsup:

Keep me posted. :blink:

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#11 RShea

RShea
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:11:08 PM

Posted 15 April 2008 - 08:49 PM

Now that the network connection seems more reliable, I got the updates applied to the various tools.
Spybot again with the last of the updates for the Rootkit files reports clean also.

Here is the MBAM log, I do not have a new HiJack This log (still getting all the Windows Updates downloaded and installed) so the Internet Explorer browser can't be closed until those are finished.
As soon as that is completed I will post a new HiJack This scan log.

MBAM report:

Malwarebytes' Anti-Malware 1.11
Database version: 633

Scan type: Full Scan (C:\|)
Objects scanned: 80750
Time elapsed: 35 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 17
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 8
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\urlsearchhook.softomateurlsearchhook (Adware.Softomate) -> No action taken.
HKEY_CLASSES_ROOT\urlsearchhook.softomateurlsearchhook.1 (Adware.Softomate) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{ca3eb689-8f09-4026-aa10-b9534c691ce0} (Adware.Softomate) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{4897bba6-48d9-468c-8efa-846275d7701b} (Adware.Softomate) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{4509d3cc-b642-4745-b030-645b79522c6d} (Adware.Softomate) -> No action taken.
HKEY_CLASSES_ROOT\.exe\shellex\ContextMenuHandlers\secure_del (Rogue.SecurePCCleaner) -> No action taken.
HKEY_CLASSES_ROOT\.lnk\ShellEx\ContextMenuHandlers\secure_del (Rogue.SecurePCCleaner) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\Secure Delete (Rogue.SecurePCCleaner) -> No action taken.
HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers\secure_del (Rogue.SecurePCCleaner) -> No action taken.
HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers\secure_del (Rogue.SecurePCCleaner) -> No action taken.
HKEY_CLASSES_ROOT\Drive\shellex\ContextMenuHandlers\secure_del (Rogue.SecurePCCleaner) -> No action taken.
HKEY_CLASSES_ROOT\exefile\shellex\ContextMenuHandlers\secure_del (Rogue.SecurePCCleaner) -> No action taken.
HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\secure_del (Rogue.SecurePCCleaner) -> No action taken.
HKEY_CLASSES_ROOT\lnkfile\shellex\ContextMenuHandlers\secure_del (Rogue.SecurePCCleaner) -> No action taken.
HKEY_CLASSES_ROOT\SystemFileAssociations\Directory.Audio\shellex\ContextMenuHandlers\secure_del (Rogue.SecurePCCleaner) -> No action taken.
HKEY_CLASSES_ROOT\SystemFileAssociations\Directory.Image\shellex\ContextMenuHandlers\secure_del (Rogue.SecurePCCleaner) -> No action taken.
HKEY_CLASSES_ROOT\SystemFileAssociations\Directory.Video\shellex\ContextMenuHandlers\secure_del (Rogue.SecurePCCleaner) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{b33de756-deee-4d7a-87db-1d905ba2aa21} (Rogue.Multiple) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Tippy\Application Data\antispywaresuite (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Tippy\Application Data\antispywaresuite\Logs (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\All Users\Application Data\SalesMonitor (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\All Users\Application Data\SalesMonitor\Data (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Tippy\Application Data\DriveCleaner Free (Rogue.DriveCleaner) -> No action taken.
C:\Documents and Settings\Tippy\Application Data\DriveCleaner Free\Logs (Rogue.DriveCleaner) -> No action taken.
C:\Documents and Settings\Sexy\Application Data\DriveCleaner Free (Rogue.DriveCleaner) -> No action taken.
C:\Documents and Settings\Sexy\Application Data\DriveCleaner Free\Logs (Rogue.DriveCleaner) -> No action taken.

Files Infected:
C:\Documents and Settings\Tippy\Application Data\antispywaresuite\avtasks.dat (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Tippy\Application Data\antispywaresuite\PGE.dat (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Tippy\Application Data\antispywaresuite\Logs\av.log (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Tippy\Application Data\antispywaresuite\Logs\ga6Support.log (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Tippy\Application Data\antispywaresuite\Logs\update.log (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Tippy\Application Data\DriveCleaner Free\Logs\update.log (Rogue.DriveCleaner) -> No action taken.
C:\Documents and Settings\Sexy\Application Data\DriveCleaner Free\Logs\update.log (Rogue.DriveCleaner) -> No action taken.

Edited by RShea, 15 April 2008 - 08:53 PM.


#12 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:10:08 PM

Posted 15 April 2008 - 10:00 PM

Hello,

Those say no action taken....please run it again and let the program clean them. :thumbsup:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#13 RShea

RShea
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:11:08 PM

Posted 16 April 2008 - 10:45 AM

I was not sure if the download was to scan only or if it offered cleaning and removal without purchase, so was awaiting instruction with the results provided.

I have rescanned and selected the remove/clean option. Here is a report of the results with the removal actions and a new HiJack This log.

Malwarebytes' Anti-Malware 1.11
Database version: 633

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 82768
Time elapsed: 32 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 17
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 8
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\urlsearchhook.softomateurlsearchhook (Adware.Softomate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\urlsearchhook.softomateurlsearchhook.1 (Adware.Softomate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ca3eb689-8f09-4026-aa10-b9534c691ce0} (Adware.Softomate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4897bba6-48d9-468c-8efa-846275d7701b} (Adware.Softomate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{4509d3cc-b642-4745-b030-645b79522c6d} (Adware.Softomate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.exe\shellex\ContextMenuHandlers\secure_del (Rogue.SecurePCCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.lnk\ShellEx\ContextMenuHandlers\secure_del (Rogue.SecurePCCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\Secure Delete (Rogue.SecurePCCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers\secure_del (Rogue.SecurePCCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers\secure_del (Rogue.SecurePCCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Drive\shellex\ContextMenuHandlers\secure_del (Rogue.SecurePCCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\exefile\shellex\ContextMenuHandlers\secure_del (Rogue.SecurePCCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\secure_del (Rogue.SecurePCCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\lnkfile\shellex\ContextMenuHandlers\secure_del (Rogue.SecurePCCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\SystemFileAssociations\Directory.Audio\shellex\ContextMenuHandlers\secure_del (Rogue.SecurePCCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\SystemFileAssociations\Directory.Image\shellex\ContextMenuHandlers\secure_del (Rogue.SecurePCCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\SystemFileAssociations\Directory.Video\shellex\ContextMenuHandlers\secure_del (Rogue.SecurePCCleaner) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{b33de756-deee-4d7a-87db-1d905ba2aa21} (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Tippy\Application Data\antispywaresuite (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tippy\Application Data\antispywaresuite\Logs (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SalesMonitor (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SalesMonitor\Data (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tippy\Application Data\DriveCleaner Free (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tippy\Application Data\DriveCleaner Free\Logs (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sexy\Application Data\DriveCleaner Free (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sexy\Application Data\DriveCleaner Free\Logs (Rogue.DriveCleaner) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Tippy\Application Data\antispywaresuite\avtasks.dat (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tippy\Application Data\antispywaresuite\PGE.dat (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tippy\Application Data\antispywaresuite\Logs\av.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tippy\Application Data\antispywaresuite\Logs\ga6Support.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tippy\Application Data\antispywaresuite\Logs\update.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tippy\Application Data\DriveCleaner Free\Logs\update.log (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sexy\Application Data\DriveCleaner Free\Logs\update.log (Rogue.DriveCleaner) -> Quarantined and deleted successfully.

and a new HiJack This Log after the cleaning.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:31:34 AM, on 4/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\PrevxCSI\PrevxCSI.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\PrevxCSI\PrevxCSI.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Tools\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1060915
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [DellHelp] C:\Dell\DellHelp\DellHelp.exe /c
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\PrevxCSI\PrevxCSI.exe" /bootupreg
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\\PrevxCSI.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 8617 bytes


We should be getting pretty close to resolving this.

#14 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:10:08 PM

Posted 16 April 2008 - 11:05 AM

Hello,

I would never ask you to download anything you have to pay for. :thumbsup:

I don't see anything out of the way in that log.......how is it running now? :blink:
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#15 RShea

RShea
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:11:08 PM

Posted 16 April 2008 - 11:33 AM

I removed and reinstalled the onboard network card drivers and as part of the Windows Updates there were newer ones available. I am testing that now, but much more responsive. I'll advise after a few more tests and let you know if we can close out this thread...




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users