

Infected With Trojan Spambot.g And Others


19 replies to this topic

#1 friendlymike

friendlymike

  • Members
  • 13 posts

Posted 22 August 2008 - 12:56 PM

I have multiple viruses on my computer that come and go after I reboot. The one that AVG tries to heal every time I reboot is Trojan SpamBot.g. My computer is getting slower every day and my internet connection intermittently drops its connection. I've tried Ad-Aware, Spy Sweeper, AVG 7.5, Spybot S&D, and Malwarebytes. Please look at my HijackThis log and tell me what you think. One other point of info that may help is that this computer was originally infected by the UPS virus a few weeks ago. Please help, I'm running out of options.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:56:20 PM, on 8/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Kyocera Mita\FileUtility\NsCatCom.exe
C:\Program Files\TimeClock Plus\Autoimp4.exe
C:\3apps\Catapult\3listen.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\War-ftpd\war-ftpd.exe
C:\3apps\Catapult\APPIPC.exe
C:\WINDOWS\system32\P32HELP.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Brenda MacKay\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weather.com/weather/local/48768...LocalUndeclared
O1 - Hosts: 66.197.153.197 idenupdate.motorola.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [pdfFactory Dispatcher v3] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" /source=HKLM
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Autoimp4.lnk = ?
O4 - Startup: Eagle Listener.lnk = C:\3apps\Catapult\3listen.exe
O4 - Startup: Eagle Scheduler.lnk = C:\3apps\Catapult\Sched.exe
O4 - Startup: war-ftpd.lnk = C:\Program Files\War-ftpd\war-ftpd.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Scanner File Utility.lnk = ?
O4 - Global Startup: StatusView.lnk = C:\Program Files\IDP Corporation\StatusView\StatusView.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1103145033344
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1201533136265
O17 - HKLM\System\CCS\Services\Tcpip\..\{254C845D-0E1D-4BFA-9182-71E6190B85BF}: NameServer = 68.94.156.1,68.94.157.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{254C845D-0E1D-4BFA-9182-71E6190B85BF}: NameServer = 68.94.156.1,68.94.157.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{254C845D-0E1D-4BFA-9182-71E6190B85BF}: NameServer = 68.94.156.1,68.94.157.1
O17 - HKLM\System\CS3\Services\Tcpip\..\{254C845D-0E1D-4BFA-9182-71E6190B85BF}: NameServer = 68.94.156.1,68.94.157.1
O20 - AppInit_DLLs: karina.dat
O20 - Winlogon Notify: bqidarf - C:\WINDOWS\SYSTEM32\bqidarf.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 6687 bytes


#2 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 07 September 2008 - 01:42 PM

Hello friendlymike

Welcome to BleepingComputer :thumbsup:
========================
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#3 friendlymike

friendlymike
  • Topic Starter
  • Members
  • 13 posts

Posted 08 September 2008 - 02:24 PM

Here you are... Good Luck. This computer and myself appreciate all your help in advance.

info.txt logfile of random's system information tool 2008-09-08 15:11:36

Uninstall list

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {91120000-0012-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
Ad-Aware-->MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.1.0-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A71000000002}
AT&T Yahoo! Internet Mail-->C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\Ymmapi.dll
ATI - Software Uninstall Utility-->C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AVG 7.5-->C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
Broadcom Gigabit Integrated Controller-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BE6890C7-31EF-478C-812E-1E2899ABFCA9} /l1033
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
Conexant D850 56K V.9x DFVc Modem-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1\HXFSETUP.EXE -U -Idel200fk.inf
Dell ResourceCD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
Do it Best Info-Plus Catalog-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\DoitBest\Uninst.isu"
Do it Best ODBC 2003-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{72DEC76A-4FF4-11D7-89BB-00105A5D5431}\SETUP.EXE" -l0x9 DOITUNINSTALL
Eagle for Windows-->C:\3apps\Catapult\UNE4W.EXE C:\3apps\UNE4W.LOG
FTDI USB Serial Converter Drivers-->C:\WINDOWS\system32\ftdiunin.exe C:\WINDOWS\system32\ftdiun2k.ini
HijackThis 2.0.2-->"C:\Documents and Settings\Brenda MacKay\Desktop\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB915865)-->"C:\WINDOWS\$NtUninstallKB915865$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Java™ 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Kyocera Address Book for Network FAX-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A79B3745-665C-11D6-AF01-0010B5A02D6F}\Setup.exe" -l0x9
Kyocera Address Editor for FAX-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BC07DD17-B5D7-4ED4-BB47-FC2ABD3A01E4}\Setup.exe" -l0x9
KyoceraMita Scanner File Utility-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{61C79AE1-5403-4687-AC68-28BFA5EF3895}\Setup.exe" -l0x9
Macromedia Flash Player 8-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\swflash.inf,DefaultUninstall,5
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office 2000 Premium-->MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Standard 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall STANDARDR /dll OSETUP.DLL
Microsoft Office Standard 2007-->MsiExec.exe /X{91120000-0012-0000-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
MSN-->C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
Palm Desktop-->MsiExec.exe /X{7DBBC522-F642-4D6C-A03F-22E49EB63437}
pdfFactory-->C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppinst3.exe /uninstall
Security Update for 2007 Microsoft Office System (KB951596)-->msiexec /package {91120000-0012-0000-0000-0000000FF1CE} /uninstall {1AFF2298-CC00-4A3B-866A-C62B8373794E}
Security Update for Microsoft Office Excel 2007 (KB951546)-->msiexec /package {91120000-0012-0000-0000-0000000FF1CE} /uninstall {7399DD71-8E24-4E60-B6A8-6CED89C0AC26}
Security Update for Microsoft Office PowerPoint 2007 (KB951338)-->msiexec /package {91120000-0012-0000-0000-0000000FF1CE} /uninstall {558B709B-821B-4FC5-90FC-9A8890641E77}
Security Update for Microsoft Office system 2007 (KB951808)-->msiexec /package {91120000-0012-0000-0000-0000000FF1CE} /uninstall {8F375E11-4FD6-4B89-9E2B-A76D48B51E00}
Security Update for Microsoft Office Word 2007 (KB950113)-->msiexec /package {91120000-0012-0000-0000-0000000FF1CE} /uninstall {AD72BABE-C733-4FCF-9674-4314466191B9}
Security Update for Visio 2007 (KB947590)-->msiexec /package {91120000-0012-0000-0000-0000000FF1CE} /uninstall {6BAD036C-261F-4BEF-96CF-C20678D07A41}
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950759)-->"C:\WINDOWS\$NtUninstallKB950759$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953838)-->"C:\WINDOWS\$NtUninstallKB953838$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Sierra Utilities-->C:\Program Files\Sierra On-Line\sutil32.exe uninstall
SoundMAX-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\SETUP.EXE" -l0x9
Spy Sweeper-->"C:\Program Files\Webroot\Spy Sweeper\unins000.exe"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
StatusView Workstation 2.3c-->C:\WINDOWS\uninst.exe -f"C:\Program Files\IDP Corporation\StatusView\DeIsL2.isu" -cC:\PROGRA~1\IDPCOR~1\STATUS~1\_ISREG32.DLL
Time and Chaos 6-->C:\PROGRA~1\CHAOSS~1\UNWISE.EXE C:\PROGRA~1\CHAOSS~1\Chaos6.log
TimeClock Plus 4.0 for Eagle-->C:\3apps\3UNTC4.EXE C:\3apps\3UNTC4.LOG
TimeClock Plus 4-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B7E6001D-5C1E-469E-B3EB-B44411BDD04E}\setup.exe"
Unlocker 1.8.7-->C:\Program Files\Unlocker\uninst.exe
Update for Microsoft Office Outlook 2007 (KB952142)-->msiexec /package {91120000-0012-0000-0000-0000000FF1CE} /uninstall {4AD3A076-427C-491F-A5B7-7D1DE788A756}
Update for Office 2007 (KB946691)-->msiexec /package {91120000-0012-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Outlook 2007 Junk Email Filter (kb955433)-->msiexec /package {91120000-0012-0000-0000-0000000FF1CE} /uninstall {D9806966-6AA1-4B55-9528-6748E37CEE86}
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
USA98: Streets and Destinations-->C:\WINDOWS\IsUninst.exe -fC:\Sierra\USA98\Uninst.isu
War FTP Daemon-->C:\Program Files\War-ftpd\Uninstall.exe "C:\Program Files\War-ftpd\.UnInst.inf"
Windows Internet Explorer 7-->"C:\WINDOWS\ie7\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
XM Satellite Radio-->C:\Program Files\XM Satellite Radio\uninstall.exe
Yahoo! Autosync-->MsiExec.exe /X{98B672F2-857C-4CC9-A25D-6B218077F4F6}

Hosts File

66.197.153.197 idenupdate.motorola.com
192.168.1.1 3USQLODBC # Eagle for Windows U/SQL ODBC Connection (12/20/07 23:21:38)

Security center information

AV: AVG 7.5.524

Environment variables

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 3 Stepping 4, GenuineIntel
"PROCESSOR_REVISION"=0304
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------


Logfile of random's system information tool (written by random/random)
Run by Brenda MacKay at 2008-09-08 15:11:14
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 123 GB (92%) free of 133 GB
Total RAM: 1022 MB (62% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:11:35 PM, on 9/8/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kyocera Mita\FileUtility\NsCatCom.exe
C:\Program Files\TimeClock Plus\Autoimp4.exe
C:\3apps\Catapult\3listen.exe
C:\Program Files\War-ftpd\war-ftpd.exe
C:\3apps\Catapult\APPIPC.exe
C:\WINDOWS\system32\P32HELP.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Brenda MacKay\Desktop\RSIT.exe
C:\Documents and Settings\Brenda MacKay\Desktop\Brenda MacKay.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weather.com/weather/local/48768...LocalUndeclared
O1 - Hosts: 66.197.153.197 idenupdate.motorola.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [pdfFactory Dispatcher v3] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" /source=HKLM
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1396] cmd /c del "C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Autoimp4.lnk = ?
O4 - Startup: Eagle Listener.lnk = C:\3apps\Catapult\3listen.exe
O4 - Startup: Eagle Scheduler.lnk = C:\3apps\Catapult\Sched.exe
O4 - Startup: war-ftpd.lnk = C:\Program Files\War-ftpd\war-ftpd.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Scanner File Utility.lnk = ?
O4 - Global Startup: StatusView.lnk = C:\Program Files\IDP Corporation\StatusView\StatusView.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1103145033344
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1201533136265
O17 - HKLM\System\CCS\Services\Tcpip\..\{254C845D-0E1D-4BFA-9182-71E6190B85BF}: NameServer = 68.94.156.1,68.94.157.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{254C845D-0E1D-4BFA-9182-71E6190B85BF}: NameServer = 68.94.156.1,68.94.157.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{254C845D-0E1D-4BFA-9182-71E6190B85BF}: NameServer = 68.94.156.1,68.94.157.1
O17 - HKLM\System\CS3\Services\Tcpip\..\{254C845D-0E1D-4BFA-9182-71E6190B85BF}: NameServer = 68.94.156.1,68.94.157.1
O20 - AppInit_DLLs: karina.dat
O20 - Winlogon Notify: bqidarf - bqidarf.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 6468 bytes

Scheduled tasks folder

C:\WINDOWS\tasks\wrSpySweeper20060531194538.job

Registry dump

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"=C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe [2004-06-30 1388544]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2004-08-25 339968]
"pdfFactory Dispatcher v3"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe [2006-09-26 503808]
"AVG7_CC"=C:\PROGRA~1\Grisoft\AVG7\avgcc.exe [2008-07-23 579584]
"UnlockerAssistant"=C:\Program Files\Unlocker\UnlockerAssistant.exe [2008-05-02 15872]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
"SpySweeper"=C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-01-04 5367664]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-08-18 1832272]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingD1396"=cmd /c del C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Brenda MacKay^Start Menu^Programs^Startup^HotSync Manager.lnk]
C:\PROGRA~1\Palm\HOTSYNC.EXE [2003-04-22 299008]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE
Scanner File Utility.lnk - C:\Program Files\Kyocera Mita\FileUtility\NsCatCom.exe
StatusView.lnk - C:\Program Files\IDP Corporation\StatusView\StatusView.exe

C:\Documents and Settings\Brenda MacKay\Start Menu\Programs\Startup
Autoimp4.lnk - C:\Program Files\TimeClock Plus\Autoimp4.exe
Eagle Listener.lnk - C:\3apps\Catapult\3listen.exe
Eagle Scheduler.lnk - C:\3apps\Catapult\Sched.exe
war-ftpd.lnk - C:\Program Files\War-ftpd\war-ftpd.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="karina.dat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\bqidarf]
bqidarf.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
C:\WINDOWS\system32\WRLogonNTF.dll [2008-01-04 219504]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Leo53.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Leo53.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\svcWRSSSDK]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WebrootSpySweeperService]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispScrSavPage"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\War-ftpd\war-ftpd.exe"="C:\Program Files\War-ftpd\war-ftpd.exe:*:Enabled:War FTP Daemon for Windows 9x / NT/W2000"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Grisoft\AVG7\avginet.exe"="C:\Program Files\Grisoft\AVG7\avginet.exe:*:Enabled:avginet.exe"
"C:\Program Files\Grisoft\AVG7\avgamsvr.exe"="C:\Program Files\Grisoft\AVG7\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\Program Files\Grisoft\AVG7\avgcc.exe"="C:\Program Files\Grisoft\AVG7\avgcc.exe:*:Enabled:avgcc.exe"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e94d97a-58f7-11dd-89e2-00111146bb48}]
shell\AutoRun\command - F:\LaunchU3.exe -a


File associations

.reg - open - regedit.exe "%1" %*
.scr - open - "%1" %*

List of files/folders created in the last three months

2008-09-08 15:11:14 ----D---- C:\rsit
2008-09-08 13:44:22 ----A---- C:\WINDOWS\ntbtlog.txt
2008-09-08 12:13:38 ----D---- C:\WINDOWS\ie7updates
2008-09-08 12:12:53 ----HDC---- C:\WINDOWS\ie7
2008-09-08 12:12:42 ----HDC---- C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$
2008-09-08 12:12:24 ----HDC---- C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$
2008-09-08 11:53:05 ----A---- C:\WINDOWS\system32\ieencode.dll
2008-09-08 08:43:59 ----D---- C:\Program Files\CONEXANT
2008-09-08 08:30:10 ----A---- C:\WINDOWS\imsins.BAK
2008-09-04 15:28:02 ----D---- C:\WINDOWS\WBEM
2008-09-04 15:22:57 ----A---- C:\WINDOWS\system32\javaws.exe
2008-09-04 15:22:57 ----A---- C:\WINDOWS\system32\javaw.exe
2008-09-04 15:22:57 ----A---- C:\WINDOWS\system32\java.exe
2008-09-04 15:20:49 ----D---- C:\Program Files\Java
2008-09-04 15:20:14 ----D---- C:\Program Files\Common Files\Java
2008-09-04 15:06:17 ----D---- C:\Program Files\CCleaner
2008-09-03 15:08:40 ----D---- C:\Avenger
2008-09-03 15:08:39 ----A---- C:\avenger.txt
2008-09-03 15:05:28 ----D---- C:\Program Files\Unlocker
2008-09-02 22:19:20 ----A---- C:\WINDOWS\system32\91.tmp
2008-09-02 22:17:48 ----A---- C:\WINDOWS\system32\8B.tmp
2008-09-02 07:25:29 ----A---- C:\WINDOWS\wininit.ini
2008-09-01 21:08:56 ----HD---- C:\WINDOWS\PIF
2008-08-22 10:35:22 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-08-22 10:35:22 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-22 09:50:31 ----D---- C:\Program Files\Lavasoft
2008-08-22 09:50:30 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-22 09:50:09 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-22 08:36:12 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-22 03:06:24 ----A---- C:\WINDOWS\system32\ieudinit.exe
2008-08-20 15:18:06 ----D---- C:\Program Files\War-ftpd
2008-08-14 03:03:39 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2008-08-14 03:03:31 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2008-08-14 03:03:23 ----HDC---- C:\WINDOWS\$NtUninstallKB953839$
2008-08-14 03:02:50 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2008-08-14 03:01:38 ----HDC---- C:\WINDOWS\$NtUninstallKB951072-v2$
2008-08-14 03:01:26 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2008-08-14 03:01:17 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2008-08-14 03:01:00 ----HDC---- C:\WINDOWS\$NtUninstallKB953838$
2008-08-09 03:00:43 ----HDC---- C:\WINDOWS\$NtUninstallKB951978$
2008-08-08 17:14:24 ----D---- C:\WINDOWS\Prefetch
2008-08-08 15:40:55 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2008-08-08 15:40:44 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
2008-08-08 15:40:33 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2008-08-08 15:40:22 ----HDC---- C:\WINDOWS\$NtUninstallKB951376$
2008-08-08 15:40:11 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2008-08-08 15:39:55 ----HDC---- C:\WINDOWS\$NtUninstallKB950759$
2008-08-08 15:34:52 ----D---- C:\WINDOWS\system32\scripting
2008-08-08 15:34:51 ----D---- C:\WINDOWS\l2schemas
2008-08-08 15:34:50 ----D---- C:\WINDOWS\system32\en
2008-08-08 15:34:49 ----D---- C:\WINDOWS\system32\bits
2008-08-08 15:28:19 ----D---- C:\WINDOWS\ServicePackFiles
2008-08-08 15:22:31 ----D---- C:\WINDOWS\network diagnostic
2008-08-08 15:20:58 ----D---- C:\WINDOWS\system32\ReinstallBackups
2008-08-08 15:17:11 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$
2008-08-08 15:13:52 ----D---- C:\WINDOWS\EHome
2008-08-08 14:00:25 ----N---- C:\WINDOWS\system32\wmphoto.dll
2008-08-08 14:00:18 ----N---- C:\WINDOWS\system32\wlanapi.dll
2008-08-08 14:00:14 ----N---- C:\WINDOWS\system32\windowscodecsext.dll
2008-08-08 14:00:13 ----N---- C:\WINDOWS\system32\windowscodecs.dll
2008-08-08 13:59:52 ----N---- C:\WINDOWS\system32\tspkg.dll
2008-08-08 13:59:52 ----N---- C:\WINDOWS\system32\tsgqec.dll
2008-08-08 13:59:42 ----N---- C:\WINDOWS\system32\spupdwxp.exe
2008-08-08 13:59:41 ----A---- C:\WINDOWS\system32\spdwnwxp.exe
2008-08-08 13:59:38 ----N---- C:\WINDOWS\system32\slserv.exe
2008-08-08 13:59:38 ----N---- C:\WINDOWS\system32\slrundll.exe
2008-08-08 13:59:38 ----N---- C:\WINDOWS\system32\slgen.dll
2008-08-08 13:59:38 ----N---- C:\WINDOWS\system32\slextspk.dll
2008-08-08 13:59:38 ----N---- C:\WINDOWS\system32\slcoinst.dll
2008-08-08 13:59:38 ----N---- C:\WINDOWS\slrundll.exe
2008-08-08 13:59:33 ----N---- C:\WINDOWS\system32\setupn.exe
2008-08-08 13:59:28 ----N---- C:\WINDOWS\system32\s3gnb.dll
2008-08-08 13:59:25 ----N---- C:\WINDOWS\system32\rhttpaa.dll
2008-08-08 13:59:22 ----N---- C:\WINDOWS\system32\rasqec.dll
2008-08-08 13:59:21 ----N---- C:\WINDOWS\system32\qutil.dll
2008-08-08 13:59:19 ----N---- C:\WINDOWS\system32\qcliprov.dll
2008-08-08 13:59:18 ----N---- C:\WINDOWS\system32\qagentrt.dll
2008-08-08 13:59:18 ----N---- C:\WINDOWS\system32\qagent.dll
2008-08-08 13:59:15 ----N---- C:\WINDOWS\system32\photometadatahandler.dll
2008-08-08 13:59:10 ----N---- C:\WINDOWS\system32\onex.dll
2008-08-08 13:59:04 ----N---- C:\WINDOWS\system32\nv4_disp.dll
2008-08-08 13:58:54 ----N---- C:\WINDOWS\system32\napstat.exe
2008-08-08 13:58:54 ----N---- C:\WINDOWS\system32\napmontr.dll
2008-08-08 13:58:54 ----N---- C:\WINDOWS\system32\napipsec.dll
2008-08-08 13:58:53 ----N---- C:\WINDOWS\system32\mtxparhd.dll
2008-08-08 13:58:52 ----N---- C:\WINDOWS\system32\msxml6r.dll
2008-08-08 13:58:52 ----N---- C:\WINDOWS\system32\msxml6.dll
2008-08-08 13:58:48 ----N---- C:\WINDOWS\system32\msshavmsg.dll
2008-08-08 13:58:48 ----N---- C:\WINDOWS\system32\mssha.dll
2008-08-08 13:58:25 ----N---- C:\WINDOWS\system32\mmcperf.exe
2008-08-08 13:58:25 ----N---- C:\WINDOWS\system32\mmcfxcommon.dll
2008-08-08 13:58:25 ----N---- C:\WINDOWS\system32\mmcex.dll
2008-08-08 13:58:25 ----N---- C:\WINDOWS\system32\microsoft.managementconsole.dll
2008-08-08 13:58:22 ----A---- C:\WINDOWS\system32\mdmxsdk.dll
2008-08-08 13:58:07 ----N---- C:\WINDOWS\system32\l2gpstore.dll
2008-08-08 13:58:06 ----N---- C:\WINDOWS\system32\kmsvc.dll
2008-08-08 13:58:04 ----N---- C:\WINDOWS\system32\kbdpash.dll
2008-08-08 13:58:04 ----N---- C:\WINDOWS\system32\kbdnepr.dll
2008-08-08 13:58:04 ----N---- C:\WINDOWS\system32\kbdiultn.dll
2008-08-08 13:58:04 ----N---- C:\WINDOWS\system32\kbdbhc.dll
2008-08-08 13:57:47 ----N---- C:\WINDOWS\system32\hsfcisp2.dll
2008-08-08 13:57:36 ----N---- C:\WINDOWS\system32\faxpatch.exe
2008-08-08 13:57:36 ----A---- C:\WINDOWS\002942_.tmp
2008-08-08 13:57:33 ----N---- C:\WINDOWS\system32\eapsvc.dll
2008-08-08 13:57:33 ----N---- C:\WINDOWS\system32\eapqec.dll
2008-08-08 13:57:33 ----N---- C:\WINDOWS\system32\eappprxy.dll
2008-08-08 13:57:33 ----N---- C:\WINDOWS\system32\eapphost.dll
2008-08-08 13:57:33 ----N---- C:\WINDOWS\system32\eappgnui.dll
2008-08-08 13:57:32 ----N---- C:\WINDOWS\system32\eappcfg.dll
2008-08-08 13:57:32 ----N---- C:\WINDOWS\system32\eapp3hst.dll
2008-08-08 13:57:32 ----N---- C:\WINDOWS\system32\eapolqec.dll
2008-08-08 13:57:26 ----N---- C:\WINDOWS\system32\dot3ui.dll
2008-08-08 13:57:26 ----N---- C:\WINDOWS\system32\dot3svc.dll
2008-08-08 13:57:26 ----N---- C:\WINDOWS\system32\dot3msm.dll
2008-08-08 13:57:26 ----N---- C:\WINDOWS\system32\dot3dlg.dll
2008-08-08 13:57:25 ----N---- C:\WINDOWS\system32\dot3gpclnt.dll
2008-08-08 13:57:25 ----N---- C:\WINDOWS\system32\dot3cfg.dll
2008-08-08 13:57:25 ----N---- C:\WINDOWS\system32\dot3api.dll
2008-08-08 13:57:22 ----N---- C:\WINDOWS\system32\dimsroam.dll
2008-08-08 13:57:22 ----N---- C:\WINDOWS\system32\dimsntfy.dll
2008-08-08 13:57:21 ----N---- C:\WINDOWS\system32\dhcpqec.dll
2008-08-08 13:57:16 ----N---- C:\WINDOWS\system32\credssp.dll
2008-08-08 13:57:06 ----N---- C:\WINDOWS\system32\bitsprx4.dll
2008-08-08 13:57:05 ----N---- C:\WINDOWS\system32\azroles.dll
2008-08-08 13:57:03 ----N---- C:\WINDOWS\system32\ativtmxx.dll
2008-08-08 13:57:02 ----N---- C:\WINDOWS\system32\ati3d1ag.dll
2008-08-08 13:57:02 ----N---- C:\WINDOWS\system32\ati2dvaa.dll
2008-08-08 13:56:48 ----N---- C:\WINDOWS\system32\aaclient.dll
2008-08-05 20:57:32 ----D---- C:\Documents and Settings\Brenda MacKay\Application Data\Google
2008-08-05 20:57:23 ----D---- C:\Program Files\Google
2008-08-05 20:57:23 ----D---- C:\Documents and Settings\All Users\Application Data\Google
2008-08-05 19:44:37 ----D---- C:\Documents and Settings\Brenda MacKay\Application Data\Malwarebytes
2008-08-05 19:44:31 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-05 19:44:31 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-05 17:55:38 ----A---- C:\WINDOWS\system32\msdbg2.dll
2008-08-05 15:30:31 ----A---- C:\WINDOWS\system32\5193.tmp
2008-08-05 15:01:19 ----A---- C:\WINDOWS\system32\4BCD.tmp
2008-08-05 14:57:48 ----A---- C:\WINDOWS\system32\4BB5.tmp
2008-08-05 12:57:35 ----A---- C:\WINDOWS\system32\F2F.tmp
2008-08-05 12:57:24 ----A---- C:\WINDOWS\system32\F04.tmp
2008-08-05 12:57:04 ----A---- C:\WINDOWS\system32\EC7.tmp
2008-07-23 17:19:39 ----RHD---- C:\$VAULT$.AVG
2008-07-23 16:38:59 ----AD---- C:\Documents and Settings\Brenda MacKay\Application Data\AVG7
2008-07-23 16:38:44 ----D---- C:\Program Files\Grisoft
2008-07-23 16:38:44 ----D---- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-07-23 16:38:44 ----D---- C:\Documents and Settings\All Users\Application Data\avg7
2008-07-23 16:37:42 ----D---- C:\Documents and Settings\Brenda MacKay\Application Data\U3
2008-07-23 12:39:19 ----A---- C:\WINDOWS\system32\MRT.INI
2008-07-09 03:00:33 ----HDC---- C:\WINDOWS\$NtUninstallKB951748_0$
2008-06-20 03:00:36 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2_0$
2008-06-12 11:27:44 ----A---- C:\WINDOWS\system32\nlsdl.dll
2008-06-12 11:27:42 ----A---- C:\WINDOWS\system32\normaliz.dll
2008-06-12 11:27:42 ----A---- C:\WINDOWS\system32\idndl.dll
2008-06-11 10:04:33 ----HDC---- C:\WINDOWS\$NtUninstallKB951698_0$
2008-06-11 10:04:27 ----HDC---- C:\WINDOWS\$NtUninstallKB950762_0$
2008-06-11 10:04:15 ----HDC---- C:\WINDOWS\$NtUninstallKB950759_0$
2008-06-11 10:04:08 ----HDC---- C:\WINDOWS\$NtUninstallKB950760$
2008-06-11 10:04:00 ----HDC---- C:\WINDOWS\$NtUninstallKB951376_0$
2008-06-10 09:34:03 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe

List of drivers

R1 Avg7Core;AVG7 Kernel; C:\WINDOWS\system32\System32\Drivers\avg7core.sys []
R1 Avg7RsW;AVG7 Wrap Driver; C:\WINDOWS\system32\System32\Drivers\avg7rsw.sys []
R1 Avg7RsXP;AVG7 Resident Driver XP; C:\WINDOWS\system32\System32\Drivers\avg7rsxp.sys []
R1 AvgClean;AVG7 Clean Driver; C:\WINDOWS\system32\System32\Drivers\avgclean.sys []
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 OMCI;OMCI; C:\WINDOWS\system32\SYSTEM32\DRIVERS\OMCI.SYS []
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2003-04-09 11043]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2004-08-25 787456]
R3 b57w2k;Broadcom NetXtreme 57xx Gigabit Controller; C:\WINDOWS\system32\DRIVERS\b57xp32.sys [2004-04-29 186112]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2003-11-17 1042432]
R3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys [2003-11-17 212224]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 senfilt;senfilt; C:\WINDOWS\system32\drivers\senfilt.sys [2004-04-26 381056]
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2004-08-13 258368]
R3 SSKBFD;Webroot Spy Sweeper Keylogger Shield Keyboard Filter; C:\WINDOWS\System32\Drivers\sskbfd.sys [2008-01-04 23920]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2003-11-17 680704]
S3 FTDIBUS;USB Serial Converter Driver; C:\WINDOWS\system32\drivers\ftdibus.sys [2002-04-03 18102]
S3 FTSER2K;USB Serial Port Driver; C:\WINDOWS\system32\drivers\ftser2k.sys [2002-04-03 49457]
S3 tcpsr;tcpsr; \??\C:\WINDOWS\System32\drivers\tcpsr.sys []
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\system32\DRIVERS\sr.sys []

List of services

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-08-22 611664]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2004-08-25 389120]
R2 Avg7Alrt;AVG7 Alert Manager Server; C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe [2008-07-23 418816]
R2 Avg7UpdSvc;AVG7 Update Service; C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe [2008-07-23 49664]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine; C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe [2008-01-04 3572592]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2004-08-25 516096]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]

-----------------EOF-----------------

#4 kahdah
  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 08 September 2008 - 08:00 PM

You are welcome :thumbsup:

Please, for now, uninstall Spybot, as it will get in the way of removing malware; you can re-install it after we are done.
Thanks.

Please disable SpySweeper, as it may hinder the removal of some entries. You can re-enable it after you're clean.

To disable SpySweeper Shields
  • Click Shields on the left.
  • Click Internet Explorer and uncheck all items.
  • Click Windows System and uncheck all items.
  • Click Startup Programs and uncheck all items.
  • Click Browser Add-Ons and uncheck all items.
  • Exit Spysweeper.
==================
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
You can use the download for Service Pack 2.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#5 friendlymike
  • Topic Starter
  • Members
  • 13 posts

Posted 09 September 2008 - 08:15 AM

Hello Kahdah, here is my ComboFix log file. Spybot popped up after the reboot and wanted me to allow or deny SpySweeper and a few other files. I allowed the ones I thought were OK and denied the ones I didn't know. I hope I did the right thing. I must not have turned it off properly. I'll be waiting anxiously to hear what you have to say. Good luck!

ComboFix 08-09-05.10 - Brenda MacKay 2008-09-09 8:53:27.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.664 [GMT -4:00]
Running from: C:\Documents and Settings\Brenda MacKay\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\Leo53.sys
C:\WINDOWS\system32\drivers\tcpsr.sys
C:\WINDOWS\system32\setup.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LEO53
-------\Service_Leo53
-------\Service_tcpsr


((((((((((((((((((((((((( Files Created from 2008-08-09 to 2008-09-09 )))))))))))))))))))))))))))))))
.

2008-09-09 08:34 . 2008-09-09 08:34 21,504 --a------ C:\WINDOWS\system32\bqidarf32.dll
2008-09-09 08:09 . 2008-09-09 08:09 21,504 --a------ C:\WINDOWS\system32\bqidarf.dll
2008-09-08 15:11 . 2008-09-08 15:11 <DIR> d-------- C:\rsit
2008-09-08 12:10 . 2008-06-23 12:57 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-09-08 12:10 . 2007-04-17 05:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-09-08 12:10 . 2007-03-08 01:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-09-08 12:10 . 2008-06-23 12:57 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-09-08 12:10 . 2008-06-23 12:57 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-09-08 12:10 . 2008-06-23 12:57 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-09-08 12:10 . 2008-06-23 12:57 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-09-08 12:10 . 2008-06-23 12:57 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-09-08 12:10 . 2008-06-23 05:20 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-09-08 11:53 . 2008-04-13 20:11 81,920 --a------ C:\WINDOWS\system32\ieencode.dll
2008-09-08 08:53 . 2008-09-08 08:53 552 --a------ C:\WINDOWS\system32\ikhcore.cfg
2008-09-08 08:44 . 2001-08-17 13:57 16,128 --a------ C:\WINDOWS\system32\drivers\MODEMCSA.sys
2008-09-08 08:44 . 2001-08-17 13:57 16,128 --a--c--- C:\WINDOWS\system32\dllcache\modemcsa.sys
2008-09-08 08:43 . 2008-09-08 08:43 <DIR> d-------- C:\Program Files\CONEXANT
2008-09-08 08:30 . 2008-09-08 12:14 1,355 --a------ C:\WINDOWS\imsins.BAK
2008-09-04 15:35 . 2008-09-04 15:35 <DIR> d--hs---- C:\Documents and Settings\Brenda MacKay\PrivacIE
2008-09-04 15:22 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-09-04 15:20 . 2008-09-04 15:22 <DIR> d-------- C:\Program Files\Java
2008-09-04 15:20 . 2008-09-04 15:20 <DIR> d-------- C:\Program Files\Common Files\Java
2008-09-04 15:06 . 2008-09-04 15:06 <DIR> d-------- C:\Program Files\CCleaner
2008-09-03 15:05 . 2008-09-03 20:54 <DIR> d-------- C:\Program Files\Unlocker
2008-09-02 22:19 . 2008-09-02 22:19 0 --a------ C:\WINDOWS\system32\91.tmp
2008-09-02 22:17 . 2008-09-02 22:17 0 --a------ C:\WINDOWS\system32\8B.tmp
2008-09-02 07:25 . 2008-09-03 22:28 1,293 --a------ C:\WINDOWS\wininit.ini
2008-09-01 21:08 . 2008-09-01 21:08 <DIR> d--h----- C:\WINDOWS\PIF
2008-08-22 10:35 . 2008-08-22 10:37 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-22 10:35 . 2008-09-08 08:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-22 09:50 . 2008-08-22 09:50 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-22 09:50 . 2008-08-22 09:50 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-22 09:50 . 2008-08-22 09:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-22 08:36 . 2008-09-08 08:58 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-20 15:18 . 2008-09-09 08:51 <DIR> d-------- C:\Program Files\War-ftpd
2008-08-13 22:12 . 2008-04-11 15:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-13 22:12 . 2008-05-01 10:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-09 08:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-09-05 13:42 --------- d-----w C:\Program Files\Google
2008-09-03 14:43 --------- d-----w C:\Program Files\TimeClock Plus
2008-09-03 13:52 --------- d-----w C:\Program Files\Windows Desktop Search
2008-09-02 18:54 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-09-02 04:16 38,528 ----a-w C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-02 04:16 17,200 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-08-30 16:31 --------- d---a-w C:\Documents and Settings\Brenda MacKay\Application Data\AVG7
2008-08-14 07:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-06 01:02 --------- d-----w C:\Program Files\Yahoo!
2008-08-05 23:44 --------- d-----w C:\Documents and Settings\Brenda MacKay\Application Data\Malwarebytes
2008-08-05 23:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-23 20:48 --------- d-----w C:\Documents and Settings\Brenda MacKay\Application Data\U3
2008-07-23 20:38 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-07-23 20:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-07-23 16:40 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-07-21 21:24 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\Yahoo!
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingD1396"="del" [X]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-06-30 1388544]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"pdfFactory Dispatcher v3"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [2006-09-26 503808]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-07-23 579584]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"lphcnujj0eed5"="C:\WINDOWS\system32\lphcnujj0eed5.exe" [2008-09-09 203776]
"inrhcjujj0eed5"="C:\WINDOWS\temp\.ttE.tmp.exe" [2008-09-09 1613529]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-07-23 219136]

C:\Documents and Settings\Brenda MacKay\Start Menu\Programs\Startup\
Autoimp4.lnk - C:\Program Files\TimeClock Plus\Autoimp4.exe [2004-12-15 262144]
Eagle Listener.lnk - C:\3apps\Catapult\3listen.exe [2004-12-18 552960]
Eagle Scheduler.lnk - C:\3apps\Catapult\Sched.exe [2004-12-18 339968]
war-ftpd.lnk - C:\Program Files\War-ftpd\war-ftpd.exe [2008-08-20 626688]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-18 65588]
Scanner File Utility.lnk - C:\Program Files\Kyocera Mita\FileUtility\NsCatCom.exe [2006-10-31 311296]
StatusView.lnk - C:\Program Files\IDP Corporation\StatusView\StatusView.exe [2004-12-15 1368064]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"= 1 (0x1)
"NoDispScrSavPage"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bqidarf]
2008-09-09 08:34 21504 C:\WINDOWS\system32\bqidarf32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Leo53.sys]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^Brenda MacKay^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\Brenda MacKay\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 20:12 1695232 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\War-ftpd\\war-ftpd.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e94d97a-58f7-11dd-89e2-00111146bb48}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.weather.com/weather/local/48768?lswe=48768&lwsa=WeatherLocalUndeclared
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7GZEZ
R0 -: HKLM-Main,Search Bar =
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O17 -: HKLM\CCS\Interface\{254C845D-0E1D-4BFA-9182-71E6190B85BF}: NameServer = 68.94.156.1,68.94.157.1
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-09 08:56:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\bqidarf32.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\3apps\Catapult\APPIPC.exe
C:\WINDOWS\system32\P32help.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\temp\lbjA.tmp
C:\WINDOWS\temp\.ttE.tmp
.
**************************************************************************
.
Completion time: 2008-09-09 8:58:24 - machine was rebooted [Brenda MacKay]
ComboFix-quarantined-files.txt 2008-09-09 12:58:19

Pre-Run: 128,456,712,192 bytes free
Post-Run: 128,527,974,400 bytes free

182 --- E O F --- 2008-09-09 11:34:18

#6 kahdah
  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 09 September 2008 - 09:42 AM

Hi, please uninstall Spybot first; it will interfere with what we are doing. You can re-install it when we are done.

1. Please open Notepad
  • Click Start, then Run.
  • Type notepad in the Run box, then hit OK.
2. Now copy/paste the entire content of the codebox below into the Notepad window:


Collect::
C:\WINDOWS\system32\bqidarf32.dll
C:\WINDOWS\system32\bqidarf.dll
C:\WINDOWS\system32\91.tmp
C:\WINDOWS\system32\8B.tmp
C:\WINDOWS\system32\lphcnujj0eed5.exe
C:\WINDOWS\temp\.ttE.tmp.exe
C:\WINDOWS\temp\lbjA.tmp
C:\WINDOWS\temp\.ttE.tmp


Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lphcnujj0eed5"=-
"inrhcjujj0eed5"=-
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=-
"NoDispScrSavPage"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bqidarf]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Leo53.sys]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e94d97a-58f7-11dd-89e2-00111146bb48}]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box; do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • A browser will open.
  • Simply follow the instructions to copy/paste/send the requested file.


#7 friendlymike

friendlymike
  • Topic Starter

  • Members
  • 13 posts

Posted 09 September 2008 - 01:58 PM

Kahdah,
Sorry I didn't follow your instructions the first time. Here is a copy of my last log file after uninstalling Spybot SD.

ComboFix 08-09-05.12 - Brenda MacKay 2008-09-09 14:46:24.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.655 [GMT -4:00]
Running from: C:\Documents and Settings\Brenda MacKay\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Brenda MacKay\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-08-09 to 2008-09-09 )))))))))))))))))))))))))))))))
.

2008-09-09 08:34 . 2008-09-09 08:34 21,504 --a------ C:\WINDOWS\system32\bqidarf32.dll
2008-09-09 08:09 . 2008-09-09 08:09 21,504 --a------ C:\WINDOWS\system32\bqidarf.dll
2008-09-08 15:11 . 2008-09-08 15:11 <DIR> d-------- C:\rsit
2008-09-08 12:10 . 2008-06-23 12:57 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-09-08 12:10 . 2007-04-17 05:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-09-08 12:10 . 2007-03-08 01:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-09-08 12:10 . 2008-06-23 12:57 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-09-08 12:10 . 2008-06-23 12:57 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-09-08 12:10 . 2008-06-23 12:57 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-09-08 12:10 . 2008-06-23 12:57 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-09-08 12:10 . 2008-06-23 12:57 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-09-08 12:10 . 2008-06-23 05:20 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-09-08 11:53 . 2008-04-13 20:11 81,920 --a------ C:\WINDOWS\system32\ieencode.dll
2008-09-08 08:53 . 2008-09-08 08:53 552 --a------ C:\WINDOWS\system32\ikhcore.cfg
2008-09-08 08:44 . 2001-08-17 13:57 16,128 --a------ C:\WINDOWS\system32\drivers\MODEMCSA.sys
2008-09-08 08:44 . 2001-08-17 13:57 16,128 --a--c--- C:\WINDOWS\system32\dllcache\modemcsa.sys
2008-09-08 08:43 . 2008-09-08 08:43 <DIR> d-------- C:\Program Files\CONEXANT
2008-09-08 08:30 . 2008-09-08 12:14 1,355 --a------ C:\WINDOWS\imsins.BAK
2008-09-04 15:35 . 2008-09-04 15:35 <DIR> d--hs---- C:\Documents and Settings\Brenda MacKay\PrivacIE
2008-09-04 15:22 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-09-04 15:20 . 2008-09-04 15:22 <DIR> d-------- C:\Program Files\Java
2008-09-04 15:20 . 2008-09-04 15:20 <DIR> d-------- C:\Program Files\Common Files\Java
2008-09-04 15:06 . 2008-09-04 15:06 <DIR> d-------- C:\Program Files\CCleaner
2008-09-03 15:05 . 2008-09-03 20:54 <DIR> d-------- C:\Program Files\Unlocker
2008-09-02 22:19 . 2008-09-02 22:19 0 --a------ C:\WINDOWS\system32\91.tmp
2008-09-02 22:17 . 2008-09-02 22:17 0 --a------ C:\WINDOWS\system32\8B.tmp
2008-09-02 07:25 . 2008-09-03 22:28 1,293 --a------ C:\WINDOWS\wininit.ini
2008-09-01 21:08 . 2008-09-01 21:08 <DIR> d--h----- C:\WINDOWS\PIF
2008-08-22 10:35 . 2008-09-09 14:23 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-22 10:35 . 2008-09-09 14:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-22 09:50 . 2008-08-22 09:50 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-22 09:50 . 2008-08-22 09:50 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-22 09:50 . 2008-08-22 09:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-22 08:36 . 2008-09-08 08:58 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-20 15:18 . 2008-09-09 14:46 <DIR> d-------- C:\Program Files\War-ftpd
2008-08-13 22:12 . 2008-04-11 15:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-13 22:12 . 2008-05-01 10:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-09 08:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-09-05 13:42 --------- d-----w C:\Program Files\Google
2008-09-03 14:43 --------- d-----w C:\Program Files\TimeClock Plus
2008-09-03 13:52 --------- d-----w C:\Program Files\Windows Desktop Search
2008-09-02 18:54 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-09-02 04:16 38,528 ----a-w C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-02 04:16 17,200 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-08-30 16:31 --------- d---a-w C:\Documents and Settings\Brenda MacKay\Application Data\AVG7
2008-08-14 07:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-06 01:02 --------- d-----w C:\Program Files\Yahoo!
2008-08-05 23:44 --------- d-----w C:\Documents and Settings\Brenda MacKay\Application Data\Malwarebytes
2008-08-05 23:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-05 21:55 265,720 ----a-w C:\WINDOWS\system32\msdbg2.dll
2008-07-23 20:48 --------- d-----w C:\Documents and Settings\Brenda MacKay\Application Data\U3
2008-07-23 20:38 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-07-23 20:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-07-23 16:40 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 02:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 02:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-12 15:27 26,144 ----a-w C:\WINDOWS\system32\spupdsvc.exe
2008-06-12 15:27 26,112 ----a-w C:\WINDOWS\system32\idndl.dll
2008-06-12 15:27 24,576 ----a-w C:\WINDOWS\system32\nlsdl.dll
2008-06-12 15:27 23,552 ----a-w C:\WINDOWS\system32\normaliz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-06-30 1388544]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"pdfFactory Dispatcher v3"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [2006-09-26 503808]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-07-23 579584]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-07-23 219136]

C:\Documents and Settings\Brenda MacKay\Start Menu\Programs\Startup\
Autoimp4.lnk - C:\Program Files\TimeClock Plus\Autoimp4.exe [2004-12-15 262144]
Eagle Listener.lnk - C:\3apps\Catapult\3listen.exe [2004-12-18 552960]
Eagle Scheduler.lnk - C:\3apps\Catapult\Sched.exe [2004-12-18 339968]
war-ftpd.lnk - C:\Program Files\War-ftpd\war-ftpd.exe [2008-08-20 626688]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-18 65588]
Scanner File Utility.lnk - C:\Program Files\Kyocera Mita\FileUtility\NsCatCom.exe [2006-10-31 311296]
StatusView.lnk - C:\Program Files\IDP Corporation\StatusView\StatusView.exe [2004-12-15 1368064]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"= 1 (0x1)
"NoDispScrSavPage"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bqidarf]
2008-09-09 08:34 21504 C:\WINDOWS\system32\bqidarf32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Brenda MacKay^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\Brenda MacKay\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 20:12 1695232 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\War-ftpd\\war-ftpd.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e94d97a-58f7-11dd-89e2-00111146bb48}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-09 14:47:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\bqidarf32.dll
.
Completion time: 2008-09-09 14:47:45
ComboFix-quarantined-files.txt 2008-09-09 18:47:42
ComboFix2.txt 2008-09-09 18:36:18
ComboFix3.txt 2008-09-09 12:58:25

Pre-Run: 128,526,266,368 bytes free
Post-Run: 128,517,988,352 bytes free

160 --- E O F --- 2008-09-09 11:34:18

Thanks again,
Friendlymike
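An added triage example, not code from this thread, from ComboFix, or from BleepingComputer: a small Python parser for the "Reg Loading Points" block of a ComboFix log that flags the same kinds of entries kahdah's CFScript targets (the Winlogon Notify DLL, the NoDisp* policy values, Security Center notifications switched off, and the firewall disabled). The embedded sample log is constructed to mirror the shape of the log above, and the function names are my own.

```python
"""Triage helper for the 'Reg Loading Points' block of a ComboFix-style log.

Added example, not part of the thread and not ComboFix code; the function
names and the embedded sample log are the author's own constructions.
"""
import re
from dataclasses import dataclass

# Constructed sample, shaped like the block posted above (values illustrative).
SAMPLE_LOG = r"""
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-06-30 1388544]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"= 1 (0x1)
"NoDispScrSavPage"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bqidarf]
2008-09-09 08:34 21504 C:\WINDOWS\system32\bqidarf32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

@dataclass
class Finding:
    severity: str  # "high" or "medium"
    key: str       # registry key the finding came from
    detail: str

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')

def parse_value(raw):
    """'1 (0x1)' and 'dword:00000001' -> int; '"C:\\x.exe" [...]' -> path; else raw."""
    raw = raw.strip()
    m = re.match(r"^dword:([0-9a-fA-F]{8})$", raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"^(-?\d+)\s*\(0x[0-9a-fA-F]+\)$", raw)
    if m:
        return int(m.group(1))
    m = re.match(r'^"([^"]*)"', raw)
    return m.group(1) if m else raw

def parse_loading_points(text):
    """Map each [key] to (named values, bare data lines such as a DLL path)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "REGEDIT4":
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = ({}, [])
            continue
        if current is None:
            continue
        m = _VALUE_RE.match(line)
        if m:
            keys[current][0][m.group(1)] = parse_value(m.group(2))
        else:
            keys[current][1].append(line)  # e.g. the DLL line under a Notify key
    return keys

def triage(text):
    """Flag the entry types the CFScript in this thread targets (ComboFix
    already hides legitimate defaults, so anything listed deserves a look)."""
    findings = []
    for key, (values, data) in parse_loading_points(text).items():
        k = key.lower()
        if "\\winlogon\\notify\\" in k:  # a DLL that winlogon.exe loads at logon
            findings.append(Finding("high", key,
                "Winlogon Notify package: " + (data[0] if data else "(no path)")))
        if k.endswith("\\policies\\system"):
            for name, val in values.items():
                if name.startswith("NoDisp") and val not in (0, "0"):
                    findings.append(Finding("medium", key, f"{name} hides a Display Properties tab"))
        if k.endswith("\\security center"):
            for name, val in values.items():
                if name.endswith("DisableNotify") and val == 1:
                    findings.append(Finding("medium", key, f"{name} silences Security Center alerts"))
        if "firewallpolicy\\standardprofile" in k and values.get("EnableFirewall") == 0:
            findings.append(Finding("high", key, "Windows Firewall disabled (standard profile)"))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.key}\n    {f.detail}")
```

Run it against the pasted block of a real log instead of SAMPLE_LOG to get the same short list of items to explain or script out.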

#8 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 09 September 2008 - 08:29 PM

No problem
=======
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\bqidarf32.dll
    C:\WINDOWS\system32\bqidarf.dll
    C:\WINDOWS\system32\91.tmp
    C:\WINDOWS\system32\8B.tmp
    HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system\\NoDispBackgroundPage
    HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system\\NoDispScrSavPage
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bqidarf
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e94d97a-58f7-11dd-89e2-00111146bb48}
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
===================================
Post that log and a new HijackThis log, and let me know how things are running.

#9 friendlymike

friendlymike
  • Topic Starter

  • Members
  • 13 posts

Posted 10 September 2008 - 07:32 AM

Kahdah,
I ran OTMoveIt2 as instructed; the log file is posted below. A few concerns you should know about. This morning, prior to running OTMoveIt2, Windows had a warning on my computer that Malicious Software Removal Tool removed a TrojanDownloader: Win32\Renos.Gen!AZ. Here is a link about it, and my wallpaper looks exactly like it even after a reboot from OTMoveIt2. http://www.microsoft.com/security/portal/E...enos.gen!AQ. I'll be waiting for your next reply. I WANT TO BEAT THIS THING.



File/Folder C:\WINDOWS\system32\bqidarf32.dll not found.
File/Folder C:\WINDOWS\system32\bqidarf.dll not found.
C:\WINDOWS\system32\91.tmp moved successfully.
C:\WINDOWS\system32\8B.tmp moved successfully.
< HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system\\NoDispBackgroundPage >
Registry value HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system\\NoDispBackgroundPage deleted successfully.
< HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system\\NoDispScrSavPage >
Registry value HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system\\NoDispScrSavPage deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bqidarf >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bqidarf\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e94d97a-58f7-11dd-89e2-00111146bb48} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e94d97a-58f7-11dd-89e2-00111146bb48}\\ deleted successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 09102008_080421


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:31:01 AM, on 9/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kyocera Mita\FileUtility\NsCatCom.exe
C:\Program Files\TimeClock Plus\Autoimp4.exe
C:\3apps\Catapult\3listen.exe
C:\Program Files\War-ftpd\war-ftpd.exe
C:\3apps\Catapult\APPIPC.exe
C:\WINDOWS\system32\P32HELP.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Brenda MacKay\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weather.com/weather/local/48768...LocalUndeclared
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [pdfFactory Dispatcher v3] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" /source=HKLM
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Autoimp4.lnk = ?
O4 - Startup: Eagle Listener.lnk = C:\3apps\Catapult\3listen.exe
O4 - Startup: Eagle Scheduler.lnk = C:\3apps\Catapult\Sched.exe
O4 - Startup: war-ftpd.lnk = C:\Program Files\War-ftpd\war-ftpd.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Scanner File Utility.lnk = ?
O4 - Global Startup: StatusView.lnk = C:\Program Files\IDP Corporation\StatusView\StatusView.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1103145033344
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1201533136265
O17 - HKLM\System\CCS\Services\Tcpip\..\{254C845D-0E1D-4BFA-9182-71E6190B85BF}: NameServer = 68.94.156.1,68.94.157.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{254C845D-0E1D-4BFA-9182-71E6190B85BF}: NameServer = 68.94.156.1,68.94.157.1
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 5554 bytes

#10 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 10 September 2008 - 09:35 AM

Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
==============================================
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#11 friendlymike

friendlymike
  • Topic Starter

  • Members
  • 13 posts

Posted 10 September 2008 - 12:52 PM

Kahdah,
Here's my last log file after running Kaspersky Online scanner.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, September 10, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, September 10, 2008 13:23:35
Records in database: 1207106
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 39953
Threat name: 1
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 00:35:45


File name / Threat name / Threats count
C:\Documents and Settings\Brenda MacKay\Local Settings\Application Data\Microsoft\Outlook\archive.pst Infected: Trojan-Spy.HTML.Bayfraud.hn 2

The selected area was scanned.

Let me know what to do next. THANKS!
Friendlymike

#12 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 10 September 2008 - 06:42 PM

I would delete your archived e-mails in that backup that was reported as infected by Kaspersky.

I would like for you to do the following:
  • Launch Malwarebytes' Anti-Malware, then click Update, then Check for updates.
  • If an update is found, it will download and install the latest version.
  • Then go back to the scanner tab, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

#13 friendlymike

friendlymike
  • Topic Starter

  • Members
  • 13 posts

Posted 11 September 2008 - 08:06 AM

Kahdah,
How do I delete the archived emails? Will I lose all my emails in the inbox, junk folder, and deleted folder if I right-click on the archive.pst file and delete it? Should I just remove the deleted items in Outlook? I have some emails in my deleted folder that I need to save. Should I move them somewhere before I delete the pst file? I am using Outlook 2007. Please advise; I'm not sure what to do and don't want to mess it up. I think we're getting close.....

friendlymike

#14 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 12 September 2008 - 04:37 AM

Hi, can you tell me if there is an Archive option under your inbox?
Or somewhere under your tree of All Mail items?

#15 friendlymike

friendlymike
  • Topic Starter

  • Members
  • 13 posts

Posted 12 September 2008 - 08:21 AM

Hi Kahdah,
There is an archive folder with inbox, deleted, outbox, sent, and search under the All Mail section. Should I delete those emails here? Please advise.

Friendlymike
