My IP Keeps Getting Listed on the CBL


19 replies to this topic

#1 Johkr01

Posted 04 January 2009 - 07:42 PM

Hello,

I have three home computers connected to the same network:
1) Dell desktop PC hard wired to the wireless switch, running Windows XP Home Edition SP 3, CA Internet Threat Mgr, Windows Firewall enabled
2) Dell laptop, wireless, running Windows XP Home Edition SP 3, CA Internet Threat Mgr, Windows Firewall enabled.
3) Dell laptop, wireless, running Windows XP Media Center Edition SP 2, CA Internet Threat Mgr, Windows Firewall enabled.

About 2 weeks ago, I started getting notifications that I could not send email because I was being blocked by Spamhaus. When I investigated, I found out my Embarq ISP-assigned IP address (......) was listed on the Composite Blocking List (CBL). The CBL identified the problem as the Ozdok/Mega-D spambot.

I ran a Malwarebytes Anti-Malware scan on all three computers and found occurrences of the Vundo Trojan on computers 1 & 2. I cleaned these and got delisted from the CBL. A few hours later I had been relisted again. I have run Malwarebytes plus the following other utilities: CA Anti-virus/antispyware scan, Microsoft Malicious Software Removal Tool, McAfee Stinger and CCleaner. They all say my three computers are clean, but I keep getting relisted. I'm not positive, but I believe it is the desktop computer that is causing the problem. If I leave this computer powered off or disconnected from the network, I can stay off the CBL for a while, but every time I power the desktop on or plug it into the network, I get relisted in the CBL within a few hours. Other than being listed on the CBL, I am not experiencing any other problems (no slowness, mysterious pop-ups, etc.).

Can you please help me figure out what is continuously causing me to get relisted in the CBL?

Thanks in advance for your help!!

Edited by boopme, 06 January 2009 - 12:38 PM.
Removed IP Addy~~boopme
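The poster narrowed the source down by powering the desktop off and watching whether the CBL relisted the address. A faster check, added here as an example and not part of the original thread, is to look on each machine for the thing a spambot actually does: many outbound connections to TCP port 25 from a single process. The script below parses Windows XP `netstat -ano` output (a constructed sample is embedded; none of the addresses or PIDs come from the thread) and reports any PID talking SMTP to several distinct hosts.

```python
"""Spot the host/process that is talking SMTP on a home LAN.

Windows XP's `netstat -ano` lists every TCP connection with its owning PID.
A spambot of the kind the CBL flagged fans out to many remote mail servers
on TCP/25; a normal mail client talks to one relay, usually on 587.
"""
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output; not taken from the original post.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       928
  TCP    192.168.1.10:1041      192.168.1.1:80         ESTABLISHED     1652
  TCP    192.168.1.10:1188      203.0.113.25:25        SYN_SENT        1840
  TCP    192.168.1.10:1189      198.51.100.7:25        ESTABLISHED     1840
  TCP    192.168.1.10:1190      192.0.2.44:25          ESTABLISHED     1840
  TCP    192.168.1.10:1201      192.0.2.100:587        ESTABLISHED     1652
  UDP    0.0.0.0:445            *:*                                    4
"""

# One TCP row: local addr:port, remote addr:port, state, PID.
TCP_ROW = re.compile(
    r"^\s*TCP\s+(?P<lip>\S+):(?P<lport>\d+)\s+(?P<rip>\S+):(?P<rport>\d+)"
    r"\s+(?P<state>[A-Z_]+)\s+(?P<pid>\d+)\s*$"
)

SMTP_PORT = 25  # direct-to-MX delivery; 587 is what a real mail client uses


def parse_netstat(text):
    """Return the TCP rows of `netstat -ano` output as dicts with int ports/PID."""
    rows = []
    for line in text.splitlines():
        m = TCP_ROW.match(line)
        if m:
            row = m.groupdict()
            for key in ("lport", "rport", "pid"):
                row[key] = int(row[key])
            rows.append(row)
    return rows


def smtp_talkers(rows, min_peers=2):
    """Map PID -> sorted list of remote IPs for processes with outbound TCP/25
    connections to at least `min_peers` distinct hosts.  Half-open SYN_SENT
    attempts count too; the fan-out is what separates a bot from a mail client
    pointed at one relay."""
    peers = defaultdict(set)
    for row in rows:
        if row["rport"] == SMTP_PORT and row["state"] != "LISTENING":
            peers[row["pid"]].add(row["rip"])
    return {pid: sorted(ips) for pid, ips in peers.items() if len(ips) >= min_peers}


if __name__ == "__main__":
    suspects = smtp_talkers(parse_netstat(SAMPLE_NETSTAT))
    for pid, ips in suspects.items():
        # On the live box, `tasklist /fi "PID eq <pid>"` names the process.
        print(f"PID {pid} has SMTP connections to {len(ips)} hosts: {', '.join(ips)}")
```

Run `netstat -ano` on each machine, feed the output to `parse_netstat`, and look up any flagged PID with `tasklist`. One caveat that matters later in this thread: a kernel rootkit can hide its own process and connections from netstat, so a clean result on the host is not proof. The router's NAT or firewall log, or a capture taken from another machine on the LAN, shows the port-25 traffic regardless of what the infected host reports about itself.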



#2 boopme (Global Moderator)

Posted 04 January 2009 - 08:59 PM

Have you run MBAM in normal mode for all users across all machines?
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 Johkr01

Posted 04 January 2009 - 11:53 PM

Hi boopme, thanks for your reply.

I had previously only run MBAM under the user account that is normally logged on to each machine. After your suggestion, I went back and ran a MBAM scan under each user account on each machine. On the Desktop machine that I suspect has the problem, I ran full scans for all user accounts, but MBAM didn't find anything. On one of the laptops, MBAM did find and correct an error under one of the alternate, rarely used accounts (see below). As you can see from the log, this error was from a Quick Scan. I went back and ran a Full scan on the same machine/account to see if MBAM would find anything else but it didn't. This is the only error MBAM found on all the machines/accounts. Do you think this could be what has been causing my problem?

Thanks again!

Malwarebytes' Anti-Malware 1.31
Database version: 1546
Windows 5.1.2600 Service Pack 3

1/4/2009 10:47:38 PM
mbam-log-2009-01-04 (22-47-38).txt

Scan type: Quick Scan
Objects scanned: 55805
Time elapsed: 10 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by Johkr01, 05 January 2009 - 12:00 AM.


#4 boopme (Global Moderator)

Posted 05 January 2009 - 01:41 PM

Hello, hard to say for sure unless you see the difference already. OK. Though I would like you to run MBAM again (update your database) on the main machine. A quick scan in normal mode.
Then please run an SAS scan.

Next:Open MBAM and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan.
After scan click Remove Selected, Post new scan log and Reboot.

Now SAS: from safe mode, this one is long.

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


#5 Johkr01

Posted 06 January 2009 - 06:06 AM

Good morning.

Thanks for the continued advice. I wasn't sure which of my computers is the main one, so I followed your instructions on all three just to be on the safe side. Here's a summary of the results followed by the logs pasted from the Dell Desktop PC. I have the logs from the other two systems also. Please let me know if you'd like to see them. Thanks again!

Dell Desktop PC Summary of Results:
MBAM: 1 Rootkit Agent
SAS: 120+ Adware.Tracking Cookies, 3 Rogue.Component/Trace and 1 Rootkit.TDSServ-Trace

Laptop #1 Summary of Results:
MBAM: No threats found
SAS: 150+ Adware.Tracking Cookies, 1 Trace.Known Threat Sources

Laptop #2 Summary of Results:
MBAM: No threats found
SAS: 6 Adware.Tracking Cookies and 7 Rogue.Component/Trace

PASTED LOGS FROM DELL DESKTOP PC:

Malwarebytes' Anti-Malware 1.32
Database version: 1621
Windows 5.1.2600 Service Pack 3

1/5/2009 11:47:06 PM
mbam-log-2009-01-05 (23-47-06).txt

Scan type: Quick Scan
Objects scanned: 90690
Time elapsed: 29 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\Drivers\850ad61e.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/06/2009 at 03:24 AM

Application Version : 4.24.1004

Core Rules Database Version : 3696
Trace Rules Database Version: 1672

Scan type : Complete Scan
Total Scan Time : 03:20:17

Memory items scanned : 158
Memory threats detected : 0
Registry items scanned : 5336
Registry threats detected : 3
File items scanned : 86300
File threats detected : 126

Adware.Tracking Cookie
C:\Documents and Settings\Helen Johnson\Cookies\helen_johnson@adserver.adtechus[1].txt
C:\Documents and Settings\Helen Johnson\Cookies\helen_johnson@iacas.adbureau[2].txt
C:\Documents and Settings\Helen Johnson\Cookies\helen_johnson@atwola[2].txt
C:\Documents and Settings\Helen Johnson\Cookies\helen_johnson@questionmarket[1].txt
C:\Documents and Settings\Helen Johnson\Cookies\helen_johnson@dynamic.media.adrevolver[2].txt
C:\Documents and Settings\Helen Johnson\Cookies\helen_johnson@adbrite[2].txt
C:\Documents and Settings\Helen Johnson\Cookies\helen_johnson@adopt.euroclick[2].txt
C:\Documents and Settings\Helen Johnson\Cookies\helen_johnson@eb.adbureau[1].txt
C:\Documents and Settings\Helen Johnson\Cookies\helen_johnson@adopt.specificclick[1].txt
C:\Documents and Settings\Helen Johnson\Cookies\helen_johnson@specificmedia[1].txt
C:\Documents and Settings\Helen Johnson\Cookies\helen_johnson@tripod[2].txt
C:\Documents and Settings\Helen Johnson\Cookies\helen_johnson@adrevolver[1].txt
C:\Documents and Settings\Helen Johnson\Cookies\helen_johnson@cache.trafficmp[1].txt
C:\Documents and Settings\Helen Johnson\Cookies\helen_johnson@liostat.co[2].txt
C:\Documents and Settings\Helen Johnson\Cookies\helen_johnson@kontera[2].txt
C:\Documents and Settings\Helen Johnson\Cookies\helen_johnson@revsci[1].txt
C:\Documents and Settings\Helen Johnson\Cookies\helen_johnson@apmebf[1].txt
C:\Documents and Settings\Helen Johnson\Cookies\helen_johnson@interclick[2].txt
C:\Documents and Settings\Helen Johnson\Cookies\helen_johnson@ads.healthcare[1].txt
C:\Documents and Settings\Helen Johnson\Cookies\helen_johnson@cdn.at.atwola[1].txt
C:\Documents and Settings\Helen Johnson\Cookies\helen_johnson@ar.atwola[1].txt
C:\Documents and Settings\Helen Johnson\Cookies\helen_johnson@clickpass[1].txt
C:\Documents and Settings\Helen Johnson\Cookies\helen_johnson@www.burstnet[1].txt
C:\Documents and Settings\Helen Johnson\Cookies\helen_johnson@burstnet[2].txt
C:\Documents and Settings\Helen Johnson\Cookies\helen_johnson@clickoverridesystem[2].txt
C:\Documents and Settings\Helen Johnson\Cookies\helen_johnson@247realmedia[2].txt
C:\Documents and Settings\Helen Johnson\Cookies\helen_johnson@casalemedia[2].txt
C:\Documents and Settings\Helen Johnson\Cookies\helen_johnson@doubleclick[1].txt
C:\Documents and Settings\Helen Johnson\Cookies\helen_johnson@2o7[1].txt
C:\Documents and Settings\Helen Johnson\Cookies\helen_johnson@fastclick[2].txt
C:\Documents and Settings\Helen Johnson\Cookies\helen_johnson@advertising[2].txt
C:\Documents and Settings\Helen Johnson\Cookies\helen_johnson@at.atwola[1].txt
C:\Documents and Settings\Helen Johnson\Cookies\helen_johnson@atdmt[2].txt
C:\Documents and Settings\Helen Johnson\Cookies\helen_johnson@ad.yieldmanager[2].txt
C:\Documents and Settings\Helen Johnson\Cookies\helen_johnson@content.yieldmanager[2].txt
C:\Documents and Settings\Helen Johnson\Cookies\helen_johnson@media.adrevolver[1].txt
C:\Documents and Settings\Helen Johnson\Cookies\helen_johnson@ads.bleepingcomputer[1].txt
C:\Documents and Settings\Helen Johnson\Cookies\helen_johnson@content.yieldmanager.edgesuite[1].txt
C:\Documents and Settings\Helen Johnson\Cookies\helen_johnson@sbcounty[1].txt
C:\Documents and Settings\Helen Johnson\Cookies\helen_johnson@content.yieldmanager[3].txt
C:\Documents and Settings\Helen Johnson\Cookies\helen_johnson@zedo[2].txt
C:\Documents and Settings\Helen Johnson\Cookies\helen_johnson@ads.pugetsoundsoftware[1].txt
C:\Documents and Settings\Helen Johnson\Cookies\helen_johnson@tribalfusion[2].txt
C:\Documents and Settings\Helen Johnson\Cookies\helen_johnson@specificclick[2].txt
C:\Documents and Settings\Helen Johnson\Cookies\helen_johnson@trafficmp[1].txt
C:\Documents and Settings\Helen Johnson\Cookies\helen_johnson@realmedia[1].txt
C:\Documents and Settings\Helen Johnson\Cookies\helen_johnson@superstats[2].txt
C:\Documents and Settings\Guest\Cookies\guest@122.2o7[2].txt
C:\Documents and Settings\Guest\Cookies\guest@2o7[1].txt
C:\Documents and Settings\Guest\Cookies\guest@4.adbrite[1].txt
C:\Documents and Settings\Guest\Cookies\guest@ad.yieldmanager[2].txt
C:\Documents and Settings\Guest\Cookies\guest@adopt.euroclick[2].txt
C:\Documents and Settings\Guest\Cookies\guest@adopt.specificclick[1].txt
C:\Documents and Settings\Guest\Cookies\guest@adrevolver[1].txt
C:\Documents and Settings\Guest\Cookies\guest@ads.adbrite[1].txt
C:\Documents and Settings\Guest\Cookies\guest@ads.pointroll[1].txt
C:\Documents and Settings\Guest\Cookies\guest@ads.ytmnd[1].txt
C:\Documents and Settings\Guest\Cookies\guest@adserver.incgamers[1].txt
C:\Documents and Settings\Guest\Cookies\guest@adserver.mmoguru[2].txt
C:\Documents and Settings\Guest\Cookies\guest@advertising[2].txt
C:\Documents and Settings\Guest\Cookies\guest@atdmt[2].txt
C:\Documents and Settings\Guest\Cookies\guest@bluestreak[1].txt
C:\Documents and Settings\Guest\Cookies\guest@casalemedia[1].txt
C:\Documents and Settings\Guest\Cookies\guest@cbs.112.2o7[1].txt
C:\Documents and Settings\Guest\Cookies\guest@cgm.adbureau[2].txt
C:\Documents and Settings\Guest\Cookies\guest@chitika[1].txt
C:\Documents and Settings\Guest\Cookies\guest@compasshealthcare.122.2o7[1].txt
C:\Documents and Settings\Guest\Cookies\guest@doubleclick[1].txt
C:\Documents and Settings\Guest\Cookies\guest@dynamic.media.adrevolver[2].txt
C:\Documents and Settings\Guest\Cookies\guest@fastclick[2].txt
C:\Documents and Settings\Guest\Cookies\guest@imrworldwide[2].txt
C:\Documents and Settings\Guest\Cookies\guest@insightexpressai[1].txt
C:\Documents and Settings\Guest\Cookies\guest@kontera[2].txt
C:\Documents and Settings\Guest\Cookies\guest@media.adrevolver[1].txt
C:\Documents and Settings\Guest\Cookies\guest@media.adrevolver[3].txt
C:\Documents and Settings\Guest\Cookies\guest@mediaplex[1].txt
C:\Documents and Settings\Guest\Cookies\guest@msnportal.112.2o7[1].txt
C:\Documents and Settings\Guest\Cookies\guest@overture[2].txt
C:\Documents and Settings\Guest\Cookies\guest@partner2profit[2].txt
C:\Documents and Settings\Guest\Cookies\guest@perf.overture[1].txt
C:\Documents and Settings\Guest\Cookies\guest@pitchforkmedia[1].txt
C:\Documents and Settings\Guest\Cookies\guest@questionmarket[2].txt
C:\Documents and Settings\Guest\Cookies\guest@realmedia[2].txt
C:\Documents and Settings\Guest\Cookies\guest@sixapart.adbureau[1].txt
C:\Documents and Settings\Guest\Cookies\guest@specificclick[1].txt
C:\Documents and Settings\Guest\Cookies\guest@statcounter[2].txt
C:\Documents and Settings\Guest\Cookies\guest@tacoda[2].txt
C:\Documents and Settings\Guest\Cookies\guest@trafficregenerator[1].txt
C:\Documents and Settings\Guest\Cookies\guest@www.googleadservices[1].txt
C:\Documents and Settings\Guest\Cookies\guest@www.webhostingcounter[1].txt
C:\Documents and Settings\Guest\Cookies\guest@yadro[2].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine johnson@findarticles[1].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine johnson@flightstats[2].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine johnson@insightfirst[1].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@2o7[2].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@ad.yieldmanager[1].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@adinterax[2].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@adopt.euroclick[2].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@adopt.specificclick[2].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@adrevolver[2].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@ads.pointroll[1].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@advertising[2].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@atdmt[2].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@bluestreak[2].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@casalemedia[2].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@charmingshoppes.112.2o7[1].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@doubleclick[1].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@e-2dj6wgkyqnajcbo.stats.esomniture[2].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@insightexpressai[2].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@media.adrevolver[1].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@mediaplex[2].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@msnportal.112.2o7[1].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@overture[1].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@partner2profit[1].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@questionmarket[2].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@realmedia[2].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@richmedia.yahoo[2].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@server.iad.liveperson[2].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@server.iad.liveperson[3].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@shopping.112.2o7[1].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@specificclick[2].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@tacoda[1].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@www.googleadservices[1].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@www.googleadservices[2].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@www.googleadservices[3].txt

Rogue.Component/Trace
HKLM\Software\Microsoft\58130C9F
HKLM\Software\Microsoft\58130C9F#58130c9f
HKLM\Software\Microsoft\58130C9F#Version

Rootkit.TDSServ-Trace
C:\WINDOWS\SYSTEM32\TDSSOSVD.DAT
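The logs above run to hundreds of lines, almost all of them tracking cookies, while the few lines that explain the relisting (the `850ad61e.sys` driver, the `58130C9F` registry keys and `TDSSOSVD.DAT`) are easy to miss. The script below is an added example, not something from the thread or from either vendor: it parses the MBAM and SUPERAntiSpyware log formats shown above and ranks the findings so that rootkit indicators surface first. The embedded log excerpts are constructed and abridged from the desktop-PC logs, with the account names replaced by a placeholder.

```python
"""Triage MBAM and SUPERAntiSpyware scan logs: separate the cookie noise
from the handful of detections (rootkit driver, TDSS trace, rogue registry
keys) that actually explain a spambot listing."""
import re
from collections import Counter

# Constructed, abridged excerpts in the two formats posted above; the account
# name is a placeholder, the detection names and paths are from the desktop logs.
MBAM_LOG = r"""Malwarebytes' Anti-Malware 1.32
Database version: 1621
Scan type: Quick Scan
Files Infected: 1

Files Infected:
C:\WINDOWS\system32\Drivers\850ad61e.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
"""

SAS_LOG = r"""SUPERAntiSpyware Scan Log
Scan type : Complete Scan
Registry threats detected : 3
File threats detected : 126

Adware.Tracking Cookie
C:\Documents and Settings\User\Cookies\user@doubleclick[1].txt
C:\Documents and Settings\User\Cookies\user@atdmt[2].txt

Rogue.Component/Trace
HKLM\Software\Microsoft\58130C9F
HKLM\Software\Microsoft\58130C9F#Version

Rootkit.TDSServ-Trace
C:\WINDOWS\SYSTEM32\TDSSOSVD.DAT
"""

# MBAM detection line: "<item> (<family>) -> <action>"
MBAM_ITEM = re.compile(r"^(?P<item>.+?) \((?P<family>[A-Za-z0-9./\-]+)\) -> (?P<action>.+)$")
# SAS item lines start with a drive letter or a registry hive; anything else
# in the findings section is a family name.
SAS_ITEM = re.compile(r"^([A-Za-z]:\\|HK[A-Z_]*\\)")


def parse_mbam(text):
    """Return every MBAM detection line as {'item', 'family', 'action'}."""
    return [m.groupdict() for m in map(MBAM_ITEM.match, text.splitlines()) if m]


def parse_sas(text):
    """SAS prints a family name on its own line, then the items under it.
    Only lines after the 'File threats detected' counter are findings."""
    items, family, in_findings = [], None, False
    for line in text.splitlines():
        line = line.rstrip()
        if not in_findings:
            in_findings = line.startswith("File threats detected")
            continue
        if not line:
            continue
        if SAS_ITEM.match(line):
            items.append({"item": line, "family": family})
        else:
            family = line
    return items


def severity(family):
    """Rank a detection family.  A rootkit trace outranks everything: it is the
    finding that explains why earlier 'clean' scans kept missing the bot."""
    f = family.lower()
    if "rootkit" in f:
        return "critical"
    if f.startswith("adware.tracking cookie"):
        return "noise"
    if f.endswith("trace"):
        return "low"
    return "high"


def triage(mbam_text, sas_text):
    """Merge both logs into one list of findings tagged with source and severity."""
    findings = [dict(d, source="MBAM") for d in parse_mbam(mbam_text)]
    findings += [dict(d, source="SAS") for d in parse_sas(sas_text)]
    for f in findings:
        f["severity"] = severity(f["family"])
    return findings


def actionable(findings):
    """Drop the cookie noise and order what remains, worst first."""
    order = {"critical": 0, "high": 1, "low": 2}
    return sorted((f for f in findings if f["severity"] != "noise"),
                  key=lambda f: order[f["severity"]])


def summarize(findings):
    """Per-(source, family) counts, i.e. the one-line summary written by hand above."""
    return dict(sorted(Counter((f["source"], f["family"]) for f in findings).items()))


if __name__ == "__main__":
    found = triage(MBAM_LOG, SAS_LOG)
    for (src, fam), n in summarize(found).items():
        print(f"{src}: {n} x {fam}")
    for f in actionable(found):
        print(f"[{f['severity']}] {f['source']} {f['family']}: {f['item']}")
```

Feed each machine's pasted logs through `triage` and compare the `actionable` lists: on this thread's logs the desktop is the only machine with a critical finding, which matches the poster's suspicion that it is the box causing the relisting.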

#6 boopme (Global Moderator)

Posted 06 January 2009 - 10:56 AM

Hi, I got some bad news now that we have spotted this TDSS type of infection.
I would ask that you read the advisory in post 14 by quietman7. It addresses your issue with a different rootkit. Tell me how you wish to proceed, thanks.
http://www.bleepingcomputer.com/forums/t/185275/cannot-open-my-drives-due-to-resycledbootcom/

#7 Johkr01

Posted 06 January 2009 - 09:12 PM

Hello again. I read the other post as you suggested and did a little research. This does sound very serious. I have a few more questions about how to handle this as safely as possible.

1) My most immediate concern is about how far the problem may have spread. I have three computers at home, connected to an Ethernet switch/access point that is plugged into our DSL router. We don't do any online banking on the suspect Dell desktop PC, but we do use the other two laptops for banking. I'm attaching the MBAM and SAS Logs for the other two computers to the bottom of this post. Would you please look at these and advise whether you think these two computers (or my Ethernet switch or DSL router) are compromised? I definitely plan to change all my passwords for online banking and for my router, but I don't want to risk doing it from a computer or network that may already be compromised.

2) I also remembered today that I have Spector Pro software installed on the suspect Dell desktop PC for logging my child's computer activities, internet access etc. The Spector Pro install guide says spyware applications will detect this product as spyware. Another site said products such as Spector Pro are essentially rootkits. Based on this info, do you think I should try either excluding Spector Pro from the SAS scan or uninstalling Spector Pro and rescanning? Maybe my question is irrelevant since previous MBAM scans did not identify any rootkits, but I thought I would ask about it.
Here are the site references I found:
http://www.onlinesafetysite.com/P1/Spector_Install.htm
http://netsecurity.about.com/od/frequently...faq_rootkit.htm

One thing that's kind of encouraging is that I haven't been relisted on the CBL since the night of 1/4/09 when I took your original advice and rescanned all user accounts on all computers.

Please let me know what you recommend.

Thanks again for all your help and advice!

PASTED LOGS FROM TJLAPTOP:

Malwarebytes' Anti-Malware 1.32
Database version: 1621
Windows 5.1.2600 Service Pack 2

1/5/2009 10:40:01 PM
mbam-log-2009-01-05 (22-40-01).txt

Scan type: Quick Scan
Objects scanned: 58697
Time elapsed: 5 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/06/2009 at 02:19 AM

Application Version : 4.24.1004

Core Rules Database Version : 3696
Trace Rules Database Version: 1672

Scan type : Complete Scan
Total Scan Time : 03:28:49

Memory items scanned : 164
Memory threats detected : 0
Registry items scanned : 5761
Registry threats detected : 7
File items scanned : 71962
File threats detected : 6

Adware.Tracking Cookie
C:\Documents and Settings\Thomas Johnson\Cookies\thomas_johnson@atdmt[1].txt
C:\Documents and Settings\Thomas Johnson\Cookies\thomas_johnson@stats.paypal[1].txt
C:\Documents and Settings\Thomas Johnson\Cookies\thomas_johnson@paypal.112.2o7[1].txt
C:\Documents and Settings\Thomas Johnson\Cookies\thomas_johnson@pitchforkmedia[1].txt
C:\Documents and Settings\Thomas Johnson\Cookies\thomas_johnson@mint.pitchforkmedia[1].txt
C:\Documents and Settings\Thomas Johnson\Cookies\thomas_johnson@doubleclick[2].txt

Rogue.Component/Trace
HKLM\Software\Microsoft\4C4D7BE9
HKLM\Software\Microsoft\4C4D7BE9#4c4d7be9
HKLM\Software\Microsoft\4C4D7BE9#Version
HKLM\Software\Microsoft\4C4D7BE9#4c4dd669
HKLM\Software\Microsoft\4C4D7BE9#4c4dbf8c
HKU\S-1-5-21-1608024706-1463271555-2507588429-1005\Software\Microsoft\CS41275
HKU\S-1-5-21-1608024706-1463271555-2507588429-1005\Software\Microsoft\FIAS4018

PASTED LOGS FROM KJLAPTOP:

Malwarebytes' Anti-Malware 1.32
Database version: 1621
Windows 5.1.2600 Service Pack 3

1/5/2009 10:56:43 PM
mbam-log-2009-01-05 (22-56-43).txt

Scan type: Quick Scan
Objects scanned: 80732
Time elapsed: 29 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/06/2009 at 01:50 AM

Application Version : 4.24.1004

Core Rules Database Version : 3696
Trace Rules Database Version: 1672

Scan type : Complete Scan
Total Scan Time : 02:36:41

Memory items scanned : 174
Memory threats detected : 0
Registry items scanned : 6615
Registry threats detected : 0
File items scanned : 89186
File threats detected : 160

Adware.Tracking Cookie
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@charityusa.122.2o7[1].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@tacoda[1].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@adopt.specificclick[1].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@media.adrevolver[1].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@tribalfusion[1].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@www.googleadservices[2].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@sciencerevenue[2].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@burstnet[2].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@stat.dealtime[1].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@adopt.euroclick[1].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@dmtracker[1].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@content.yieldmanager[1].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@mason.112.2o7[1].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@sales.liveperson[2].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@adlegend[2].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@ad.yieldmanager[1].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@www.burstnet[1].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@accountonline[2].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@chitika[2].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@bizrate[2].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@casalemedia[2].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@www.accountonline[1].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@tripod[2].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@at.atwola[2].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@kontera[2].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@imrworldwide[2].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@roiservice[2].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@perf.overture[1].txt
C:\Documents and Settings\Kristine Johnson\Cookies\kristine_johnson@ads.bleepingcomputer[1].txt

Trace.Known Threat Sources
C:\Documents and Settings\Kristine Johnson\Local Settings\Temporary Internet Files\Content.IE5\JYETO8E5\window[1].js

#8 boopme

    To Insanity and Beyond

  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA

Posted 07 January 2009 - 06:54 PM

Hello again. Let's run 2 more items and we should know how far this went. This rootkit is not the child protection product. It has the same intention to watch, but this one phones home.

First run the Scanner portion of S!Ri's SmitfraudFix
Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm


Follow with the SDFix tool.
Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.

Edited by boopme, 07 January 2009 - 11:07 PM.

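As an added example (not part of boopme's post and not code from S!Ri's SmitfraudFix), a small Python triage script that reads the Search report requested above and flags the sections a helper reads first: a non-empty AppInit_DLLs value, a Winlogon Userinit value other than the standard userinit.exe, hosts-file entries, and the DNS resolvers in use. The sample report is constructed from the report format pasted in this thread, and the "expected" Userinit value is the one the clean reports here show.

```python
import re

# Section header as SmitfraudFix prints it: a run of "»" followed by the section name.
SECTION_RE = re.compile(r"^»+\s+(.+?)\s*$")
# Registry-export style line inside a section: "Name"="Value"
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

# The Userinit value the clean reports in this thread show; the trailing comma is part of it.
EXPECTED_USERINIT = r"C:\\WINDOWS\\system32\\userinit.exe,"


def parse_sections(report: str) -> dict:
    """Split a SmitfraudFix Search report into {section name: [non-blank lines]}."""
    sections, current = {}, None
    for line in report.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections


def registry_values(lines) -> dict:
    """Collect the "Name"="Value" pairs a section lists (other lines are ignored)."""
    values = {}
    for line in lines:
        m = VALUE_RE.match(line)
        if m:
            values[m.group(1)] = m.group(2)
    return values


def triage(report: str) -> list:
    """Return the findings a helper would look at first; an empty list means nothing stood out."""
    findings = []
    sections = parse_sections(report)

    # AppInit_DLLs: every DLL named here is loaded into each process that links user32.dll,
    # a classic persistence spot. The clean laptop report in this thread shows it empty.
    appinit = registry_values(sections.get("AppInit_DLLs", [])).get("AppInit_DLLs", "")
    if appinit:
        findings.append(f"AppInit_DLLs is not empty: {appinit}")

    # Winlogon: Userinit should name only the system userinit.exe, and System should be blank.
    winlogon = registry_values(sections.get("Winlogon", []))
    userinit = winlogon.get("Userinit")
    if userinit is not None and userinit != EXPECTED_USERINIT:
        findings.append(f"Userinit differs from the default: {userinit}")
    if winlogon.get("System"):
        findings.append(f"Winlogon System value is set: {winlogon['System']}")

    # hosts: a clean report prints nothing under this header, so any line is worth reading.
    for entry in sections.get("hosts", []):
        findings.append(f"hosts entry: {entry}")

    # DNS: list the resolvers in use so they can be checked against the user's own router
    # (192.168.2.1 in this thread) rather than an outside address the malware may have set.
    servers = set()
    for line in sections.get("DNS", []):
        m = re.search(r"(?:DhcpNameServer=|Search Order: )(\S+)", line)
        if m:
            servers.add(m.group(1))
    if servers:
        findings.append("DNS servers in use: " + ", ".join(sorted(servers)))
    return findings


# Constructed sample report, modelled on the DELLPC report pasted in this thread.
SAMPLE_REPORT = r"""SmitFraudFix v2.388

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="zcxdcg.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» DNS

DNS Server Search Order: 192.168.2.1

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1


»»»»»»»»»»»»»»»»»»»»»»»» End
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_REPORT):
        print(finding)
```

The AppInit_DLLs finding is exactly what separates the DELLPC report from the two laptop reports in this thread; the rest of the checks come back empty on all three.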

#9 Johkr01
  • Topic Starter
  • Members
  • 10 posts

Posted 07 January 2009 - 10:57 PM

Hi again,

First, I just want to say how grateful I am for your continued help on this issue. I don't know how I would have dealt with this problem without your expert assistance. Thank you!

I ran SmitfraudFix and SDFix on all three computers. Here are the results. Please let me know what you think.

PASTED LOGS FROM DELLPC:

SmitFraudFix v2.388

Scan done at 21:36:57.08, Wed 01/07/2009
Run from C:\Downloaded Files\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\SCANJET\PrecisionScanPro\HPLamp.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Downloaded Files\SmitfraudFix\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Helen Johnson


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\HELENJ~1\LOCALS~1\Temp


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Helen Johnson\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\HELENJ~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="zcxdcg.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» RK



»»»»»»»»»»»»»»»»»»»»»»»» DNS



»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

SDFix: Version 1.240
Run by Helen Johnson on Wed 01/07/2009 at 21:55

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\sdfix

Checking Services :

Name :
TDSSserv.sys

Path :
\systemroot\system32\drivers\TDSSmqlt.sys

TDSSserv.sys - Deleted



Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\147764~1 - Deleted
C:\WINDOWS\system32\drivers\TDSSmqlt.sys - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-07 22:12:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Documents and Settings\\Helen Johnson\\Local Settings\\Temp\\nsv2.tmp\\utorrent.exe"="C:\\Documents and Settings\\Helen Johnson\\Local Settings\\Temp\\nsv2.tmp\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"="C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe:*:Disabled:CoD2MP_s"
"C:\\Program Files\\Call of Duty\\CoDMP.exe"="C:\\Program Files\\Call of Duty\\CoDMP.exe:*:Disabled:CoDMP"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Disabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Disabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Disabled:Windows Messenger"
"C:\\Program Files\\Xfire\\xfire.exe"="C:\\Program Files\\Xfire\\xfire.exe:*:Disabled:Xfire"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Disabled:Yahoo! FT Server"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Disabled:Yahoo! Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 4 Dec 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 17 Jun 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 20 Mar 2006 4,348 A..H. --- "C:\Documents and Settings\Helen Johnson\My Documents\My Music\License Backup\drmv1key.bak"
Tue 22 Aug 2006 20 A..H. --- "C:\Documents and Settings\Helen Johnson\My Documents\My Music\License Backup\drmv1lic.bak"
Fri 17 Mar 2006 312 A.SH. --- "C:\Documents and Settings\Helen Johnson\My Documents\My Music\License Backup\drmv2key.bak"
Wed 15 Mar 2006 4,348 A..H. --- "C:\Documents and Settings\Kristine Johnson\My Documents\My Music\License Backup\drmv1key.bak"
Tue 11 Apr 2006 20 A..H. --- "C:\Documents and Settings\Kristine Johnson\My Documents\My Music\License Backup\drmv1lic.bak"
Wed 7 Dec 2005 312 A.SH. --- "C:\Documents and Settings\Kristine Johnson\My Documents\My Music\License Backup\drmv2key.bak"

Finished!

PASTED LOGS FROM KJLAPTOP:

SmitFraudFix v2.388

Scan done at 21:35:58.40, Wed 01/07/2009
Run from C:\Downloaded Files\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\system32\RioMSC.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Microsoft Money 2007\MNYCoreFiles\mnybbsvc.exe
C:\Downloaded Files\SmitfraudFix\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Kristine Johnson


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\KRISTI~1\LOCALS~1\Temp


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Kristine Johnson\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\KRISTI~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» RK



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel® PRO/Wireless LAN 2100 3A Mini PCI Adapter - Packet Scheduler Miniport
DNS Server Search Order: 192.168.2.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{C236CB6E-55E6-475F-8535-FEE836E60FEF}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{C236CB6E-55E6-475F-8535-FEE836E60FEF}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{C236CB6E-55E6-475F-8535-FEE836E60FEF}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

SDFix: Version 1.240
Run by Kristine Johnson on Wed 01/07/2009 at 21:55

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\sdfix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-07 22:12:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\WINDOWS\\SYSTEM32\\ftp.exe"="C:\\WINDOWS\\SYSTEM32\\ftp.exe:*:Enabled:File Transfer Program"
"C:\\Program Files\\Ipswitch\\WS_FTP Pro\\wsftpgui.exe"="C:\\Program Files\\Ipswitch\\WS_FTP Pro\\wsftpgui.exe:*:Enabled:WS_FTP Pro Application"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\Rio\\Rio Music Manager\\riomm.exe"="C:\\Program Files\\Rio\\Rio Music Manager\\riomm.exe:*:Enabled:Rio Music Manager"
"C:\\Program Files\\Xfire\\xfire.exe"="C:\\Program Files\\Xfire\\xfire.exe:*:Enabled:Xfire"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Vongo\\VongoTray.exe"="C:\\Program Files\\Vongo\\VongoTray.exe:*:Enabled:StarzTray"
"C:\\Program Files\\Vongo\\Vongo.exe"="C:\\Program Files\\Vongo\\Vongo.exe:*:Enabled:Vongo"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :



Files with Hidden Attributes :

Wed 15 Mar 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 14 Sep 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Wed 15 Mar 2006 4,348 ...H. --- "C:\Documents and Settings\Kristine Johnson\My Documents\My Music\License Backup\drmv1key.bak"
Tue 11 Apr 2006 20 A..H. --- "C:\Documents and Settings\Kristine Johnson\My Documents\My Music\License Backup\drmv1lic.bak"
Wed 7 Dec 2005 312 A.SH. --- "C:\Documents and Settings\Kristine Johnson\My Documents\My Music\License Backup\drmv2key.bak"
Wed 11 Apr 2007 8 A..H. --- "C:\Documents and Settings\Kristine Johnson\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Wed 11 Apr 2007 8 A..H. --- "C:\Documents and Settings\Kristine Johnson\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Wed 11 Apr 2007 8 A..H. --- "C:\Documents and Settings\Kristine Johnson\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Wed 11 Apr 2007 8 A..H. --- "C:\Documents and Settings\Kristine Johnson\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
Tue 14 Aug 2007 8 A..H. --- "C:\Documents and Settings\Kristine Johnson\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u5\lock.tmp"
Tue 14 Oct 2008 0 A..H. --- "C:\Documents and Settings\Kristine Johnson\Local Settings\Application Data\SupportSoft\DellSupportCenter\Kristine Johnson\data\BITEB.tmp"
Sun 13 Jan 2008 8 A..H. --- "C:\Documents and Settings\Thomas Johnson\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Sun 13 Jan 2008 8 A..H. --- "C:\Documents and Settings\Thomas Johnson\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Sun 13 Jan 2008 8 A..H. --- "C:\Documents and Settings\Thomas Johnson\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Sun 13 Jan 2008 8 A..H. --- "C:\Documents and Settings\Thomas Johnson\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
Mon 28 May 2007 8 A..H. --- "C:\Documents and Settings\Visitor\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Mon 28 May 2007 8 A..H. --- "C:\Documents and Settings\Visitor\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Mon 28 May 2007 8 A..H. --- "C:\Documents and Settings\Visitor\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Mon 28 May 2007 8 A..H. --- "C:\Documents and Settings\Visitor\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"

Finished!

PASTED LOGS FROM TJLAPTOP:

SmitFraudFix v2.388

Scan done at 19:46:08.51, Wed 01/07/2009
Run from C:\Documents and Settings\Thomas Johnson\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Steam\steam.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Thomas Johnson\Desktop\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Thomas Johnson


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\THOMAS~1\LOCALS~1\Temp


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Thomas Johnson\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\THOMAS~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="sxquvh.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» RK



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel® PRO/Wireless 2200BG Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.3.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{6CC2DB7F-1DB5-41AB-8068-6C780AAC5126}: DhcpNameServer=192.168.3.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{6CC2DB7F-1DB5-41AB-8068-6C780AAC5126}: DhcpNameServer=192.168.3.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.3.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.3.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA

Posted 07 January 2009 - 11:17 PM

Good evening and you are most welcome. The DellPC is still infected. We will now run the Cleaning portion of SmitfraudFix. I forgot what you said the Router was. We will reset it soon. You may as well run this across the board.

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Edited by boopme, 07 January 2009 - 11:18 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#11 Johkr01

Johkr01
  • Topic Starter

  • Members
  • 10 posts

Posted 08 January 2009 - 12:40 AM

Hi,

Thanks for the quick reply. I ran the Smitfraudfix Clean function on the DellPC in Safe Mode. I didn't receive any prompt to replace wininet.dll. One interesting thing that happened while the Smitfraudfix Clean function was running is that I got the prompt that Windows is searching for files to clean up on the C: drive (as if that drive was almost full, even though I have over 100GB free space). I just canceled out of the clean up prompt - hope that isn't indicative of a problem. Anyway, the log from Smitfraudfix Clean on the Dell PC is pasted below along with the SDFix log from TJLaptop which I forgot to post earlier.

My main concern is to make sure that any infection is limited to the DellPC and that KJLaptop and TJLaptop are clean and safe to continue to use for online banking (with changed pswds of course). My router is an Embarq DSL 660 series. I also have a Belkin model F5D7230-4 wireless router. It would be great if we can clean DellPC, but I'm not opposed to completely rebuilding that machine from scratch if that's what is needed. The integrity of the other two laptops and my home network are really my prime concern.

Thanks again!

PASTED LOG FROM SDFIX ON TJLAPTOP:

SDFix: Version 1.240
Run by Thomas Johnson on Wed 01/07/2009 at 22:45

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-07 22:53:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"="C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe:*:Enabled:CoD2MP_s"
"C:\\Program Files\\Xfire\\Xfire.exe"="C:\\Program Files\\Xfire\\Xfire.exe:*:Enabled:Xfire"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\freepoundcake\\half-life 2 deathmatch\\hl2.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\freepoundcake\\half-life 2 deathmatch\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\freepoundcake\\counter-strike source\\hl2.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\freepoundcake\\counter-strike source\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Disabled:Internet Explorer"
"C:\\Program Files\\Call of Duty\\CoDMP.exe"="C:\\Program Files\\Call of Duty\\CoDMP.exe:*:Enabled:CoDMP"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1147379364\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1147379364\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1147379364\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1147379364\\ee\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"C:\\Program Files\\GameSpy Arcade\\Aphex.exe"="C:\\Program Files\\GameSpy Arcade\\Aphex.exe:*:Enabled:GameSpy Arcade"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\Lionhead Studios Ltd\\Black & White\\runblack.exe"="C:\\Program Files\\Lionhead Studios Ltd\\Black & White\\runblack.exe:*:Enabled:lh"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Documents and Settings\\Thomas Johnson\\Local Settings\\Temporary Internet Files\\Content.IE5\\81TVODJZ\\wowclient-downloader[1].exe"="C:\\Documents and Settings\\Thomas Johnson\\Local Settings\\Temporary Internet Files\\Content.IE5\\81TVODJZ\\wowclient-downloader[1].exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"="C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe:*:Enabled:S.T.A.L.K.E.R. - Shadow of Chernobyl (CLI)"
"C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"="C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe:*:Enabled:S.T.A.L.K.E.R. - Shadow of Chernobyl (SRV)"
"C:\\Program Files\\Steam\\Steam.exe"="C:\\Program Files\\Steam\\Steam.exe:*:Enabled:Steam"
"C:\\Program Files\\Steam\\steamapps\\freepoundcake\\team fortress 2\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\freepoundcake\\team fortress 2\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Steam\\steamapps\\freepoundcake\\garrysmod\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\freepoundcake\\garrysmod\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Enabled:DNA"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Documents and Settings\\Thomas Johnson\\Desktop\\utorrent.exe"="C:\\Documents and Settings\\Thomas Johnson\\Desktop\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Steam\\steamapps\\common\\trackmania nations forever\\TmForever.exe"="C:\\Program Files\\Steam\\steamapps\\common\\trackmania nations forever\\TmForever.exe:*:Enabled:TmForever"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"

Remaining Files :



Files with Hidden Attributes :

Tue 22 Apr 2008 56 ..SHR --- "C:\WINDOWS\system32\BBF75FEE75.sys"
Tue 22 Apr 2008 3,558 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Sun 5 Oct 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sat 1 Jul 2006 2,551 A..H. --- "C:\Program Files\Common Files\AOL\IPHSend\IPH.BAK"
Fri 5 Sep 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0f6f1f36b2df4a889eaaa83ca3c984a4\BIT13.tmp"
Thu 11 Sep 2008 3,954 ...HR --- "C:\Documents and Settings\Thomas Johnson\Application Data\SecuROM\UserData\securom_v7_01.bak"
Thu 7 Dec 2006 3,096,576 A..H. --- "C:\Documents and Settings\Thomas Johnson\Application Data\U3\temp\Launchpad Removal.exe"

Finished!



PASTED LOG FROM SMITFRAUDFIX CLEAN ON DELL PC:

SmitFraudFix v2.388

Scan done at 0:19:57.43, Thu 01/08/2009
Run from C:\Downloaded Files\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» RK


»»»»»»»»»»»»»»»»»»»»»»»» DNS



»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA

Posted 08 January 2009 - 07:16 PM

OK, the others look fine. Let's verify the state of DELLPC.

Open MBAM in Normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into Normal mode.

Now once more run SDFix and post that log. Thank you. You're doing great!!

Edited by boopme, 09 January 2009 - 01:43 PM.


#13 Johkr01

Johkr01
  • Topic Starter

  • Members
  • 10 posts

Posted 09 January 2009 - 06:35 AM

Good morning boopme. Got your message but I haven't had time to try it yet - will do this evening when I get home from work. In the meantime, I just noticed that in post #10 you had recommended running the cleaning portion of SmitfraudFix "across the board." I hadn't noticed this at first, so I didn't run it on either of the two laptops. Should I go ahead and do that tonight also, or are you now satisfied that the only thing we need to concentrate on now is the Dell PC? Sorry to have to ask you to repeat yourself. Thanks again for the help and have a good day!

#14 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA

Posted 09 January 2009 - 01:44 PM

I am confident that we just have the Dell to clean. So whenever you can, do SF 2.

#15 Johkr01

Johkr01
  • Topic Starter

  • Members
  • 10 posts

Posted 09 January 2009 - 10:05 PM

Hi boopme, hope you had a good day. Here are the results from the updated MBAM and SDFix scans on DellPC. I'm cautiously optimistic.... Please let me know what you think. Thanks!

RESULTS OF DELLPC MBAM AND SDFIX:

Malwarebytes' Anti-Malware 1.32
Database version: 1636
Windows 5.1.2600 Service Pack 3

1/9/2009 9:30:40 PM
mbam-log-2009-01-09 (21-30-40).txt

Scan type: Quick Scan
Objects scanned: 88986
Time elapsed: 21 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


SDFix: Version 1.240
Run by Helen Johnson on Fri 01/09/2009 at 21:44

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\sdfix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-09 21:55:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Documents and Settings\\Helen Johnson\\Local Settings\\Temp\\nsv2.tmp\\utorrent.exe"="C:\\Documents and Settings\\Helen Johnson\\Local Settings\\Temp\\nsv2.tmp\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"="C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe:*:Disabled:CoD2MP_s"
"C:\\Program Files\\Call of Duty\\CoDMP.exe"="C:\\Program Files\\Call of Duty\\CoDMP.exe:*:Disabled:CoDMP"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Disabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Disabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Disabled:Windows Messenger"
"C:\\Program Files\\Xfire\\xfire.exe"="C:\\Program Files\\Xfire\\xfire.exe:*:Disabled:Xfire"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Disabled:Yahoo! FT Server"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Disabled:Yahoo! Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :



Files with Hidden Attributes :

Tue 4 Dec 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 17 Jun 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 20 Mar 2006 4,348 A..H. --- "C:\Documents and Settings\Helen Johnson\My Documents\My Music\License Backup\drmv1key.bak"
Tue 22 Aug 2006 20 A..H. --- "C:\Documents and Settings\Helen Johnson\My Documents\My Music\License Backup\drmv1lic.bak"
Fri 17 Mar 2006 312 A.SH. --- "C:\Documents and Settings\Helen Johnson\My Documents\My Music\License Backup\drmv2key.bak"
Wed 15 Mar 2006 4,348 A..H. --- "C:\Documents and Settings\Kristine Johnson\My Documents\My Music\License Backup\drmv1key.bak"
Tue 11 Apr 2006 20 A..H. --- "C:\Documents and Settings\Kristine Johnson\My Documents\My Music\License Backup\drmv1lic.bak"
Wed 7 Dec 2005 312 A.SH. --- "C:\Documents and Settings\Kristine Johnson\My Documents\My Music\License Backup\drmv2key.bak"

Finished!
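One check a reviewer would run over the "Authorized Application Key Export" sections of the SDFix logs in this thread, as an added example that is not part of SDFix or of any post above: it parses the export and flags enabled Windows Firewall exceptions whose program lives in a Temp folder, the browser cache, a *.tmp directory, a Desktop folder, or loose in the drive root, which is where the logs here show utorrent.exe and wowclient-downloader[1].exe. The sample export is constructed, and the %windir% expansion and the location heuristics are assumptions.

```python
"""Review an SDFix 'Authorized Application Key Export' for Windows Firewall
exceptions that point at temporary or user-writable locations.
Added example; not part of SDFix or of this thread. SAMPLE_EXPORT is a
constructed sample in the same format, not the thread's own log text."""
import re
from dataclasses import dataclass, field

SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Documents and Settings\\User\\Local Settings\\Temp\\nsv2.tmp\\utorrent.exe"="C:\\Documents and Settings\\User\\Local Settings\\Temp\\nsv2.tmp\\utorrent.exe:*:Enabled:uTorrent"
"C:\\Program Files\\Xfire\\xfire.exe"="C:\\Program Files\\Xfire\\xfire.exe:*:Disabled:Xfire"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
'''

# Locations an installed application rarely runs from (a heuristic, not a verdict).
SUSPECT_FRAGMENTS = {
    "\\local settings\\temp\\": "runs from the user's Temp folder",
    "\\temporary internet files\\": "runs from the browser cache",
    "\\desktop\\": "runs from a Desktop folder",
    ".tmp\\": "lives inside a *.tmp directory",
}
HEADER_RE = re.compile(
    r"^\[.*\\firewallpolicy\\(\w+)\\authorizedapplications\\list\]$", re.I)
ENTRY_RE = re.compile(r'^"(.*)"="(.*)"$')


@dataclass
class FirewallEntry:
    profile: str          # standardprofile or domainprofile
    path: str             # executable path with registry escaping undone
    scope: str            # '*' means any remote address
    enabled: bool
    name: str             # display name shown in the firewall UI
    reasons: list = field(default_factory=list)


def parse_export(text, windir="C:\\WINDOWS"):
    """Parse the export into FirewallEntry objects (windir expansion is assumed)."""
    entries, profile = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            profile = header.group(1).lower()
            continue
        entry = ENTRY_RE.match(line)
        if not entry or profile is None:
            continue
        key, value = entry.group(1), entry.group(2)
        # The value repeats the key, then ':scope:state:display name'.
        if not value.startswith(key + ":"):
            continue
        parts = value[len(key) + 1:].split(":", 2)
        if len(parts) != 3:
            continue
        scope, state, name = parts
        path = key.replace("\\\\", "\\").replace("%windir%", windir)
        entries.append(FirewallEntry(profile, path, scope,
                                     state.lower() == "enabled", name))
    return entries


def flag_entry(entry):
    """Attach a reason for each unusual location the executable lives in."""
    low = entry.path.lower()
    entry.reasons = [why for frag, why in SUSPECT_FRAGMENTS.items() if frag in low]
    # A loose file directly under the drive root (C:\foo.exe) is unusual too.
    if re.fullmatch(r"[a-z]:\\[^\\]+", low):
        entry.reasons.append("sits directly in the drive root")
    return entry


def suspicious_entries(text):
    """Enabled exceptions worth a second look; disabled ones allow no traffic."""
    return [e for e in parse_export(text) if e.enabled and flag_entry(e).reasons]


if __name__ == "__main__":
    for e in suspicious_entries(SAMPLE_EXPORT):
        print(f"[{e.profile}] {e.path} ({e.name}): {'; '.join(e.reasons)}")
```

A flagged entry is not proof of infection; it marks an exception to look up by hand, which is what the helper in this thread does with each log.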



