
Antivirus 360/Virtumundo Infection


  • This topic is locked
5 replies to this topic

#1 AuctionHugh
Posted 20 February 2009 - 03:25 PM

My wife was the victim of a drive by download at an (obviously) infected geocities website.

She began getting Antivirus 360 popups.

I ran a full Trend Micro (paid version) scan, and it found nothing.

I tried running housecall.antivirus.com and the program would not load with a "no java" error, and I knew she was in trouble.

I found this thread: http://www.bleepingcomputer.com/forums/ind...p;#entry1144894 and followed the steps.

Malwarebytes found some stuff including virtumundo and cleaned it all up. I ran it again and it found nothing. Original log below.

In safe mode I ran ATFCleaner on both regular and firefox modes.

I then ran SuperAntiSpyware in safe mode as instructed. All it found was some cookies, log posted.

The weird thing is, I still can't run the cleaner at housecall.antivirus.com and this makes me think I am still infected.

Also her laptop fan is running all the time and process explorer shows WMIprvSE.exe sucking down CPU, which is not running on my identical laptop/setup. Process Explorer cannot end this task.

What would I do to find out if I AM infected still and how might I deal with it?

Thank you!


____________________________________________________
Malwarebytes' Anti-Malware 1.34
Database version: 1780
Windows 6.0.6001 Service Pack 1

2/20/2009 12:19:45 PM
mbam-log-2009-02-20 (12-19-45).txt

Scan type: Quick Scan
Objects scanned: 63275
Time elapsed: 4 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 25
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
_________________________________________________________

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/20/2009 at 02:20 PM

Application Version : 4.25.1012

Core Rules Database Version : 3768
Trace Rules Database Version: 1728

Scan type : Complete Scan
Total Scan Time : 00:29:02

Memory items scanned : 276
Memory threats detected : 0
Registry items scanned : 6984
Registry threats detected : 0
File items scanned : 29690
File threats detected : 280

Adware.Tracking Cookie
C:\Users\Kathleen\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathleen@doorcounty[2].txt
C:\Users\Kathleen\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathleen@sales.liveperson[1].txt
C:\Users\Kathleen\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathleen@sales.liveperson[5].txt
C:\Users\Kathleen\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathleen@ad.turn[1].txt
C:\Users\Kathleen\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathleen@cbs.112.2o7[1].txt
C:\Users\Kathleen\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathleen@adbrite[2].txt
C:\Users\Kathleen\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathleen@partner2profit[1].txt

__________________________

DDS (Ver_09-02-01.01) - NTFSx86
Run by Kathleen at 18:27:48.67 on Fri 02/20/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_11
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3069.1832 [GMT -5:00]

AV: Trend Micro Internet Security *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_238116a1\STacSV.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_238116a1\aestsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Pure Digital Technologies\FlipShare\FlipShareService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\dllhost.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Norton Ghost\Agent\VProTray.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Karen's Power Tools\Replicator\PTReplicator.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Windows\system32\dllhost.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\msdtc.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser.exe
C:\Users\Kathleen\Desktop\Stuff for H\procexp.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\System32\notepad.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10a.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Kathleen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JHY37319\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/
uWindow Title = Internet Explorer provided by Dell
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3080811
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [Norton Ghost 14.0] "c:\program files\norton ghost\agent\VProTray.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: []
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
StartupFolder: c:\users\kathleen\appdata\roaming\micros~1\windows\startm~1\programs\startup\karen'~1.lnk - c:\program files\karen's power tools\replicator\PTReplicator.exe
StartupFolder: c:\users\kathleen\appdata\roaming\micros~1\windows\startm~1\programs\startup\kallen~1\target.lnk - k:\
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
Trusted Zone: youtube.com\www
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\kathleen\appdata\roaming\mozilla\firefox\profiles\c47wjabq.default\
FF - prefs.js: browser.startup.homepage - hxxp://mail.yahoo.com/
FF - plugin: c:\program files\photosynth\npPhotosynthMozilla.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\users\kathleen\appdata\roaming\mozilla\firefox\profiles\c47wjabq.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\system32\drivers\tmlwf.sys [2008-3-25 142352]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_238116a1\AEstSrv.exe [2008-8-11 73728]
R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-4-28 161048]
R2 FlipShare Service;FlipShare Service;c:\program files\pure digital technologies\flipshare\FlipShareService.exe [2008-11-13 439616]
R2 SSPORT;SSPORT;c:\windows\system32\drivers\SSPORT.SYS [2008-8-23 5120]
R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [2006-11-2 7168]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2008-3-25 52240]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-3-25 36368]
R2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\system32\drivers\tmwfp.sys [2008-3-25 234512]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-8-21 24652]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2008-8-10 29736]
R3 itecir;ITECIR Infrared Receiver;c:\windows\system32\drivers\itecir.sys [2008-8-11 54784]
R3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\k57nd60x.sys [2008-8-11 203264]
R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\drivers\OA001Ufd.sys [2008-11-26 133472]
R3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\drivers\OA001Vid.sys [2008-12-26 279488]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
R3 SymSnapService;SymSnapService;c:\program files\norton ghost\shared\drivers\SymSnapService.exe [2007-12-20 1558000]
R3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2008-8-16 488768]
R3 tmproxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2008-8-16 648456]
S3 IdcPHid;IdeaCom HID Touch Screen Driver (PS/2);c:\windows\system32\drivers\idcphid.sys [2008-12-11 16256]

=============== Created Last 30 ================

2009-02-20 13:39 --d----- c:\programdata\SUPERAntiSpyware.com
2009-02-20 13:39 --d----- c:\progra~2\SUPERAntiSpyware.com
2009-02-20 13:38 --d----- c:\users\kathleen\appdata\roaming\SUPERAntiSpyware.com
2009-02-20 13:38 --d----- c:\program files\SUPERAntiSpyware
2009-02-20 13:37 --d----- c:\program files\common files\Wise Installation Wizard
2009-02-20 12:05 --d----- c:\users\kathleen\appdata\roaming\Malwarebytes
2009-02-20 12:05 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-20 12:05 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-20 12:05 --d----- c:\programdata\Malwarebytes
2009-02-20 12:05 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-20 12:05 --d----- c:\progra~2\Malwarebytes
2009-02-20 09:36 --d----- c:\users\kathleen\.housecall6.6
2009-02-16 09:56 428,544 a------- c:\windows\system32\EncDec.dll
2009-02-16 09:56 217,088 a------- c:\windows\system32\psisrndr.ax
2009-02-16 09:56 293,376 a------- c:\windows\system32\psisdecd.dll
2009-02-16 09:56 177,664 a------- c:\windows\system32\mpg2splt.ax
2009-02-16 09:56 80,896 a------- c:\windows\system32\MSNP.ax
2009-02-11 09:52 827,392 a------- c:\windows\system32\wininet.dll
2009-02-11 09:52 1,383,424 a------- c:\windows\system32\mshtml.tlb

==================== Find3M ====================

2009-01-22 09:34 143,360 a------- c:\windows\inf\infstrng.dat
2009-01-22 09:34 51,200 a------- c:\windows\inf\infpub.dat
2009-01-14 09:55 86,016 a------- c:\windows\inf\infstor.dat
2008-12-29 11:02 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-26 17:05 279,488 a------- c:\windows\system32\drivers\OA001Vid.sys
2008-12-25 21:05 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2008-08-20 12:03 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-20 21:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-08-10 23:23 76 ---shr-- c:\windows\CT4CET.bin

============= FINISH: 18:28:29.59 ===============

Edited by AuctionHugh, 20 February 2009 - 06:32 PM.


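Two things in the DDS log above are worth a systematic look rather than an eyeball pass: the Pseudo HJT Report, which lists the auto-start and injection points (BHOs, Run keys, Winlogon Notify, AppInit_DLLs, ShellExecuteHooks, Trusted Zone), and the Running Processes list, which is where the WmiPrvSE.exe question can be partly answered from the log alone. Both instances in the log run from C:\Windows\system32\wbem\, the directory the genuine WMI provider host lives in, and WMI starting more than one provider host (one per security context) is normal; the log cannot show the file's digital signature or its parent process, so the on-host check is Process Explorer's Verify column (Options > Verify Image Signatures) and a parent of svchost.exe -k DcomLaunch. "Access denied" when ending it is expected for a service-context process from a non-elevated Process Explorer on Vista. The script below is an added example written for this thread, not part of DDS, ComboFix or any BleepingComputer tool; its mapping of DDS prefixes to registry locations follows the HijackThis convention and is an assumption, and the sample lines are excerpted from the log posted above.

```python
"""Triage a DDS 'Pseudo HJT Report' and 'Running Processes' list.

Added example for this thread, not part of DDS, ComboFix or any
BleepingComputer tool. The prefix-to-location table is an assumption
based on the HijackThis/DDS convention; sample lines come from the log above."""
import re
from dataclasses import dataclass

# DDS prefixes for auto-start and injection points (assumed mapping).
PERSISTENCE = {
    "BHO": "Browser Helper Object: DLL loaded into every IE process",
    "TB": "IE toolbar DLL",
    "uRun": r"HKCU\...\Run: starts at this user's logon",
    "mRun": r"HKLM\...\Run: starts for every user",
    "StartupFolder": "Startup-folder shortcut",
    "Notify": "Winlogon Notify package: DLL loaded by winlogon.exe",
    "AppInit_DLLs": "DLL loaded into every process that loads user32.dll",
    "SEH": "ShellExecuteHook: DLL loaded into Explorer",
    "DPF": "Downloaded Program Files (ActiveX) entry",
    "Trusted Zone": "site in IE's Trusted zone (relaxed security)",
}
# System-wide injection points and zone changes: always confirm the vendor.
ALWAYS_REVIEW = {"AppInit_DLLs", "Notify", "SEH", "Trusted Zone"}
# Where a Run command is expected to live on this Vista box (assumption).
TRUSTED_DIRS = ("c:\\program files", "c:\\progra~", "c:\\windows", "%programfiles%")
EXE_RE = re.compile(r'"?((?:[a-z]:|%[a-z]+%)\\[^"]+?\.exe)', re.I)
WMIPRVSE_DIRS = ("c:\\windows\\system32\\wbem\\", "c:\\windows\\syswow64\\wbem\\")


@dataclass
class Finding:
    kind: str
    entry: str
    reason: str


def triage_hjt(lines):
    """Return a Finding for every Pseudo-HJT line an analyst should review."""
    findings = []
    for raw in lines:
        prefix, sep, rest = raw.strip().partition(":")
        prefix, rest = prefix.strip(), rest.strip()
        if not sep or prefix not in PERSISTENCE:
            continue
        if rest.endswith("- No File"):
            # CLSID still registered but the DLL is gone: a removal leftover.
            findings.append(Finding(prefix, rest, "registered, but file missing (orphan)"))
        elif prefix in ALWAYS_REVIEW:
            findings.append(Finding(prefix, rest, PERSISTENCE[prefix] + "; confirm the vendor"))
        elif prefix in ("uRun", "mRun"):
            m = EXE_RE.search(rest)
            if not m:
                findings.append(Finding(prefix, rest, "empty or unparseable command"))
            elif not m.group(1).lower().startswith(TRUSTED_DIRS):
                findings.append(Finding(prefix, rest, "runs from an unusual directory"))
    return findings


def check_wmiprvse(process_lines):
    """Return (instance count, instances outside the wbem directory).

    Several WmiPrvSE.exe instances are normal (one provider host per security
    context); a copy running from any other directory is what would be odd."""
    paths = [p.strip().lower() for p in process_lines]
    instances = [p for p in paths if p.endswith("\\wmiprvse.exe")]
    return len(instances), [p for p in instances if not p.startswith(WMIPRVSE_DIRS)]


def user_profile_executables(process_lines):
    """Executables running from a user profile, temp dir or browser cache.

    Deliberately noisy: on the log above it catches the poster's own procexp.exe
    and the dds[1].scr that produced the log, false positives dismissed by hand."""
    markers = ("\\users\\", "\\temp\\", "temporary internet files")
    return [p.strip() for p in process_lines if any(m in p.lower() for m in markers)]


# Excerpts from the DDS log in this thread.
SAMPLE_HJT = [
    r"BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File",
    r"BHO: NoExplorer - No File",
    r"BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll",
    r"mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide",
    r"mRun: []",
    r"Trusted Zone: youtube.com\www",
    r"Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll",
    r"AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL",
    r"SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL",
]
SAMPLE_PROCS = [
    r"C:\Windows\system32\wbem\wmiprvse.exe",
    r"C:\Windows\system32\wbem\wmiprvse.exe",
    r"C:\Users\Kathleen\Desktop\Stuff for H\procexp.exe",
    r"C:\Users\Kathleen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JHY37319\dds[1].scr",
]

if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT):
        print(f"[{f.kind}] {f.entry}\n    -> {f.reason}")
    print("WmiPrvSE.exe (count, off-path):", check_wmiprvse(SAMPLE_PROCS))
    print("From user profile:", user_profile_executables(SAMPLE_PROCS))
```

Run against the log above it flags the two orphaned BHO entries (a CLSID still registered with no DLL behind it, the usual footprint of a removed Vundo/Virtumundo component), the empty mRun value, the youtube.com Trusted Zone entry, and the three system-wide injection points (SuperAntiSpyware's Winlogon Notify and ShellExecuteHook DLLs, and Google Desktop's AppInit_DLLs entry), all of which are legitimate here but are exactly the slots malware prefers. Anything it flags still has to be confirmed on the host by file signature and vendor; the log alone cannot do that.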

#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,640 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:11:16 PM

Posted 21 February 2009 - 10:02 AM

Please visit the following link and use the instructions there to post a ComboFix log as a reply to this topic:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

After running ComboFix, please post the ComboFix log as a reply to this

#3 AuctionHugh

AuctionHugh
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Michigan USA
  • Local time:11:16 PM

Posted 24 February 2009 - 09:17 AM

ComboFix log below. Print screen of Process Explorer showing two instances of WmiPrvSE.exe running too - which is not running on my identical computer. May be nothing but I am suspicious and can't end the process (access denied).
________________________________________________________________________________________
ComboFix 09-02-21.01 - Kathleen 2009-02-24 8:48:41.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3069.1920 [GMT -5:00]
Running from: c:\users\Kathleen\Desktop\ComboFix.exe
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-01-24 to 2009-02-24 )))))))))))))))))))))))))))))))
.

2009-02-20 13:39 . 2009-02-20 13:39 <DIR> d-------- c:\users\All Users\SUPERAntiSpyware.com
2009-02-20 13:39 . 2009-02-20 13:39 <DIR> d-------- c:\programdata\SUPERAntiSpyware.com
2009-02-20 13:38 . 2009-02-20 13:38 <DIR> d-------- c:\users\Kathleen\AppData\Roaming\SUPERAntiSpyware.com
2009-02-20 13:38 . 2009-02-20 13:38 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-02-20 13:37 . 2009-02-20 13:37 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-02-20 12:05 . 2009-02-20 12:05 <DIR> d-------- c:\users\Kathleen\AppData\Roaming\Malwarebytes
2009-02-20 12:05 . 2009-02-20 12:05 <DIR> d-------- c:\users\All Users\Malwarebytes
2009-02-20 12:05 . 2009-02-20 12:05 <DIR> d-------- c:\programdata\Malwarebytes
2009-02-20 12:05 . 2009-02-20 12:05 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-20 12:05 . 2009-02-11 10:19 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2009-02-20 12:05 . 2009-02-11 10:19 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2009-02-20 10:48 . 2009-02-20 10:48 <DIR> d-------- c:\windows\Sun
2009-02-20 09:36 . 2009-02-20 10:11 <DIR> d-------- c:\users\Kathleen\.housecall6.6
2009-02-16 09:56 . 2008-12-04 23:32 428,544 --a------ c:\windows\System32\EncDec.dll
2009-02-16 09:56 . 2008-12-04 23:32 293,376 --a------ c:\windows\System32\psisdecd.dll
2009-02-16 09:56 . 2008-12-04 23:31 217,088 --a------ c:\windows\System32\psisrndr.ax
2009-02-16 09:56 . 2008-12-04 23:31 177,664 --a------ c:\windows\System32\mpg2splt.ax
2009-02-16 09:56 . 2008-12-04 23:31 80,896 --a------ c:\windows\System32\MSNP.ax
2009-02-11 09:52 . 2009-01-14 22:36 1,383,424 --a------ c:\windows\System32\mshtml.tlb
2009-02-11 09:52 . 2009-01-15 01:11 827,392 --a------ c:\windows\System32\wininet.dll
2009-02-04 11:36 . 2009-02-04 11:36 <DIR> d-------- c:\users\Kathleen\AppData\Roaming\CyberLink

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-12 15:09 --------- d-----w c:\programdata\Microsoft Help
2009-02-12 15:09 --------- d-----w c:\program files\Windows Mail
2009-02-04 17:44 --------- d-----w c:\program files\QuickTime
2009-02-04 17:43 --------- d-----w c:\program files\Common Files\Apple
2009-01-14 15:26 --------- d-----w c:\programdata\AppData
2009-01-08 16:35 --------- d-----w c:\programdata\Pure Digital Technologies
2009-01-08 16:35 --------- d-----w c:\program files\Pure Digital Technologies
2009-01-06 18:21 --------- d-----w c:\program files\Google
2008-12-31 03:08 --------- d-----w c:\programdata\Office Genuine Advantage
2008-12-29 16:02 410,984 ----a-w c:\windows\System32\deploytk.dll
2008-12-29 16:02 --------- d-----w c:\program files\Java
2008-12-26 22:05 279,488 ----a-w c:\windows\system32\drivers\OA001Vid.sys
2008-12-26 02:05 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2008-12-26 02:03 --------- d-----w c:\program files\Microsoft IntelliPoint
2008-01-21 02:43 174 --sha-w c:\program files\desktop.ini
2008-08-11 04:23 76 --sh--r c:\windows\CT4CET.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-10 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-15 1830128]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-20 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-03-13 163840]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-06-25 442467]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-03-11 3563520]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-08-10 29744]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-09-22 1398024]
"Norton Ghost 14.0"="c:\program files\Norton Ghost\Agent\VProTray.exe" [2008-05-07 2245984]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"Adobe_ID0EYTHM"="c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 1884160]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-29 136600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]

c:\users\Kathleen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Karen's Replicator.lnk - c:\program files\Karen's Power Tools\Replicator\PTReplicator.exe [2008-04-14 1017328]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-02-08 752168]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-05-02 1211472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-08-10 23:27 10536 c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3IV2"= 3ivxVfWCodec.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^SmartCapture.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\SmartCapture.lnk
backup=c:\windows\pss\SmartCapture.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Kathleen^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Dell Dock.lnk]
path=c:\users\Kathleen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk
backup=c:\windows\pss\Dell Dock.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell Webcam Central]
--------- 2008-02-19 10:43 438403 c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
--a------ 2008-03-11 12:44 16384 c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2009-01-05 16:18 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AutoUpdateDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{9860CBA0-9179-4C3A-9400-9AE200F94E38}"= c:\program files\Dell\MediaDirect\MediaDirect.exe:Dell MediaDirect
"{A04FC2CD-A239-4F35-B771-3977DD5B0322}"= c:\program files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{E9A3970D-7CB9-4758-8B6C-F7EB4F7A9001}"= c:\program files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{DAC0AB7C-ADF4-456F-81AB-E1B2F9B4C2DF}"= c:\program files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{AB2AE455-E38F-4F82-84B7-FB19562FE2CB}"= UDP:c:\program files\Dell Video Chat\DellVideoChat.exe:SightSpeed
"{1D07DE97-F081-4133-BEFE-B4115C510993}"= TCP:c:\program files\Dell Video Chat\DellVideoChat.exe:SightSpeed
"{C41AC1E2-7D3D-4D66-A2D7-9AAB17673904}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{A179C938-2535-4EAC-9320-5C8AC43DFFE4}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{6F9165C5-4C60-4723-B579-FFCCC060E0A8}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{C8D14F5A-B684-4670-A6AE-B6FCDB071E4F}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{973789D8-E58E-417E-B6D3-DB18FC7E4C6D}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"{AC273AE5-A8A9-493A-8699-393A20409DDC}"= UDP:3703:Adobe Version Cue CS3 Server
"{537CF207-1940-49C6-AD7C-0E599346E8D9}"= UDP:3704:Adobe Version Cue CS3 Server
"{F4696801-19DF-422E-B9DD-C339DF24C4B5}"= UDP:50900:Adobe Version Cue CS3 Server
"{A68FA3BF-0EE5-42AB-A7AE-E9E4C82FC7AE}"= UDP:50901:Adobe Version Cue CS3 Server
"{AF0AD822-54BB-4093-AD45-0D53DF221F5E}"= UDP:c:\program files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe:Adobe Version Cue CS3 Server
"{B167072E-7E61-426E-A305-5D88ECB4BBD3}"= TCP:c:\program files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe:Adobe Version Cue CS3 Server
"TCP Query User{8B2D8385-CE26-436A-891C-6BAB3BD6A1B6}c:\\program files\\dell video chat\\dellvideochat.exe"= UDP:c:\program files\dell video chat\dellvideochat.exe:Dell Video Chat by SightSpeed
"UDP Query User{27D09491-1A21-429B-B4C6-C80E84C00F36}c:\\program files\\dell video chat\\dellvideochat.exe"= TCP:c:\program files\dell video chat\dellvideochat.exe:Dell Video Chat by SightSpeed
"TCP Query User{221D5A84-1D24-48BF-B22F-64FCEC3A8479}c:\\program files\\aim6\\aim6.exe"= UDP:c:\program files\aim6\aim6.exe:AIM
"UDP Query User{114A4E41-4C54-42AC-9BAF-285F1BEE24F0}c:\\program files\\aim6\\aim6.exe"= TCP:c:\program files\aim6\aim6.exe:AIM
"{B0C7B589-5BC5-41C5-8690-26FCD251B19D}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{9BC64E71-AD6C-460E-8D45-0EB779222D44}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{19FBEA6F-6943-41DA-AFD3-0D3F5EF5A0D3}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{19CA8886-3406-4BDE-A359-C88D9ABD286B}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{9B95BF17-56C7-4E88-808A-2747B4CFF2D5}c:\\program files\\adobe\\adobe dreamweaver cs3\\dreamweaver.exe"= UDP:c:\program files\adobe\adobe dreamweaver cs3\dreamweaver.exe:Adobe Dreamweaver CS3
"UDP Query User{CFEE384D-E9D3-41A1-B083-333BC73BC509}c:\\program files\\adobe\\adobe dreamweaver cs3\\dreamweaver.exe"= TCP:c:\program files\adobe\adobe dreamweaver cs3\dreamweaver.exe:Adobe Dreamweaver CS3
"TCP Query User{EE918651-A45E-434A-89EF-F3AB922C5539}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{54FF6905-1A9C-4C6C-AD02-B734D6682C89}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\System32\drivers\tmlwf.sys [2008-03-25 142352]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_238116a1\AEstSrv.exe [2008-08-11 73728]
R2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-04-28 161048]
R2 FlipShare Service;FlipShare Service;c:\program files\Pure Digital Technologies\FlipShare\FlipShareService.exe [2008-11-13 439616]
R2 SSPORT;SSPORT;c:\windows\System32\drivers\SSPORT.SYS [2008-08-23 5120]
R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\System32\dllhost.exe [2006-11-02 7168]
R2 tmevtmgr;tmevtmgr;c:\windows\System32\drivers\tmevtmgr.sys [2008-03-25 52240]
R2 tmpreflt;tmpreflt;c:\windows\System32\drivers\tmpreflt.sys [2008-03-25 36368]
R2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\System32\drivers\tmwfp.sys [2008-03-25 234512]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-08-21 24652]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\System32\drivers\btwl2cap.sys [2008-08-10 29736]
R3 itecir;ITECIR Infrared Receiver;c:\windows\System32\drivers\itecir.sys [2008-08-11 54784]
R3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\k57nd60x.sys [2008-08-11 203264]
R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\System32\drivers\OA001Ufd.sys [2008-11-26 133472]
R3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\System32\drivers\OA001Vid.sys [2008-12-26 279488]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
R3 SymSnapService;SymSnapService;c:\program files\Norton Ghost\Shared\Drivers\SymSnapService.exe [2007-12-20 1558000]
R3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2008-08-16 488768]
R3 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2008-08-16 648456]
S3 IdcPHid;IdeaCom HID Touch Screen Driver (PS/2);c:\windows\System32\drivers\idcphid.sys [2008-12-11 16256]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{04d1834a-c204-11dd-88d0-001644fdcf47}]
\shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{be958a82-7522-11dd-9758-0021707a8e9f}]
\shell\AutoRun\command - F:\Setup_FlipShare.exe
\shell\Setup FlipShare\command - F:\Setup_FlipShare.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-24 c:\windows\Tasks\User_Feed_Synchronization-{0C95D84B-3488-4DF2-970A-3A00D90BA793}.job
- c:\windows\system32\msfeedssync.exe [2008-01-20 21:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: youtube.com\www
FF - ProfilePath - c:\users\Kathleen\AppData\Roaming\Mozilla\Firefox\Profiles\c47wjabq.default\
FF - prefs.js: browser.startup.homepage - hxxp://mail.yahoo.com/
FF - plugin: c:\program files\Photosynth\npPhotosynthMozilla.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\users\Kathleen\AppData\Roaming\Mozilla\Firefox\Profiles\c47wjabq.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-24 08:52:14
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3452)
c:\windows\system32\btmmhook.dll
.
Completion time: 2009-02-24 8:54:26
ComboFix-quarantined-files.txt 2009-02-24 13:54:20

Pre-Run: 222,526,287,872 bytes free
Post-Run: 222,670,938,112 bytes free

218 --- E O F --- 2009-02-17 12:38:42

===================


#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,640 posts
  • ONLINE
  • Gender:Male
  • Location:USA
  • Local time:11:16 PM

Posted 24 February 2009 - 10:19 AM

Not seeing anything here.

Do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available, otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases
  • Click OK.
  • Now under Select a target to scan, select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, it will display if your system has been infected.
    • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please post the Kaspersky report together with a fresh HijackThis log for review.

#5 AuctionHugh

AuctionHugh
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Gender:Male
  • Location:Michigan USA
  • Local time:11:16 PM

Posted 02 March 2009 - 11:11 AM

I did these scans and everything came up clean. The computer is running fine so I consider the issue closed for now. Thank you again for your excellent assistance!

#6 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,640 posts
  • ONLINE
  • Gender:Male
  • Location:USA
  • Local time:11:16 PM

Posted 02 March 2009 - 11:12 AM

You're welcome. I am closing this topic.



