Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

TROJ_FAKEAV.BAN


  • This topic is locked This topic is locked
3 replies to this topic

#1 dawn48137

dawn48137

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:03:18 PM

Posted 28 April 2009 - 02:20 PM

There was a microsoft windows warning that popped up on my desktop taskbar that said I need upgrading. Sorry, I forgot exactly word for word, but I downloaded this file and it ended up being a false advertisement for this "Personal Antivirus". It added a yellow shield icon to my desktop taskbar that has a message constantly popping up which reads;
"Critical System Warning!
Your system is infected with version Trojan.Win32.Agent.azsy. This malicious program is a trojan. It is a Windows PE EXE. Once launched, the trojan copies its body to the current user's Windows startup directory and attempts to steal passwords from Int"

There is also another small warning, then a bigger one that pops up giving me options to scan , etc. Also, when I log onto the internet this advertising page in red tries to pop up over everything. Also, when I click on start, then control panel, my desktop icons disapear along with my taskbar and the only thing I can do is to actually unplug my computer, and restart.

I got this after having the virus TROJ_VUNDO.ANL, so I don't know if maybe that's why there was that microsoft warning in which I was fooled by. My microtrend internet security could not quarantine/clean this past Trojan, and I was unable to manually delete it (This already existing virus, TROJ_VUNDO.ANL that is). So my securtiy reffered me to this site. I have no idea what file this virus-TROJ_FAKEAV.BAN- is located. Any help would be so much appreciated!! Thanks a bunch!! Included are my dds.text log, the highjackthis log, and attached is the attach.txt log. Thank you for your time and efforts!!


DDS (Ver_09-03-16.01) - NTFSx86 NETWORK
Run by Dawn and Mike at 15:05:49.45 on Tue 04/28/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.653 [GMT -4:00]

AV: Trend Micro PC-cillin Internet Security *On-access scanning disabled* (Updated)
FW: Trend Micro PC-cillin Internet Security (Firewall) *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Works\MSWorks.exe
C:\Program Files\Microsoft Works\WkDStore.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Documents and Settings\Dawn and Mike\Local Settings\Temporary Internet Files\Content.IE5\HL7VP9W4\dds[1].scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://us.mc558.mail.yahoo.com/mc/showFolder?fid=Inbox&.rand=632552348&da=0
uSearch Page = hxxp://www.google.com
uWindow Title = Windows Internet Explorer provided by MySpace
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Page_URL = hxxp://www.myspace.com/
mStart Page = hxxp://www.myspace.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: N/A: {00a6faf6-072e-44cf-8957-5838f569a31d} - c:\program files\mywebsearch\bar\1.bin\MWSSRCAS.DLL
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: {003edc54-4093-4fec-8653-b12c51713c6a} - c:\windows\system32\qieqwven.dll
BHO: {0075027a-ec38-4a36-b794-d04f499718d5} - c:\windows\system32\qieqwven.dll
BHO: {007db8a9-4093-4fec-8653-b12c51713c6a} - c:\windows\system32\qieqwven.dll
BHO: MyWebSearch Search Assistant BHO: {00a6faf1-072e-44cf-8957-5838f569a31d} - c:\program files\mywebsearch\bar\1.bin\MWSSRCAS.DLL
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: mwsBar BHO: {07b18ea1-a523-4961-b6bb-170de4475cca} - c:\program files\mywebsearch\bar\1.bin\MWSBAR.DLL
BHO: &Helper: {2e59498d-7e44-4452-9044-0973b080b9e8} - c:\windows\system32\wincontrol.dll
BHO: Surf Canyon Search Engine Assistant: {5ab7104a-b71f-49ad-9154-f7f8806ae848} - c:\program files\surf canyon\surfcanyon.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: BHO: {abd45510-9b22-41cd-9acd-8182a2da7c63} - c:\windows\system32\iehelper.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Browser Helper Object: {afd4ad01-58c1-47db-a404-fbe00a6c5486} - c:\program files\common\helper.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: : {f2e8e020-f91e-4a63-a75c-db28df616730} - c:\windows\system32\goqythk.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers client for internet explorer\YontooIEClient.dll
TB: My Web Search: {07b18ea9-a523-4961-b6bb-170de4475cca} - c:\program files\mywebsearch\bar\1.bin\MWSBAR.DLL
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [OE_OEM] "c:\program files\trend micro\internet security 12\tmas_oe\TMAS_OEMon.exe"
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [MyWebSearch Email Plugin] c:\progra~1\mywebs~1\bar\1.bin\mwsoemon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [autochk] rundll32.exe c:\docume~1\networ~1\protect.dll,_IWMPEvents@16
uRun: [AdwareAlert] c:\program files\adwarealert\AdwareAlert.exe -boot
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [pccguide.exe] "c:\program files\trend micro\internet security 12\pccguide.exe"
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [BuildBU] c:\dell\bldbubg.exe
mRun: [DLCICATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCItime.dll,_RunDLLEntry@16
mRun: [dlcimon.exe] "c:\program files\dell aio printer 946\dlcimon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [MyWebSearch Plugin] rundll32 c:\progra~1\mywebs~1\bar\1.bin\M3PLUGIN.DLL,UPF
mRun: [My Web Search Bar Search Scope Monitor] "c:\progra~1\mywebs~1\bar\1.bin\m3SrchMn.exe" /m=2 /w
mRun: [MyWebSearch Email Plugin] c:\progra~1\mywebs~1\bar\1.bin\mwsoemon.exe
mRun: [NapsterShell] c:\program files\napster\napster.exe /systray
mRun: [autochk] rundll32.exe c:\windows\system32\autochk.dll,_IWMPEvents@16
mRun: [PAV] c:\program files\pav\pav.exe
StartupFolder: c:\documents and settings\dawn and mike\start menu\programs\startup\ChkDisk.dll
StartupFolder: c:\docume~1\dawnan~1\startm~1\programs\startup\chkdisk.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZKxdm011RUUS
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: musicmatch.com\online
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/WebfettiInitialSetup1.0.1.1.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1226724229703
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Filter: text/html - {6345143a-d42e-47bf-ab2b-33fddad0e8cf} - c:\windows\system32\dsound3dd.dll
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: yersrwuh - goqythk.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R0 snrconfn;snrconfn;c:\windows\system32\drivers\snrconfn.sys [2005-8-16 23424]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S2 MyWebSearchService;My Web Search Service;c:\progra~1\mywebs~1\bar\1.bin\mwssvc.exe [2009-3-21 28762]
S2 styikbjg;Software Bus Support;c:\windows\system32\svchost.exe -k netsvcs [2005-8-16 14336]
S2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [2005-8-30 205328]
S2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2005-8-30 290889]
S2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2005-8-30 585792]
S2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2005-8-30 36368]
S2 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe [2005-8-30 262215]
S3 dlci_device;dlci_device;c:\windows\system32\dlcicoms.exe -service --> c:\windows\system32\dlcicoms.exe -service [?]

=============== Created Last 30 ================

2009-04-27 21:09 <DIR> --d----- c:\docume~1\dawnan~1\applic~1\zjxenwne
2009-04-27 00:33 373,760 a------- c:\windows\system32\wincontrol.dll
2009-04-27 00:32 <DIR> --d----- c:\program files\common files\Uninstall
2009-04-27 00:32 <DIR> --d----- c:\program files\PAV
2009-04-25 19:28 <DIR> --d----- c:\docume~1\dawnan~1\applic~1\AdwareAlert
2009-04-25 19:28 <DIR> --d----- c:\program files\AdwareAlert
2009-04-23 23:27 <DIR> --d----- c:\docume~1\dawnan~1\applic~1\Desktopicon
2009-04-23 23:27 <DIR> --d----- c:\program files\Unlocker
2009-04-23 01:35 24,064 a--sh--- c:\documents and settings\dawn and mike\protect.dll
2009-04-23 01:35 24,064 a--sh--- c:\windows\system32\autochk.dll
2009-04-23 01:35 <DIR> --dsh--- c:\windows\system32\lowsec
2009-04-22 15:31 314,880 a--sh--- C:\ehthumbs.db
2009-04-17 19:08 <DIR> --d----- c:\docume~1\dawnan~1\applic~1\Windows Search
2009-04-16 22:53 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-04-16 22:53 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-04-16 22:53 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-04-16 22:53 35,328 -------- c:\windows\system32\dllcache\sc.exe
2009-04-16 22:53 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-04-16 22:53 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 22:53 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 22:53 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 22:53 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-04-16 22:53 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-04-16 22:52 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 22:52 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-04-16 22:52 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-04 00:48 <DIR> --d----- c:\docume~1\dawnan~1\applic~1\WildTangent
2009-04-04 00:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\WildTangent

==================== Find3M ====================

2009-04-19 19:30 1,138 a------- c:\docume~1\dawnan~1\applic~1\wklnhst.dat
2009-03-21 23:59 28,672 a------- c:\windows\system32\f3PSSavr.scr
2009-03-21 10:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-12 17:56 14,336 a------- c:\windows\system32\svchost.exe
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\dllcache\wininet.dll
2009-02-28 00:54 636,072 a------- c:\windows\system32\dllcache\iexplore.exe
2009-02-20 06:20 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 06:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 01:14 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 08:10 403,968 a----r-- c:\windows\system32\sdra64.exe
2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 07:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-07 19:02 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 07:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 07:08 2,189,056 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 07:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 07:06 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 06:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 06:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 06:32 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-03 15:59 56,832 a------- c:\windows\system32\secur32.dll
2009-02-03 15:59 56,832 -------- c:\windows\system32\dllcache\secur32.dll
2008-10-02 13:06 61,224 a------- c:\documents and settings\dawn and mike\GoToAssistDownloadHelper.exe
2008-11-20 01:15 88 ---shr-- c:\windows\system32\D92C754414.sys
2008-11-20 01:15 3,350 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-10-14 23:36 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092920081006\index.dat
2008-10-14 23:36 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008101420081015\index.dat

============= FINISH: 15:06:16.07 ===============

HERE IS THE HIGHJACKTHIS LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:45:19 AM, on 4/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\DAWNAN~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\EEDPOPLR\HiJackThis[1].exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.mc558.mail.yahoo.com/mc/showFold...552348&da=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by MySpace
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.65.122 browser-security.microsoft.com
O1 - Hosts: 91.212.65.122 antiwareprotect.com
O1 - Hosts: 91.212.65.122 www.antiwareprotect.com
O2 - BHO: (no name) - {007DB8A9-4093-4FEC-8653-B12C51713C6a} - C:\WINDOWS\system32\qieqwven.dll
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: &Helper - {2E59498D-7E44-4452-9044-0973B080B9E8} - C:\WINDOWS\system32\wincontrol.dll
O2 - BHO: IE BHO Utility - {5AB7104A-B71F-49AD-9154-F7F8806AE848} - C:\Program Files\Surf Canyon\surfcanyon.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: BHO - {ABD45510-9B22-41cd-9ACD-8182A2DA7C63} - C:\WINDOWS\system32\iehelper.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Browser Helper Object - {AFD4AD01-58C1-47DB-A404-FBE00A6C5486} - C:\Program Files\Common\helper.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: (no name) - {F2E8E020-F91E-4A63-A75C-DB28DF616730} - c:\windows\system32\goqythk.dll
O2 - BHO: Yontoo Layers - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files\Yontoo Layers Client for Internet Explorer\YontooIEClient.dll
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
O4 - HKLM\..\Run: [DLCICATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCItime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlcimon.exe] "C:\Program Files\Dell AIO Printer 946\dlcimon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [MyWebSearch Plugin] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL,UPF
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16
O4 - HKLM\..\Run: [PAV] C:\Program Files\PAV\pav.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [autochk] rundll32.exe C:\DOCUME~1\NETWOR~1\protect.dll,_IWMPEvents@16
O4 - HKCU\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.exe -boot
O4 - Startup: ChkDisk.dll
O4 - Startup: ChkDisk.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZKxdm011RUUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {E1CC21B1-A5FB-466e-A82D-86701EA75256} - C:\Program Files\Surf Canyon\surfcanyon.dll (HKCU)
O9 - Extra 'Tools' menuitem: Surf Canyon Options - {E1CC21B1-A5FB-466e-A82D-86701EA75256} - C:\Program Files\Surf Canyon\surfcanyon.dll (HKCU)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...etup1.0.1.1.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1226724229703
O18 - Filter hijack: text/html - {6345143a-d42e-47bf-ab2b-33fddad0e8cf} - C:\WINDOWS\system32\dsound3dd.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O20 - Winlogon Notify: yersrwuh - C:\WINDOWS\SYSTEM32\goqythk.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: COM+ System Application (COMSysApp) - CMD Technology, Inc. - (no file)
O23 - Service: dlci_device - - C:\WINDOWS\system32\dlcicoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildTangent\Apps\Dell Game Console\GameConsoleService.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: My Web Search Service (MyWebSearchService) - MyWebSearch.com - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 11684 bytes

Attached Files



BC AdBot (Login to Remove)

 


#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:03:18 AM

Posted 29 April 2009 - 03:30 AM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.Link 1
Link 2
Link 3
Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

If ComboFix asked you to install Recovery Console, please do so.. It will be your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finishes its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 dawn48137

dawn48137
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:03:18 PM

Posted 29 April 2009 - 03:21 PM

Okay, sorry about sending you this in a personal message, here it is on the forum. Since I am new to this, I just wanted to make sure I was doing this right. I have another virus which I posted in a forum and someone is helping me with that one. I thought it said to post every issue seperate, no combo topics, but maybe I am wrong. All those scans made me think that I may have only needed one forum for both viruses?? Sorry if I did this wrong and thanks you for your help!!

ComboFix 09-04-29.01 - Dawn and Mike 04/29/2009 15:28.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.767 [GMT -4:00]
Running from: c:\documents and settings\Dawn and Mike\Desktop\ComboFix.exe
AV: Trend Micro PC-cillin Internet Security *On-access scanning disabled* (Updated)
FW: Trend Micro PC-cillin Internet Security (Firewall) *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Dawn and Mike\Application Data\FunWebProducts
c:\documents and settings\Dawn and Mike\Application Data\GetModule
c:\documents and settings\Dawn and Mike\Application Data\GetModule\dicik.gz
c:\documents and settings\Dawn and Mike\Application Data\GetModule\kwdik.gz
c:\documents and settings\Dawn and Mike\Application Data\GetModule\ofadik.gz
c:\documents and settings\Dawn and Mike\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\Dawn and Mike\protect.dll
c:\documents and settings\Dawn and Mike\Start Menu\Programs\Startup\ChkDisk.dll
c:\documents and settings\Dawn and Mike\Start Menu\Programs\Startup\ChkDisk.lnk
c:\documents and settings\Joey and Evan.WUBZY\protect.dll
c:\documents and settings\Joey and Evan.WUBZY\Start Menu\Programs\Startup\ChkDisk.dll
c:\documents and settings\Joey and Evan.WUBZY\Start Menu\Programs\Startup\ChkDisk.lnk
c:\documents and settings\NetworkService\protect.dll
c:\program files\Common\helper.dll
c:\program files\Common\helper.sig
c:\program files\FunWebProducts
c:\program files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
c:\program files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
c:\program files\FunWebProducts\Shared\Cache\WebfettiBtn.html
c:\program files\GetPack
c:\program files\GetPack\dictame.gz
c:\program files\GetPack\trgtame.gz
c:\program files\Internet Explorer\msimg32.dll
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\1.bin\F3BKGERR.JPG
c:\program files\MyWebSearch\bar\1.bin\F3CJPEG.DLL
c:\program files\MyWebSearch\bar\1.bin\F3DTACTL.DLL
c:\program files\MyWebSearch\bar\1.bin\F3HISTSW.DLL
c:\program files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL
c:\program files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL
c:\program files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL
c:\program files\MyWebSearch\bar\1.bin\F3POPSWT.DLL
c:\program files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR
c:\program files\MyWebSearch\bar\1.bin\F3REPROX.DLL
c:\program files\MyWebSearch\bar\1.bin\F3RESTUB.DLL
c:\program files\MyWebSearch\bar\1.bin\F3SCHMON.EXE
c:\program files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL
c:\program files\MyWebSearch\bar\1.bin\F3SPACER.WMV
c:\program files\MyWebSearch\bar\1.bin\F3WALLPP.DAT
c:\program files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL
c:\program files\MyWebSearch\bar\1.bin\FWPBUDDY.PNG
c:\program files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR
c:\program files\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST
c:\program files\MyWebSearch\bar\1.bin\M3HIGHIN.EXE
c:\program files\MyWebSearch\bar\1.bin\M3HTML.DLL
c:\program files\MyWebSearch\bar\1.bin\M3IDLE.DLL
c:\program files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE
c:\program files\MyWebSearch\bar\1.bin\M3MEDINT.EXE
c:\program files\MyWebSearch\bar\1.bin\M3MSG.DLL
c:\program files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR
c:\program files\MyWebSearch\bar\1.bin\M3NTSTBR.MANIFEST
c:\program files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL
c:\program files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL
c:\program files\MyWebSearch\bar\1.bin\M3SKIN.DLL
c:\program files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE
c:\program files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE
c:\program files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE
c:\program files\MyWebSearch\bar\1.bin\MWSBAR.DLL
c:\program files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
c:\program files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL
c:\program files\MyWebSearch\bar\1.bin\MWSOESTB.DLL
c:\program files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL
c:\program files\MyWebSearch\bar\1.bin\MWSSVC.EXE
c:\program files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL
c:\program files\MyWebSearch\bar\Avatar\COMMON.F3S
c:\program files\MyWebSearch\bar\Cache\035826ED.bin
c:\program files\MyWebSearch\bar\Cache\03A13810
c:\program files\MyWebSearch\bar\Cache\03A13D12.bin
c:\program files\MyWebSearch\bar\Cache\03A13E2B.bin
c:\program files\MyWebSearch\bar\Cache\03A140AC.bin
c:\program files\MyWebSearch\bar\Cache\03A14167.bin
c:\program files\MyWebSearch\bar\Cache\03A14242.bin
c:\program files\MyWebSearch\bar\Cache\03AD564C
c:\program files\MyWebSearch\bar\Cache\files.ini
c:\program files\MyWebSearch\bar\Game\CHECKERS.F3S
c:\program files\MyWebSearch\bar\Game\CHESS.F3S
c:\program files\MyWebSearch\bar\Game\REVERSI.F3S
c:\program files\MyWebSearch\bar\History\search3
c:\program files\MyWebSearch\bar\icons\CM.ICO
c:\program files\MyWebSearch\bar\icons\MFC.ICO
c:\program files\MyWebSearch\bar\icons\PSS.ICO
c:\program files\MyWebSearch\bar\icons\SMILEY.ICO
c:\program files\MyWebSearch\bar\icons\WB.ICO
c:\program files\MyWebSearch\bar\icons\ZWINKY.ICO
c:\program files\MyWebSearch\bar\Message\COMMON.F3S
c:\program files\MyWebSearch\bar\Message\COMMON\ask_logo.gif
c:\program files\MyWebSearch\bar\Message\COMMON\autoup.gif
c:\program files\MyWebSearch\bar\Message\COMMON\autoup.htm
c:\program files\MyWebSearch\bar\Message\COMMON\center.htm
c:\program files\MyWebSearch\bar\Message\COMMON\index.htm
c:\program files\MyWebSearch\bar\Message\COMMON\mid_dots.gif
c:\program files\MyWebSearch\bar\Message\COMMON\mws_logo.gif
c:\program files\MyWebSearch\bar\Message\COMMON\protect.htm
c:\program files\MyWebSearch\bar\Message\COMMON\shocked.gif
c:\program files\MyWebSearch\bar\Message\COMMON\stop.gif
c:\program files\MyWebSearch\bar\Message\COMMON\systray.htm
c:\program files\MyWebSearch\bar\Message\COMMON\systrayp.htm
c:\program files\MyWebSearch\bar\Message\COMMON\tp_grad.gif
c:\program files\MyWebSearch\bar\Message\COMMON\warn.gif
c:\program files\MyWebSearch\bar\Notifier\COMMON.F3S
c:\program files\MyWebSearch\bar\Notifier\DOG.F3S
c:\program files\MyWebSearch\bar\Notifier\FISH.F3S
c:\program files\MyWebSearch\bar\Notifier\KUNGFU.F3S
c:\program files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
c:\program files\MyWebSearch\bar\Notifier\MAID.F3S
c:\program files\MyWebSearch\bar\Notifier\MAILBOX.F3S
c:\program files\MyWebSearch\bar\Notifier\OPERA.F3S
c:\program files\MyWebSearch\bar\Notifier\ROBOT.F3S
c:\program files\MyWebSearch\bar\Notifier\SEDUCT.F3S
c:\program files\MyWebSearch\bar\Notifier\SURFER.F3S
c:\program files\MyWebSearch\bar\Settings\prevcfg2.htm
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\program files\MyWebSearch\bar\Settings\setting2.htm
c:\program files\MyWebSearch\bar\Settings\settings.dat
c:\program files\outerinfo
c:\program files\outerinfo\FF\components\OuterinfoAds.xpt
c:\program files\outerinfo\FF\install.rdf
c:\program files\outerinfo\Terms.rtf
C:\test.txt
c:\windows\jestertb.dll
c:\windows\system32\autochk.dll
c:\windows\system32\f3PSSavr.scr
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\sdra64.exe
c:\windows\system32\test.ttt
c:\windows\system32\uniq.tll
c:\windows\system32\warning.gif
c:\windows\system32\wincontrol.dll
c:\windows\system32\wpv707.cpx
c:\windows\system32\wpv717.cpx
c:\windows\Temp\2.exe
c:\windows\wiaservv.log
c:\windows\system32\goqythk.dll . . . . failed to delete
c:\windows\system32\qieqwven.dll . . . . failed to delete

Infected copy of c:\windows\system32\sfcfiles.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\sfcfiles.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE
-------\Legacy_SFC
-------\Legacy_STYIKBJG
-------\Service_MyWebSearchService
-------\Service_sfc
-------\Service_styikbjg


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-29 )))))))))))))))))))))))))))))))
.

2009-04-29 19:27 . 2009-04-29 19:27 -------- d-----w c:\documents and settings\Dawn and Mike\Application Data\zjxenwne
2009-04-29 19:27 . 2009-04-29 19:27 -------- d-----w c:\documents and settings\Dawn and Mike\Local Settings\Application Data\zjxenwne
2009-04-29 18:59 . 2009-04-29 19:00 -------- d-----w C:\rsit
2009-04-28 01:05 . 2009-04-28 01:05 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\zjxenwne
2009-04-27 04:32 . 2009-04-27 04:32 -------- d-----w c:\program files\Common Files\Uninstall
2009-04-27 04:32 . 2009-04-27 04:32 -------- d-----w c:\program files\PAV
2009-04-25 23:28 . 2009-04-25 23:28 -------- d-----w c:\documents and settings\Dawn and Mike\Application Data\AdwareAlert
2009-04-25 23:28 . 2009-04-25 23:29 -------- d-----w c:\program files\AdwareAlert
2009-04-24 03:27 . 2009-04-24 03:27 -------- d-----w c:\documents and settings\Dawn and Mike\Application Data\Desktopicon
2009-04-24 03:27 . 2009-04-24 03:27 -------- d-----w c:\program files\Unlocker
2009-04-24 01:55 . 2009-04-24 01:55 -------- d-----w c:\documents and settings\Dawn and Mike\Local Settings\Application Data\Help
2009-04-23 08:05 . 2009-04-23 08:05 -------- d-----w c:\documents and settings\Joey and Evan.WUBZY\Application Data\zjxenwne
2009-04-23 08:05 . 2009-04-23 08:05 -------- d-----w c:\documents and settings\Joey and Evan.WUBZY\Local Settings\Application Data\zjxenwne
2009-04-17 23:08 . 2009-04-17 23:08 -------- d-----w c:\documents and settings\Dawn and Mike\Application Data\Windows Search
2009-04-17 02:53 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-17 02:53 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-17 02:53 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-17 02:53 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-17 02:53 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-17 02:53 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-17 02:53 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-17 02:53 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-17 02:53 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-17 02:53 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-17 02:52 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-17 02:52 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-06 12:28 . 2009-04-22 20:05 -------- d-----w c:\documents and settings\Joey and Evan.WUBZY\Application Data\Move Networks
2009-04-04 22:06 . 2009-04-04 22:06 -------- d-----w c:\documents and settings\Joey and Evan.WUBZY\Application Data\Sonic
2009-04-04 22:06 . 2009-04-04 22:06 -------- d-----w c:\documents and settings\Joey and Evan.WUBZY\Application Data\Leadertech
2009-04-04 04:48 . 2009-04-04 04:48 -------- d-----w c:\documents and settings\Dawn and Mike\Application Data\WildTangent
2009-04-04 04:47 . 2009-04-04 04:48 -------- d-----w c:\documents and settings\All Users\Application Data\WildTangent

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-29 19:34 . 2008-10-02 17:09 -------- d-----w c:\program files\Dl_cats
2009-04-29 19:30 . 2005-08-16 08:18 143872 ----a-w c:\windows\system32\qieqwven.dll
2009-04-29 19:30 . 2005-08-16 08:18 103424 ----a-w c:\windows\system32\qqqbwjj.dll
2009-04-29 19:28 . 2009-02-27 14:23 -------- d-----w c:\program files\Common
2009-04-29 19:00 . 2006-09-05 18:30 -------- d-----w c:\program files\Trend Micro
2009-04-28 19:15 . 2008-10-07 14:02 1294 ----a-w c:\documents and settings\Dawn and Mike\Application Data\wklnhst.dat
2009-04-22 18:17 . 2008-10-27 20:04 142 ----a-w c:\documents and settings\Joey and Evan.WUBZY\Local Settings\Application Data\fusioncache.dat
2009-04-17 09:37 . 2006-09-05 18:32 -------- d-----w c:\program files\Microsoft ActiveSync
2009-03-29 16:13 . 2008-11-18 17:26 -------- d-----w c:\program files\LimeWire
2009-03-24 23:28 . 2008-10-03 20:30 69840 ----a-w c:\documents and settings\Dawn and Mike\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-24 02:10 . 2009-03-24 02:10 -------- d-----w c:\program files\Common Files\Napster Shared
2009-03-24 02:10 . 2006-09-05 18:23 -------- d-----w c:\program files\Common Files\Roxio Shared
2009-03-24 02:10 . 2006-09-05 18:22 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-23 23:46 . 2009-03-23 23:46 -------- d-----w c:\program files\Sony
2009-03-20 16:10 . 2009-03-20 16:10 -------- d-----w c:\program files\Yontoo Layers Client for Internet Explorer
2009-03-17 16:02 . 2009-03-17 16:02 315 ----a-w c:\windows\EReg515.dat
2009-03-17 16:01 . 2008-10-14 18:04 -------- d-----w c:\program files\Disney Interactive
2009-03-13 14:57 . 2009-03-13 14:57 -------- d-----w c:\program files\Windows Desktop Search
2009-03-13 14:49 . 2008-11-17 02:51 -------- d-----w c:\program files\Microsoft Silverlight
2009-03-12 22:09 . 2009-03-12 20:18 386 --s-a-w c:\windows\system32\2705650917.dat
2009-03-12 21:56 . 2005-08-16 08:18 14336 ----a-w c:\windows\system32\svchost.exe
2009-03-12 04:59 . 2009-03-12 04:58 -------- d-----w c:\program files\BearShare Applications
2009-03-06 14:22 . 2005-08-16 08:18 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2005-08-16 08:18 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2009-03-13 05:23 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2005-08-16 08:18 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2005-08-16 08:18 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2005-08-16 08:18 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2005-08-16 08:18 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2005-08-16 08:18 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2005-08-16 08:18 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2005-08-16 08:18 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2005-08-16 08:18 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-04 02:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2005-08-16 08:18 56832 ----a-w c:\windows\system32\secur32.dll
2008-11-20 05:15 . 2008-11-13 19:40 88 --sh--r c:\windows\system32\D92C754414.sys
2008-11-20 05:15 . 2008-11-13 19:40 3350 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{003EDC54-4093-4FEC-8653-B12C51713C6a}]
2009-04-29 19:30 143872 ----a-w c:\windows\system32\qieqwven.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0075027A-EC38-4A36-B794-D04F499718D5}]
2009-04-29 19:30 143872 ----a-w c:\windows\system32\qieqwven.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{007DB8A9-4093-4FEC-8653-B12C51713C6a}]
2009-04-29 19:30 143872 ----a-w c:\windows\system32\qieqwven.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F2E8E020-F91E-4A63-A75C-DB28DF616730}]
2004-08-10 09:00 103424 ----a-w c:\windows\system32\goqythk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
2008-10-01 07:40 192960 ------w c:\program files\Yontoo Layers Client for Internet Explorer\YontooIEClient.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-11 176201]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-26 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"AdwareAlert"="c:\program files\AdwareAlert\AdwareAlert.exe" [2009-04-23 9097216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 823362]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-09-05 169984]
"BuildBU"="c:\dell\bldbubg.exe" [2006-09-05 61440]
"DLCICATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCItime.dll" [2006-02-24 73728]
"dlcimon.exe"="c:\program files\Dell AIO Printer 946\dlcimon.exe" [2006-02-14 430080]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-05 98304]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-09-24 206064]
"PAV"="c:\program files\PAV\pav.exe" [2009-04-27 1052672]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-02-10 282624]

c:\documents and settings\Joey and Evan.WUBZY\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2008-9-18 147456]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-9-5 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-10-02 17:07 10536 ----a-w c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GOEC62~1.DLL

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Disabled:ActiveSync Application
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Disabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Disabled:ActiveSync RAPI Manager
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Disabled:ActiveSync Service
"34315:TCP"= 34315:TCP:*:Disabled:@xpsp2res.dll,-22009
"62200:TCP"= 62200:TCP:*:Disabled:@xpsp2res.dll,-22009
"4517:TCP"= 4517:TCP:*:Disabled:@xpsp2res.dll,-22009
"60073:TCP"= 60073:TCP:@xpsp2res.dll,-22009
"34724:TCP"= 34724:TCP:@xpsp2res.dll,-22009

S3 dlci_device;dlci_device;c:\windows\system32\dlcicoms.exe [2006-05-11 491520]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-29 c:\windows\Tasks\AdwareAlert Scheduled Scan.job
- c:\program files\AdwareAlert\AdwareAlert.exe [2009-04-23 11:09]

2009-04-26 c:\windows\Tasks\At1.job
- c:\windows\system32\goqythk.dll [2005-08-16 09:00]
.
- - - - ORPHANS REMOVED - - - -

BHO-{2E59498D-7E44-4452-9044-0973B080B9E8} - c:\windows\system32\wincontrol.dll
HKLM-Run-MyWebSearch Plugin - c:\progra~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL
HKLM-Run-My Web Search Bar Search Scope Monitor - c:\progra~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe
HKLM-Run-NapsterShell - c:\program files\Napster\napster.exe
HKLM-Run-autochk - c:\windows\system32\autochk.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://us.mc558.mail.yahoo.com/mc/showFolder?fid=Inbox&.rand=632552348&da=0
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.myspace.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZKxdm011RUUS
Trusted Zone: musicmatch.com\online
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-29 15:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCICATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCItime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(3024)
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\progra~1\MI1933~1\Office10\MCPS.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe
c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe
c:\windows\system32\searchindexer.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\Common Files\InstallShield\UpdateService\agent.exe
c:\program files\Trend Micro\Internet Security 12\pccmain.exe
.
**************************************************************************
.
Completion time: 2009-04-29 15:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-29 19:38

Pre-Run: 133,336,186,880 bytes free
Post-Run: 135,174,029,312 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

400 --- E O F --- 2009-04-17 09:44

HERE IS THE HIGHJACKTHIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:05:43 PM, on 4/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Dawn and Mike\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.mc558.mail.yahoo.com/mc/showFold...552348&da=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
O2 - BHO: (no name) - {003EDC54-4093-4FEC-8653-B12C51713C6a} - C:\WINDOWS\system32\qieqwven.dll
O2 - BHO: (no name) - {0075027A-EC38-4A36-B794-D04F499718D5} - C:\WINDOWS\system32\qieqwven.dll
O2 - BHO: (no name) - {007DB8A9-4093-4FEC-8653-B12C51713C6a} - C:\WINDOWS\system32\qieqwven.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE BHO Utility - {5AB7104A-B71F-49AD-9154-F7F8806AE848} - C:\Program Files\Surf Canyon\surfcanyon.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: (no name) - {F2E8E020-F91E-4A63-A75C-DB28DF616730} - c:\windows\system32\goqythk.dll
O2 - BHO: Yontoo Layers - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files\Yontoo Layers Client for Internet Explorer\YontooIEClient.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
O4 - HKLM\..\Run: [DLCICATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCItime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlcimon.exe] "C:\Program Files\Dell AIO Printer 946\dlcimon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [PAV] C:\Program Files\PAV\pav.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.exe -boot
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZKxdm011RUUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {E1CC21B1-A5FB-466e-A82D-86701EA75256} - C:\Program Files\Surf Canyon\surfcanyon.dll (HKCU)
O9 - Extra 'Tools' menuitem: Surf Canyon Options - {E1CC21B1-A5FB-466e-A82D-86701EA75256} - C:\Program Files\Surf Canyon\surfcanyon.dll (HKCU)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1226724229703
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: COM+ System Application (COMSysApp) - CMD Technology, Inc. - (no file)
O23 - Service: dlci_device - - C:\WINDOWS\system32\dlcicoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildTangent\Apps\Dell Game Console\GameConsoleService.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 9301 bytes

#4 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:03:18 AM

Posted 29 April 2009 - 03:58 PM

You have another topic below. I'm closing this topic .

http://www.bleepingcomputer.com/forums/ind...p;#entry1242369

Edited by fenzodahl512, 29 April 2009 - 04:08 PM.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users