
Have cleaned over 2200 infected objects but.....


  • This topic is locked
50 replies to this topic

#1 godawgs

  • Security Colleague
  • 38 posts
  • Gender:Male

Posted 10 April 2010 - 12:00 PM

Attached File: Attach.txt (16.25KB)

Hi,
I'm trying to clean my sister's computer. It is a Dell Dimension 4600 desktop. Pentium4 2.4Ghz processor. Windows XP Pro with SP2. 512MB of RAM. I.E.7. It hasn't been turned on since 11/2008 because every time it booted up, all kinds of folders would open automatically (system32, Windows Help and Support Center, etc.) and all kinds of application errors would pop up. And a program called Spywareguard would start a scan....things like that. Evidently her son and granddaughter downloaded half of the internet.
I didn't find any working AV on the system. Though her son tells me that Norton AV was on it at one time. (Norton PC Checkup is installed now.) There is a McAfee folder in C:\Program Files. And in the C:\windows\Temp folder I found a folder titled Avast4. So evidently McAfee and Avast were installed at one time. (Though Norton, McAfee and Avast aren't showing in Add/Remove Programs as installed now.)

I was able to uninstall Spywareguard from Add/Remove Programs. But there is still a Spywareguard in the Startup tab of MSCONFIG that says it runs from HKCU\Software\Microsoft\Windows\CurrentVersion\Run. I have checked all 4 user accounts on the system and there isn't a Spywareguard in that key, or any HKLM or HKCU\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce or RunServices key. There also aren't any Spywareguard folders that I can find on the computer, and all Spywareguard items in all Startup folders were deleted.

I ran DDS, but GMER.exe wouldn't run and I couldn't get Malwarebytes to even install.
Using the information posted in a Sticky in this forum, I was finally able to install and run Malwarebytes. It found over 2200 infected objects over the 4 user accounts on the computer. Cleaning those up solved the application error pop ups. I think the system32 folder opening at start up is because so much junk, like </line>, </script> etc., is trying to load at startup. Along with Spywareguard, there is a Web Spy Sweeper item in the Startup tab of msconfig also. It pops up a screen saying that the database couldn't be loaded and asking the user to reinstall the program. It only does this on two of the user accounts.

After running Malwarebytes, and cleaning the 2200+ infected objects, I was able to run GMER.
The dds.txt, attach.txt, and ark.txt files are included, attached for review.

Unless there are some other things that need to be addressed first after looking at the DDS and GMER files, the big problem left is connecting to the internet. The computer tries to connect, then says the page couldn't be found. Background on this is: in 2009, they changed ISPs. Went from Comcast to AT&T U-Verse. A gateway was installed that combined the modem and wireless router. Since the desktop wasn't working, the AT&T installer didn't turn it on to make sure it connected to the internet. The wireless router part of the gateway works because her son can connect on his laptop. Under the old ISP, a separate wireless router had to be installed. It still shows up in Hardware Devices. In Network Connections, both the Ethernet adapter and the (originally installed) Motorola wireless router show up under Local Area Network connections. The Ethernet adapter is shown as Enabled and Firewalled. And when the mouse hovers over it, it shows connected. The Motorola wireless router is Disabled. The strange thing is that if you remove the Ethernet cable from the Ethernet adapter in the computer and the gateway, plug it into the Motorola wireless adapter and the gateway, plug the Motorola into the wall plug-in, and Enable the Motorola in Network Connections, you can connect to the internet.

In the Attach.txt file (I think), there is a line that says two conflicting IP addresses were found, so in order to prevent confusion, something was turned off or disabled.
I need to get someone to look at the files and direct me on what to do next. I hope this has been detailed and informative enough.
Thanks for the help.

DDS.txt

DDS (Ver_10-03-17.01) - NTFSx86
Run by System Admin at 19:34:00.90 on Thu 04/08/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.298 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\wdskctl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\WINDOWS\system32\lexpps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Motorola Wireless\WU830G USB Adapter 1\OdHost.exe
C:\Program Files\Motorola Wireless\WU830G USB Adapter 1\WLUSBCfg.exe
C:\Documents and Settings\System Admin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.dellnet.com
uDefault_Page_URL = hxxp://www.dellnet.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = hxxp://localhost;
mSearchAssistant = hxxp://www.google.com/ie
mURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn4\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {19284520-7b8c-b8c3-f6df-b5ae92e2718d} - c:\progra~1\rectda~1\Cakecopy.exe
BHO: REALBAR: {4e7bd74f-2b8d-469e-c0ff-fd60b590a87d} - c:\progra~1\common~1\real\toolbar\realbar.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: : {8da5457f-a8aa-4ccf-a842-70e6fd274094} - c:\progra~1\common~1\wintools\WToolsT.dll
BHO: ST: {9394ede7-c8b5-483e-8773-474bf36af6e4} - c:\program files\msn apps\st\01.03.0000.1005\en-xu\stmain.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: MSNToolBandBHO: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\msn toolbar\01.02.5000.1021\en-us\msntb.dll
TB: MSN: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\msn toolbar\01.02.5000.1021\en-us\msntb.dll
TB: {339BB23F-A864-48C0-A59F-29EA915965EC} - No File
TB: {4E7BD74F-2B8D-469E-D7F3-FA7EA480A97D} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn4\yt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
TB: {84938242-5C5B-4A55-B6B9-A1507543B418} - No File
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: {9FB3908C-6565-4CB0-95F8-E9F85258723C} - No File
TB: AIM Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Sonic RecordNow!]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [DwlClient] c:\program files\common files\dell\eusw\Support.exe
mRun: [document.write ('<iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2profit.com/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></iframe] c:\windows\system32\document.write ('<iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2profit.com/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></iframe>');
mRun: [document.write('<ilayer width="720" height="300" left="0" top="0" visibility="SHOW" src="http://ads.partner2profit.com/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></ilayer] c:\windows\system32\document.write('<ilayer width="720" height="300" left="0" top="0" visibility="SHOW" src="http://ads.partner2profit.com/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></ilayer>');
mRun: [<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="Search the web at beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859] c:\windows\system32\<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="Search the web at beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
mRun: [} el] c:\windows\system32\} else {
mRun: [zasfizhw] c:\windows\ondusgrb.exe
mRun: [WinTools] c:\progra~1\common~1\wintools\WToolsA.exe
mRun: [Windows AdStatus] c:\program files\windows adstatus\WinStat.exe
mRun: [wdskctl] c:\windows\wdskctl.exe
mRun: [wbiput] c:\windows\wbiput.exe
mRun: [var strT] c:\windows\system32\var strTemp;
mRun: [var strP] c:\windows\system32\var strPort;
mRun: [var NN4=d.layers?] c:\windows\system32\var NN4=d.layers?1:0;
mRun: [var d=docum] c:\windows\system32\var d=document;
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [TBPS] c:\progra~1\toolbar\TBPS.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_02\bin\jusched.exe"
mRun: [spywareguard] c:\program files\spyware guard 2008\spywareguard.exe
mRun: [Slow title bin 4] c:\documents and settings\all users\application data\defaultdartslowtitle\SlowBows.exe
mRun: [Road send funk fork] c:\documents and settings\all users\application data\media wait road send\proxy flag.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [nvid] c:\windows\system32\gtftjtji.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [if(!NN REG_SZ ] {
mRun: [function redirec] c:\windows\system32\function redirect(){
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [Dinst] c:\windows\dinst.exe
mRun: [diagent] "c:\program files\creative\sblive\diagnostics\diagent.exe" startup
mRun: [Dell AIO Printer A940] "c:\program files\dell aio printer a940\dlbabmgr.exe"
mRun: [dbyvdid] c:\windows\system32\xbvhvm.exe r
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [<title>advertisement</ti] c:\windows\system32\<title>advertisement</title>
mRun: [<script language="javascript" type="text/javascri] c:\windows\system32\<script language="javascript" type="text/javascript">
mRun: [<nofra] c:\windows\system32\<noframes>
mRun: [<META HTTP-EQUIV="Pragma" CONTENT="no-cac] c:\windows\system32\<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
mRun: [<h] c:\windows\system32\<head>
mRun: [<frame src="http://searchportal.information.com/?a_id=761&domainname=beneditutti.com&adultfilter=o] c:\windows\system32\<frame src="http://searchportal.information.com/?a_id=761&domainname=beneditutti.com&adultfilter=off">
mRun: [<body leftmargin="0" topmargin="0" marginwidth="0" marginheight="0" bgcolor="#ffff] c:\windows\system32\<body leftmargin="0" topmargin="0" marginwidth="0" marginheight="0" bgcolor="#ffffff">
mRun: [<body bgcolor="#ffffff" text="#0000] c:\windows\system32\<body bgcolor="#ffffff" text="#000000">
mRun: [</scr] c:\windows\system32\</script>
mRun: [</nofra] c:\windows\system32\</noframes>
mRun: [</h] c:\windows\system32\</html>
mRun: [</frame] c:\windows\system32\</frameset>
mRun: [</b] c:\windows\system32\</body>
mRun: [// Browser Detec] c:\windows\system32\// Browser Detection
mRun: [#search] c:\windows\system32\#searchbox
mRun: [#relatedsear] c:\windows\system32\#relatedsearches
mRun: [ top.location.replace(strTe REG_SZ ] top.location.replace(strTemp);
mExplorerRun: [rare] c:\program files\video activex object\pmsnrr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\motoro~1.lnk - c:\program files\motorola wireless\wu830g usb adapter 1\Startup.EXE
mPolicies-explorer: <NO NAME> =
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\nita fuller\start menu\programs\imvu\Run IMVU.lnk
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\npjpi160_02.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} - hxxp://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1094246790546
DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} - hxxp://www.streamaudio.com/download/ccpm_0237.cab
DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} - hxxp://zone.msn.com/bingame/pacz/default/pandaonline.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - hxxp://software-dl.real.com/181ba6867e953d18b505/netzip/RdxIE601.cab
DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} - hxxp://zone.msn.com/bingame/dsh2/default/DinerDash2.1.0.0.55.cab
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} - hxxp://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {95D88B35-A521-472B-A182-BB1A98356421} - hxxp://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} - hxxp://zone.msn.com/binGame/ZAxRcMgr.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} - hxxp://zone.msn.com/bingame/shpo/default/shapo.cab
DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab34035.cab
DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - hxxp://fdl.msn.com/zone/datafiles/heartbeat.cab
DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} - hxxp://asp.mathxl.com/books/_Players/MathPlayer.cab
AppInit_DLLs: xalooq.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: exemplars - {2acf3add-34a1-4f2f-99cf-cc69785d1e90} - c:\windows\system32\cwgppb.dll
STS: exemplars: {2acf3add-34a1-4f2f-99cf-cc69785d1e90} - c:\windows\system32\cwgppb.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll, digeste.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\cbXNHAsq

============= SERVICES / DRIVERS ===============

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-10 24652]
S1 ethbupjn;ethbupjn;c:\windows\system32\drivers\ethbupjn.sys [2008-12-11 134976]
S2 TBPSSvc;WebSeach Toolbar support NT service;c:\progra~1\toolbar\tbpssvc.exe --> c:\progra~1\toolbar\TBPSSvc.exe [?]
S3 wind502u;Motorola Wireless USB Adapter WU830G Windows Driver;c:\windows\system32\drivers\wind502u.sys [2006-2-2 336256]

============== File Associations ===============

.txt=RapidCSS.Document

=============== Created Last 30 ================

2010-04-08 22:48:39 0 d-----w- c:\program files\Dynamic Toolbar
2010-04-04 16:30:11 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-04 16:30:08 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-04 16:30:08 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-04 16:30:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-03 23:15:26 23040 ----a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-04-03 23:15:26 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-04-03 23:15:25 27648 ----a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-04-03 23:15:25 17408 ----a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-04-03 23:15:22 4608 ----a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-04-03 23:15:07 99865 ----a-w- c:\windows\system32\dllcache\xlog.exe
2010-04-03 23:15:06 28288 ----a-w- c:\windows\system32\dllcache\xjis.nls
2010-04-03 23:15:05 16970 ----a-w- c:\windows\system32\dllcache\xem336n5.sys
2010-04-03 23:15:00 8192 ----a-w- c:\windows\system32\dllcache\wshirda.dll
2010-04-03 23:13:59 25600 ----a-w- c:\windows\system32\dllcache\usbser.sys
2010-04-03 23:12:59 99328 ----a-w- c:\windows\system32\dllcache\srusd.dll
2010-04-03 23:11:59 75392 ----a-w- c:\windows\system32\dllcache\s3savmxm.sys
2010-04-03 23:10:59 16384 ----a-w- c:\windows\system32\dllcache\philcam1.dll
2010-04-03 23:09:59 52255 ----a-w- c:\windows\system32\dllcache\n1000nt5.sys
2010-04-03 23:08:59 48768 ----a-w- c:\windows\system32\dllcache\maestro.sys
2010-04-03 23:07:59 13056 ----a-w- c:\windows\system32\dllcache\inport.sys
2010-04-03 23:06:59 89088 ----a-w- c:\windows\system32\dllcache\hpgt33.dll
2010-04-03 23:05:59 144896 ----a-w- c:\windows\system32\dllcache\epcfw2k.sys
2010-04-03 23:04:59 50176 ----a-w- c:\windows\system32\dllcache\cyyport.sys
2010-04-03 23:03:59 32256 ----a-w- c:\windows\system32\dllcache\diapi2NT.dll
2010-04-03 23:02:57 9216 ----a-w- c:\windows\system32\dllcache\authfilt.dll
2010-04-03 23:01:42 7168 ----a-w- c:\windows\system32\dllcache\wamregps.dll
2010-04-03 23:01:31 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll
2010-04-03 23:01:08 7680 ----a-w- c:\windows\system32\dllcache\inetmgr.exe
2010-04-03 23:01:08 19968 ----a-w- c:\windows\system32\dllcache\inetsloc.dll
2010-04-03 23:01:07 169984 ----a-w- c:\windows\system32\dllcache\iisui.dll
2010-04-03 23:01:06 6144 ----a-w- c:\windows\system32\dllcache\ftpsapi2.dll
2010-04-03 23:01:06 5632 ----a-w- c:\windows\system32\dllcache\iisrstap.dll
2010-04-03 23:01:06 14336 ----a-w- c:\windows\system32\dllcache\iisreset.exe
2010-04-03 23:00:52 94720 ----a-w- c:\windows\system32\dllcache\certmap.ocx

==================== Find3M ====================

2010-04-04 20:25:50 148618 --sha-w- c:\windows\system32\qsAHNXbc.ini2
2006-03-26 23:54:48 845 ----a-w- c:\program files\INSTALL.LOG
2006-03-25 23:10:04 774144 ----a-w- c:\program files\RngInterstitial.dll
2006-03-16 00:43:14 4286 ----a-w- c:\program files\wrench.ico
2006-03-15 20:46:06 4286 ----a-w- c:\program files\GameFly.ico
2006-01-24 20:40:58 3262 ----a-w- c:\program files\jamster.ico

============= FINISH: 19:34:41.21 ===============

Attached Files

  • Attached File: ark.txt (46.13KB)

Edited by godawgs, 10 April 2010 - 12:01 PM.
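The DDS "Pseudo HJT Report" above is where the useful signal sits. DDS prefixes entries from the HKLM ...\CurrentVersion\Run key with mRun and the current user's with uRun, and here dozens of mRun "program paths" are actually fragments of HTML and JavaScript; several Run entries and one S1 kernel driver (ethbupjn.sys) have random lowercase names directly under c:\windows or system32; AppInit_DLLs, normally empty on a home XP box, loads xalooq.dll; SecurityProviders carries two extra names, one of them (digeste.dll) one letter away from the real digest.dll; and the LSA Authentication Packages value loads cbXNHAsq next to msv1_0, while Find3M lists a hidden, system-flagged qsAHNXbc.ini2, which is that same name spelled backwards. The script below is an added example, not part of the original post, of DDS or of the forum's procedure: it runs those triage checks over an excerpt of the posted log. The stock XP SecurityProviders and authentication-package sets, the random-name heuristic and the small allow-list are assumptions made for this example, and its output is a list of entries to look at, not a verdict.

```python
"""Triage checks for the autostart section of a DDS log.

Added example for this thread; not part of the original post, of DDS or of
BleepingComputer's procedures. The heuristics and allow-lists below are
assumptions made for the example, and the output is a to-review list,
not a verdict.
"""
import re
import sys
from collections import defaultdict

# Excerpt of the DDS log posted above, trimmed to lines the checks use.
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [DwlClient] c:\program files\common files\dell\eusw\Support.exe
mRun: [} el] c:\windows\system32\} else {
mRun: [zasfizhw] c:\windows\ondusgrb.exe
mRun: [var d=docum] c:\windows\system32\var d=document;
mRun: [nvid] c:\windows\system32\gtftjtji.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [dbyvdid] c:\windows\system32\xbvhvm.exe r
mRun: [<h] c:\windows\system32\<head>
AppInit_DLLs: xalooq.dll
SSODL: exemplars - {2acf3add-34a1-4f2f-99cf-cc69785d1e90} - c:\windows\system32\cwgppb.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll, digeste.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\cbXNHAsq
S1 ethbupjn;ethbupjn;c:\windows\system32\drivers\ethbupjn.sys [2008-12-11 134976]
S3 wind502u;Motorola Wireless USB Adapter WU830G Windows Driver;c:\windows\system32\drivers\wind502u.sys [2006-2-2 336256]
2010-04-04 20:25:50 148618 --sha-w- c:\windows\system32\qsAHNXbc.ini2
"""

# Assumed stock Windows XP values; anything else in these keys needs a reason.
DEFAULT_SEC_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}
DEFAULT_AUTH_PACKAGES = {"msv1_0"}
# Assumed allow-list: Windows binaries that legitimately have a plain lowercase name.
KNOWN_LOWERCASE = {"ctfmon", "rundll32"}

RUN_RE = re.compile(r"^[um]Run: \[(?P<name>[^\]]*)\] (?P<value>.*)$")
SERVICE_RE = re.compile(r"^[RS][0-4] ")
# A file directly under c:\windows, system32 or system32\drivers.
PATH_RE = re.compile(r"c:\\windows\\(?:system32\\(?:drivers\\)?)?(?P<file>[^\\\s\[;,]+)", re.I)
# Markup or script text where a program path should be.
MARKUP_RE = re.compile(r"[<>]|document\.|\bvar\s|\bfunction\s|\belse\b")
# Heuristic: 5-9 lowercase letters, no digits, no vendor-style capitals.
RANDOM_STEM_RE = re.compile(r"^[a-z]{5,9}$")


def _stem(file_name):
    return file_name.split(".")[0]


def triage(log_text):
    """Return a dict of finding-type -> list of entries worth a closer look."""
    findings = defaultdict(list)
    stems = {}  # lowercase stem -> name as written, for the reversed-name check
    for line in log_text.splitlines():
        line = line.strip()
        run = RUN_RE.match(line)
        if run:
            value = run.group("value")
            if MARKUP_RE.search(value):
                findings["run_markup"].append(run.group("name"))
            hit = PATH_RE.search(value)
            if hit:
                stem = _stem(hit.group("file"))
                if RANDOM_STEM_RE.match(stem) and stem not in KNOWN_LOWERCASE:
                    findings["run_random_name"].append(hit.group("file"))
        elif line.startswith("AppInit_DLLs:"):
            dlls = line.split(":", 1)[1].strip()
            if dlls:  # empty is the normal state on a home XP box
                findings["appinit"].append(dlls)
        elif line.startswith("SecurityProviders:"):
            names = {n.strip().lower() for n in line.split(":", 1)[1].split(",")}
            extra = sorted(names - DEFAULT_SEC_PROVIDERS)
            if extra:
                findings["extra_security_providers"] = extra
        elif line.startswith("LSA: Authentication Packages"):
            pkgs = line.split("=", 1)[1].split()
            extra = [p for p in pkgs if p.lower() not in DEFAULT_AUTH_PACKAGES]
            if extra:
                findings["extra_auth_packages"] = extra
        elif SERVICE_RE.match(line) and "\\drivers\\" in line.lower():
            hit = PATH_RE.search(line)
            if hit and RANDOM_STEM_RE.match(_stem(hit.group("file"))):
                findings["driver_random_name"].append(hit.group("file"))
        # Remember every %SystemRoot% file name seen, on any line.
        for hit in PATH_RE.finditer(line):
            stem = _stem(hit.group("file"))
            stems.setdefault(stem.lower(), stem)
    # A file whose name is another file's name spelled backwards is a pairing
    # worth reporting (in the posted log: cbXNHAsq and qsAHNXbc.ini2).
    for low, name in sorted(stems.items()):
        rev = low[::-1]
        if rev in stems and low < rev:
            findings["reversed_name_pair"].append((name, stems[rev]))
    return dict(findings)


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for kind, items in triage(text).items():
        print(f"{kind}:")
        for item in items:
            print(f"  {item}")
```

Run it with no arguments to see the findings for the embedded excerpt, or pass the path of a saved dds.txt. The random-name check is deliberately conservative (it ignores anything with digits or capitals, so DSentry.exe and wind502u.sys pass), and legitimate vendor files can still land in the list; the LSA, AppInit_DLLs and SecurityProviders checks are the ones where any unexpected entry is worth chasing, because those keys load code into every logon and every process.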




#2 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 10 April 2010 - 12:22 PM

Hello godawgs,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.


We have a severely infected machine here, but no worries we will get you cleaned up in no time.
Please refrain from using this machine on the internet other than replying here or downloading tools we require.
When we get your machine most of the way clean I will give you some links to some good free Antivirus to put on the machine. Putting one on at this time would be useless as it would be going off every 2 seconds.

1.
Viewpoint Manager is considered foistware instead of malware since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.

2.
The following is referring to RegCure 1.0.0.43 and Registry Cleaner.
Please be aware that bleepingcomputer staff do not recommend the usage of registry cleaners / tools due to the following facts:
  • Registry tools can cause irreparable damage to your Operating System
  • Registry tools can, as a result of the above, render your pc to be inoperable.
This is done, assuming that the major audience here at this board might be inexperienced users and thus a suggested safeguard from our side.
If you feel you have the need for a registry cleaner, then you are just as welcome to keep it. This is what we refer to as an "optional fix" and is up to the user, so just take this as a recommendation from my side.


3.
Please update Malwarebytes Anti-Malware and do a Full Scan and post the resulting log.

4.
Download and Run RKill
    Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

5.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.

Things to include in your next reply:
MBAM log
Rkill log
Combofix.txt



" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 godawgs
  • Topic Starter
  • Security Colleague
  • 38 posts
  • Gender:Male

Posted 10 April 2010 - 01:42 PM

fireman4it,
Thanks for helping.
Couple of things I'm not sure about and one thing I am.
  1. I will uninstall Viewpoint, Viewpoint Manager and Viewpoint Media Player. Should I also disable Viewpoint Services in Services.msc?
  2. I don't know of any anti-malware running on the system with real time protection enabled. Malwarebytes is the free version and does not include real time protection.
    Spywareguard and Spysweeper aren't installed anymore according to Add/Remove Programs. If the logs you looked at show anything running, I don't know how to disable them.
  3. I don't know if the system has Windows Recovery Console installed or not, but if it doesn't, there is no way to download it from the internet since I am unable to connect to the internet yet with this system. And they don't have any idea where the OEM System disc that came with the system is.
What I have been doing is downloading the files needed to my computer, burning them to a CD and taking it to the infected computer, copying them to the hard drive and running them from there. When I need to post the logs, I burn them to a CD from the desktop of the infected computer, then bring that CD back to my computer to copy from/attach from and include in my posts.
Thanks for your help and I'll post the logs you requested in my next reply.

#4 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 10 April 2010 - 04:30 PM

Hello

QUOTE
1. I will uninstall Viewpoint, Viewpoint Manager and Viewpoint Media Player. Should I also disable Viewpoint Services in Services.msc?
2. I don't know of any anti-malware running on the system with real time protection enabled. Malwarebytes is the free version and does not include real time protection.
Spywareguard and Spysweeper aren't installed anymore according to Add/Remove Programs. If the logs you looked at show anything running, I don't know how to disable them.
3. I don't know if the system has Windows Recovery Console installed or not, but if it doesn't, there is no way to download it from the internet since I am unable to connect to the internet yet with this system. And they don't have any idea where the OEM System disc that came with the system is.


1. Viewpoint service should be uninstalled when you uninstall viewpoint. If it does not I will take care of that for you!
2. Actually SpywareGuard is a rogue Security program and we will be taking care of that now.
3. Combofix will tell you if you don't have it installed. If you don't I can tell you where to go to download it and burn it to download to your machine.

I will wait for your logs patiently.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#5 godawgs
Topic Starter

Posted 11 April 2010 - 12:33 AM

fireman4it,

Update to my second post (post #3 in the thread) describing not being able to connect to the internet.

First, I went to the infected machine and copied an updated rules.ref file to the C:\Documents and Settings\All Users\Program Data\Malwarebytes folder and ran a full scan.
The scan took over 3.5 hrs. Mainly because when the program got to all the quarantined objects in each user's profile it really slowed down. Once everything is done, will I be able to delete all the items in the quarantined folder for each user or will they have to stay in there forever?

Your first reply said to refrain from making any changes to the computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.

However, after finishing the Malwarebytes scan, I opened Network Connections to see if I could find the problem with not being able to connect to the internet. I found that DHCP was not enabled on the LAN Ethernet adapter. I changed the TCP/IP settings to enable DHCP and now the computer will connect to the internet and load pages. So tomorrow (Sunday) I will go back and uninstall the Viewpoint, Registry Cleaner and RegCure programs that you said I could uninstall. Then I will download RKill and ComboFix and run them and if ComboFix needs to download and install the Windows Recovery Console, the infected machine should be able to do it. Then I should be able to post the results directly from the computer we are trying to clean rather than having to take the log files back to my computer and post from it.

Thanks
jc

Edited by godawgs, 11 April 2010 - 12:35 AM.


#6 fireman4it
Malware Response Team

Posted 11 April 2010 - 10:24 AM

Hello, also please include the MalwareBytes log.



#7 godawgs
Topic Starter

Posted 11 April 2010 - 01:05 PM

Back at ya fireman,

Here are the logs you requested:

MBAM.log

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3975

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

4/10/2010 7:24:27 PM
mbam-log-2010-04-10 (19-24-27).txt

Scan type: Full scan (C:\|)
Objects scanned: 248903
Time elapsed: 2 hour(s), 34 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\dynamic toolbar (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\REALBAR (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\REALBAR\Cache (Adware.2020search) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)


Rkill.log

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as System Admin on 04/11/2010 at 13:01:38.


Processes terminated by Rkill or while it was running:


C:\Documents and Settings\System Admin\Desktop\rkill.pif


Rkill completed on 04/11/2010 at 13:01:41.


Combofix.txt

ComboFix 10-04-10.02 - System Admin 04/11/2010 13:09:57.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.295 [GMT -4:00]
Running from: c:\documents and settings\System Admin\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Larry Fuller\Local Settings\Temporary Internet Files\Tvm.log
c:\program files\Dynamic Toolbar
c:\program files\INSTALL.LOG
c:\program files\TBONAS
c:\program files\TBONAS\bestoffers_icon_01.ico
c:\program files\TBONAS\center_wnd.htm
c:\program files\TBONAS\comp.htm
c:\program files\TBONAS\grb12.rtk
c:\program files\TBONAS\TBONcomp.dll
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.55
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.55\assets\ui\upgrades\icon_podium_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.55\assets\ui\upgrades\icon_powerbars_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.55\assets\ui\upgrades\icon_powerbars_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.55\assets\ui\upgrades\icon_powerbars_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.55\assets\ui\upgrades\icon_radio_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.55\assets\ui\upgrades\icon_radio_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.55\assets\ui\upgrades\icon_radio_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.55\assets\ui\upgrades\icon_stereo_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.55\assets\ui\upgrades\icon_stereo_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.55\assets\ui\upgrades\icon_stereo_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.55\assets\ui\upgrades\icon_table_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.55\assets\ui\upgrades\icon_table_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.55\assets\ui\upgrades\icon_table_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.55\assets\upsell\dd1.jpg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.55\assets\upsell\dd2.jpg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.55\assets\upsell\dd3.jpg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.55\assets\upsell\dd4.jpg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.55\dinerdash2.exe
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\Downloaded Program Files\RdxIE.dll
c:\windows\system32\Cache
c:\windows\system32\Cache\buts.bin
c:\windows\system32\Cache\chart 1.bmp
c:\windows\system32\Cache\ding.bmp
c:\windows\system32\Cache\disk 1.bmp
c:\windows\system32\Cache\document.bmp
c:\windows\system32\Cache\mail unreaded.bmp
c:\windows\system32\Cache\msg.bin
c:\windows\system32\Cache\peoples 1.bmp
c:\windows\system32\Cache\search find 2.bmp
c:\windows\system32\Cache\web app.bmp
c:\windows\system32\cieduboy.ini
c:\windows\system32\Data
c:\windows\system32\idsarlnw.ini
c:\windows\system32\kqwpxdyo.ini
c:\windows\system32\qlyhpocw.ini
c:\windows\SYSTEM32\qsAHNXbc.ini
c:\windows\SYSTEM32\qsAHNXbc.ini2
c:\windows\system32\skdbykwi.ini
c:\windows\system32\slqvunfl.ini
c:\windows\system32\tslgsnlh.ini
c:\windows\system32\wcophylq.dll
c:\windows\system32\yqhmwlqy.ini
c:\windows\Tasks\caerigqt.job
c:\windows\wiaserviv.log

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2010-03-11 to 2010-04-11 )))))))))))))))))))))))))))))))
.

2010-04-10 23:42 . 2010-04-11 16:43 -------- d-----w- c:\documents and settings\System Admin\Local Settings\Application Data\Google
2010-04-10 20:00 . 2010-04-10 20:00 -------- d-----w- c:\documents and settings\System Admin\Application Data\Malwarebytes
2010-04-09 02:34 . 2010-04-09 02:34 -------- d-----w- c:\documents and settings\System Admin\Local Settings\Application Data\Help
2010-04-04 22:49 . 2010-04-04 22:49 -------- d-----w- c:\documents and settings\Larry Fuller\Application Data\Malwarebytes
2010-04-04 21:08 . 2010-04-04 21:08 -------- d-----w- c:\documents and settings\Nick Fuller\Application Data\Malwarebytes
2010-04-04 16:46 . 2010-04-04 16:46 -------- d-----w- c:\documents and settings\Nita Fuller_2\Application Data\Malwarebytes
2010-04-04 16:30 . 2010-03-29 19:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-04 16:30 . 2010-04-04 23:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-04 16:30 . 2010-04-04 16:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-04 16:30 . 2010-03-29 19:24 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-04 16:12 . 2010-04-04 16:12 -------- d-----w- c:\documents and settings\Nita Fuller_2\Application Data\Corel
2010-04-03 23:15 . 2004-08-04 04:56 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-04-03 23:15 . 2001-08-18 02:36 23040 ----a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-04-03 23:15 . 2001-08-18 02:37 27648 ----a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-04-03 23:15 . 2001-08-18 02:36 17408 ----a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-04-03 23:15 . 2001-08-18 02:37 4608 ----a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-04-03 23:15 . 2001-08-18 02:37 99865 ----a-w- c:\windows\system32\dllcache\xlog.exe
2010-04-03 23:15 . 2001-08-17 16:11 16970 ----a-w- c:\windows\system32\dllcache\xem336n5.sys
2010-04-03 23:15 . 2004-08-04 04:56 8192 ----a-w- c:\windows\system32\dllcache\wshirda.dll
2010-04-03 23:13 . 2004-08-04 03:08 25600 ----a-w- c:\windows\system32\dllcache\usbser.sys
2010-04-03 23:12 . 2002-08-29 10:00 101376 ----a-w- c:\windows\system32\dllcache\srusbusd.dll
2010-04-03 23:11 . 2001-08-17 18:56 245632 ----a-w- c:\windows\system32\dllcache\s3savmx.dll
2010-04-03 23:10 . 2001-08-18 02:36 16384 ----a-w- c:\windows\system32\dllcache\philcam1.dll
2010-04-03 23:09 . 2001-08-17 18:56 35392 ----a-w- c:\windows\system32\dllcache\n9i128.dll
2010-04-03 23:08 . 2001-08-17 16:19 48768 ----a-w- c:\windows\system32\dllcache\maestro.sys
2010-04-03 23:07 . 2001-08-17 17:47 13056 ----a-w- c:\windows\system32\dllcache\inport.sys
2010-04-03 23:06 . 2001-08-18 02:36 89088 ----a-w- c:\windows\system32\dllcache\hpgt33.dll
2010-04-03 23:05 . 2001-08-17 17:50 144896 ----a-w- c:\windows\system32\dllcache\epcfw2k.sys
2010-04-03 23:04 . 2001-08-18 02:36 27648 ----a-w- c:\windows\system32\dllcache\cyyports.dll
2010-04-03 23:03 . 2001-08-18 02:36 32256 ----a-w- c:\windows\system32\dllcache\diapi2NT.dll
2010-04-03 23:02 . 2002-08-29 10:00 9216 ----a-w- c:\windows\system32\dllcache\authfilt.dll
2010-04-03 23:01 . 2002-08-29 10:00 7168 ----a-w- c:\windows\system32\dllcache\wamregps.dll
2010-04-03 23:01 . 2001-08-17 18:56 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll
2010-04-03 23:01 . 2002-08-29 10:00 7680 ----a-w- c:\windows\system32\dllcache\inetmgr.exe
2010-04-03 23:01 . 2002-08-29 10:00 19968 ----a-w- c:\windows\system32\dllcache\inetsloc.dll
2010-04-03 23:01 . 2002-08-29 10:00 169984 ----a-w- c:\windows\system32\dllcache\iisui.dll
2010-04-03 23:01 . 2002-08-29 10:00 6144 ----a-w- c:\windows\system32\dllcache\ftpsapi2.dll
2010-04-03 23:01 . 2002-08-29 10:00 5632 ----a-w- c:\windows\system32\dllcache\iisrstap.dll
2010-04-03 23:01 . 2002-08-29 10:00 14336 ----a-w- c:\windows\system32\dllcache\iisreset.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-10 23:45 . 2003-12-16 22:01 -------- d-----w- c:\program files\Google
2010-04-05 00:10 . 2007-07-22 19:31 -------- d-----w- c:\program files\Nick Arcade
2010-03-27 22:17 . 2008-01-06 14:37 -------- d-----w- c:\program files\MySpace
2006-03-25 23:10 . 2006-03-25 23:10 774144 ----a-w- c:\program files\RngInterstitial.dll
2006-03-16 00:43 . 2006-03-26 23:54 4286 ----a-w- c:\program files\wrench.ico
2006-03-15 20:46 . 2006-03-26 23:54 4286 ----a-w- c:\program files\GameFly.ico
2006-01-24 20:40 . 2006-03-26 23:54 3262 ----a-w- c:\program files\jamster.ico
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-23 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"var NN4=d.layers?"="c:\windows\System32\var NN4=d.layers?1:0;" [?]
"} el"="c:\windows\System32\} else {" [X]
"var strT"="c:\windows\System32\var strTemp;" [X]
"var strP"="c:\windows\System32\var strPort;" [X]
"var d=docum"="c:\windows\System32\var d=document;" [X]
"if(!NN"="{" [X]
"function redirec"="c:\windows\System32\function redirect(){" [X]
"<nofra"="c:\windows\System32\<noframes>" [X]
"<META HTTP-EQUIV=Pragma CONTENT=no-cac"="c:\windows\System32\<META HTTP-EQUIV=Pragma CONTENT=no-cache>" [X]
"<body leftmargin=0 topmargin=0 marginwidth=0 marginheight=0 bgcolor=#ffff"="c:\windows\System32\<body leftmargin=0 topmargin=0 marginwidth=0 marginheight=0 bgcolor=#ffffff>" [X]
"<body bgcolor=#ffffff text=#0000"="c:\windows\System32\<body bgcolor=#ffffff text=#000000>" [X]
"#search"="c:\windows\System32\#searchbox " [X]
"#relatedsear"="c:\windows\System32\#relatedsearches" [X]
""="top.location.replace(strTemp);" [X]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2003-09-19 294912]
"wdskctl"="c:\windows\wdskctl.exe" [2006-03-26 110592]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-07-14 180269]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-29 413696]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-04-24 4616192]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-14 28672]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]
"Dell AIO Printer A940"="c:\program files\Dell AIO Printer A940\dlbabmgr.exe" [2003-02-08 86102]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]

c:\documents and settings\Larry Fuller\Start Menu\Programs\Startup\
Remote Assistance.lnk - c:\windows\SYSTEM32\rcimlby.exe [2002-8-29 35840]

c:\documents and settings\Nick Fuller\Start Menu\Programs\Startup\
Remote Assistance.lnk - c:\windows\SYSTEM32\rcimlby.exe [2002-8-29 35840]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Motorola Wireless USB Adapter.lnk - c:\program files\Motorola Wireless\WU830G USB Adapter 1\Startup.EXE [2006-2-2 24576]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\ccpm_0237.exe"=
"c:\\Program Files\\MSN\\MSNCoreFiles\\msn6.exe"=
"c:\\Program Files\\Motorola Wireless\\WU830G USB Adapter 1\\WLUSBCfg.exe"=
"c:\\WINDOWS\\SYSTEM32\\fxsclnt.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

S1 ethbupjn;ethbupjn;c:\windows\SYSTEM32\DRIVERS\ethbupjn.sys [12/11/2008 3:28 AM 134976]
S2 TBPSSvc;WebSeach Toolbar support NT service;c:\progra~1\Toolbar\TBPSSvc.exe --> c:\progra~1\Toolbar\TBPSSvc.exe [?]
S3 wind502u;Motorola Wireless USB Adapter WU830G Windows Driver;c:\windows\SYSTEM32\DRIVERS\wind502u.sys [2/2/2006 2:08 AM 336256]
.
Contents of the 'Scheduled Tasks' folder

2008-12-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 22:57]

2003-10-15 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 04:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://att.net/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = hxxp://localhost;
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Nita Fuller\Start Menu\Programs\IMVU\Run IMVU.lnk
.
.
------- File Associations -------
.
.txt=RapidCSS.Document
.
- - - - ORPHANS REMOVED - - - -

BHO-{19284520-7B8C-B8C3-F6DF-B5AE92E2718D} - c:\progra~1\RECTDA~1\Cakecopy.exe
HKLM-Run-zasfizhw - c:\windows\ondusgrb.exe
HKLM-Run-WinTools - c:\progra~1\COMMON~1\WinTools\WToolsA.exe
HKLM-Run-Windows AdStatus - c:\program files\Windows AdStatus\WinStat.exe
HKLM-Run-wbiput - c:\windows\wbiput.exe
HKLM-Run-TBPS - c:\progra~1\Toolbar\TBPS.exe
HKLM-Run-spywareguard - c:\program files\Spyware Guard 2008\spywareguard.exe
HKLM-Run-Slow title bin 4 - c:\documents and settings\All Users\Application Data\DefaultDartSlowTitle\SlowBows.exe
HKLM-Run-Road send funk fork - c:\documents and settings\All Users\Application Data\Media Wait Road Send\proxy flag.exe
HKLM-Run-nvid - c:\windows\System32\gtftjtji.exe
HKLM-Run-Dinst - c:\windows\dinst.exe
HKLM-Run-dbyvdid - c:\windows\system32\xbvhvm.exe
AddRemove-Internet Explorer Security Plugin 2006 - c:\program files\Video ActiveX Object\iesuninst.exe
AddRemove-Internet Security Add-On - c:\program files\Video ActiveX Object\isunst.exe
AddRemove-Public Messenger ver 2.03 - c:\program files\Video ActiveX Object\pmunst.exe
AddRemove-WinTools_ESIES - c:\progra~1\COMMON~1\WinTools\WToolsA.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-11 13:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???x???x???????????????????x???????????x???x???????????x???????????x???x??????????? ??????????????????????????????w????????????j??w????x???x??????????????

scanning hidden files ...


c:\windows\system32\wuaueng.dll.wusetup.319968.bak 1809944 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"document.write ('<iframe width=\"720\" height=\"300\" frameborder=\"0\" scrolling=\"NO\" marginwidth=\"0\" marginheight=\"0\" src=\"http://ads.partner2profit.com/abs_adserve....iframe>');"
"document.write('<ilayer width=\"720\" height=\"300\" left=\"0\" top=\"0\" visibility=\"SHOW\" src=\"http://ads.partner2profit.com/abs_adserve....ilayer>');"
"<title>beneditutti.com</title><meta name=\"keywords\" content=\"beneditutti.com\"><meta name=\"description\" content=\"Search the web at beneditutti.com\"><meta name=\"robots\" content=\"INDEX, FOLLOW\"><meta name=\"revisit-after\" content=\"10\"><meta http-equiv=\"Content-Type\" content=\"text/html; charset=iso-8859"=expand:"c:\\WINDOWS\\System32\\<title>beneditutti.com</title><meta name=\"keywords\" content=\"beneditutti.com\"><meta name=\"description\" content=\"Search the web at beneditutti.com\"><meta name=\"robots\" content=\"INDEX, FOLLOW\"><meta name=\"revisit-after\" content=\"10\"><meta http-equiv=\"Content-Type\" content=\"text/html; charset=iso-8859-1\">"
"<script language=\"javascript\" type=\"text/javascri"="c:\\WINDOWS\\System32\\<script language=\"javascript\" type=\"text/javascript\">"
"<META HTTP-EQUIV=\"Pragma\" CONTENT=\"no-cac"="c:\\WINDOWS\\System32\\<META HTTP-EQUIV=\"Pragma\" CONTENT=\"no-cache\">"
"<frame src=\"http://searchportal.information.com/?a_id=...\<frame src=\"http://searchportal.information.com/?a_id=...ilter=off\">"
"<body leftmargin=\"0\" topmargin=\"0\" marginwidth=\"0\" marginheight=\"0\" bgcolor=\"#ffff"="c:\\WINDOWS\\System32\\<body leftmargin=\"0\" topmargin=\"0\" marginwidth=\"0\" marginheight=\"0\" bgcolor=\"#ffffff\">"
"<body bgcolor=\"#ffffff\" text=\"#0000"="c:\\WINDOWS\\System32\\<body bgcolor=\"#ffffff\" text=\"#000000\">"
" top.location.replace(strTe"="c:\\WINDOWS\\System32\\\09top.location.replace(strTemp);"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3260)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\System32\CTsvcCDA.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\System32\nvsvc32.exe
c:\windows\System32\MsPMSPSv.exe
c:\windows\system32\fxssvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\Dell AIO Printer A940\dlbabmon.exe
c:\windows\BCMSMMSG.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Motorola Wireless\WU830G USB Adapter 1\WLUSBCfg.exe
c:\windows\SoftwareDistribution\Download\4a78de12f193191bac68c80878ef4c27\update\update.exe
.
**************************************************************************
.
Completion time: 2010-04-11 13:27:45 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-11 17:27

Pre-Run: 58,006,081,536 bytes free
Post-Run: 60,067,328,000 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 43B64EB500805211AB5780EF5A82E4AF

I will await your response.
Thanks for the help.



#8 godawgs (Topic Starter, Security Colleague, 38 posts)

Posted 11 April 2010 - 01:55 PM

fireman4it,

New development.
Right after I posted the log files you requested, I shut down the computer. At the "Shutting Down Windows" screen this message came up:

"Installing 52 downloaded updates.
Do not turn off or unplug your computer. It will turn off automatically".

"Installing 1 of 52 updates"

The computer then installed 52 updates and turned off.

I know that Automatic Updates were turned off when running Rkill and ComboFix.
All I can think of is that ComboFix turned the update service back on.

Anyway, I waited a few minutes and turned the computer on again. After logging in the following window opened up:

Windows Genuine Advantage Notifications-Installation

It was the installation program for the Windows Genuine Advantage Update tool.

I did not install it per your request that nothing be installed/uninstalled until we are finished. And I didn't know that "Automatic Updates" had been turned back on.

By the way, the System32 folder still comes up right after logging on.

Thanks

godawgs





#9 fireman4it (Bleepin' Fireman, Malware Response Team, 13,505 posts, Greenup, Ill USA)

Posted 11 April 2010 - 02:18 PM

Hello,

Looks like we got the main infection.

1.
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. "If you would like to continue, then follow the steps below, otherwise please let me know"

2.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

CODE
Killall::

File::
c:\windows\System32\var
c:\windows\wdskctl.exe
c:\windows\System32\zwebauth.dll
c:\windows\SYSTEM32\DRIVERS\ethbupjn.sys
c:\progra~1\Toolbar\TBPSSvc.exe

Folder::
c:\progra~1\Toolbar

DDS::
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Nita Fuller\Start Menu\Programs\IMVU\Run IMVU.lnk

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll,schannel.dll,digest.dll,msnsspc.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"var NN4=d.layers?"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"} el"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"var strT"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"var strP"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"var d=docum"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"if(!NN"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"function redirec"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"<nofra"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"<META HTTP-EQUIV=Pragma CONTENT=no-cac"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"<body leftmargin=0 topmargin=0 marginwidth=0 marginheight=0 bgcolor=#ffff"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"<body bgcolor=#ffffff text=#0000"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"#search"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"#relatedsear"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wdskctl"=-

Driver::
ethbupjn
TBPSSvc


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

3.
I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

You can refer to this short video by: neomage
**Note**
To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Things to include in your next reply:
Combofix.txt
Eset log
A new DDS log
No need for Attach.txt this time
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#10 godawgs (Topic Starter, Security Colleague, 38 posts)

Posted 11 April 2010 - 04:26 PM

Hello fireman,
This computer was used mainly for my sister to view/print recipes, do e-mail, etc.
And for her kid/grandkid to play games.
Not having an AV for so long and having the firewall turned off and downloading everything on the web got us here.
There has never been any critical data on the computer. She was thinking of using it, after it got cleaned up, to do on-line shopping, but she now knows that is not possible without formatting and reinstalling the operating system.
So I want to continue to clean the machine.

I started following the instructions in your last post. I copied the script to a text file and named it CFScript.txt and saved it to the desktop where ComboFix was. When I dragged the txt file into the ComboFix file, Combofix loaded and a warning came up telling me I should download a fresh copy of combofix from Bleepingcomputer. So I deleted the comboFix file that was on the desktop and downloaded a fresh copy to the Desktop. Then I dragged the CFScript.txt into the new copy. The green bars loading ComboFix came up and the blue combofix box (with a C:\) came up and inside the box it said 'SWSC' is not recognized as an internal command, operable program, or batch file. With a blinking cursor at the beginning of the next line.
I let the box sit there for a while and nothing changed, so I closed it.
Did I screw something up?

#11 fireman4it (Bleepin' Fireman, Malware Response Team, 13,505 posts, Greenup, Ill USA)

Posted 11 April 2010 - 07:24 PM

Hello,

Let's uninstall Combofix and redownload it and try that script again.

Uninstall Combofix
  • Make sure that Combofix.exe that you downloaded is on your Desktop but Do not run it!
    o *If it is not on your Desktop, the below will not work.
  • Click on then Run....
  • Now copy & paste the green bolded text in the run-box and click OK.

    ComboFix /Uninstall



    <Notice the space between the "x" and "/".> <--- It needs to be there
    Windows Vista users: Press the Windows Key + R to bring the Run... Command and then from there you can add in the Combofix /Uninstall


  • Please advise if this step is missed for any reason as it performs some important actions:
    "This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.
    It also makes a clean Restore Point and flushes all the old restore points in order to prevent possible reinfection from an old one through system restore".


2.
Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2


We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

CODE
Killall::

File::
c:\windows\System32\var
c:\windows\wdskctl.exe
c:\windows\System32\zwebauth.dll
c:\windows\SYSTEM32\DRIVERS\ethbupjn.sys
c:\program files\Toolbar\TBPSSvc.exe

Folder::
c:\program files\Toolbar

DDS::
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Nita Fuller\Start Menu\Programs\IMVU\Run IMVU.lnk

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"var NN4=d.layers?"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"} el"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"var strT"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"var strP"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"var d=docum"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"if(!NN"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"function redirec"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"<nofra"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"<META HTTP-EQUIV=Pragma CONTENT=no-cac"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"<body leftmargin=0 topmargin=0 marginwidth=0 marginheight=0 bgcolor=#ffff"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"<body bgcolor=#ffffff text=#0000"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"#search"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"#relatedsear"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wdskctl"=-

Driver::
ethbupjn
TBPSSvc


Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif
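The CFScript above removes Run values whose names are fragments of an HTML page and a non-default DLL from the SecurityProviders list. The Python below is an added example, not code from this thread, ComboFix or BleepingComputer, showing how a defender can pick those entries out of a ComboFix-style "Reg Loading Points" dump automatically instead of by eye. It assumes ComboFix's line format (`"name"="data"` followed by `[date size]`, or `[X]` when the file is missing) and uses the four DLLs of a stock Windows XP SecurityProviders value as its baseline; the sample dump is a trimmed, constructed copy of lines in the format of the log posted later in this thread.

```python
"""Flag suspicious autorun and SecurityProviders entries in a ComboFix-style
"Reg Loading Points" dump.  Added example; not code from this thread, ComboFix
or BleepingComputer.  Input format and the XP SSP baseline are assumptions."""
import re
from dataclasses import dataclass

# The four DLLs in a stock Windows XP SecurityProviders value (assumed baseline);
# anything else is loaded into LSASS at boot and must be explained.
XP_DEFAULT_SSPS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}
# Characters that cannot appear in a Windows path: Run data holding them can
# never launch a program, so the value is almost certainly injected junk.
BAD_PATH_CHARS = set('<>"|?*')
# Value names that read like HTML, JavaScript or a comment rather than a program.
MARKUP_HINT = re.compile(r"[<>(){};]|^\s*(//|var\b|function\b|if\b)")

# ComboFix prints a Run value as  "name"="data" [yyyy-mm-dd size]  or  [X]
# when the referenced file does not exist.
RUN_LINE = re.compile(r'^"(?P<name>.*?)"="(?P<data>.*)"\s+\[(?P<meta>[^\]]*)\]\s*$')
KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
SSP_LINE = re.compile(r"^SecurityProviders\s+(?P<dlls>.+)$", re.IGNORECASE)

# Constructed sample: trimmed lines in the format of the ComboFix log in this thread.
SAMPLE_DUMP = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"<META HTTP-EQUIV=Pragma CONTENT=no-cac"="c:\windows\System32\<META HTTP-EQUIV=Pragma CONTENT=no-cache>" [X]
"<body bgcolor=#ffffff text=#0000"="c:\windows\System32\<body bgcolor=#ffffff text=#000000>" [X]
""="top.location.replace(strTemp);" [X]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2003-09-19 294912]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-04-24 4616192]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
'''


@dataclass
class Finding:
    key: str
    entry: str
    reasons: list


def run_value_reasons(name: str, data: str, meta: str) -> list:
    """Return the reasons a single Run value looks injected (empty if it looks normal)."""
    reasons = []
    if not name.strip():
        reasons.append("empty value name")
    elif MARKUP_HINT.search(name):
        reasons.append("value name looks like HTML/JavaScript, not a program")
    if BAD_PATH_CHARS & set(data):
        reasons.append("data contains characters illegal in a path")
    if meta.strip() == "X":
        reasons.append("target file does not exist")
    return reasons


def audit_dump(text: str) -> list:
    """Walk the dump and collect findings for Run keys and the SecurityProviders value."""
    findings, key = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := KEY_LINE.match(line)):
            key = m.group("key")
            continue
        if (m := SSP_LINE.match(line)):
            for dll in (d.strip().lower() for d in m.group("dlls").split(",")):
                if dll and dll not in XP_DEFAULT_SSPS:
                    findings.append(Finding(key, dll, ["non-default DLL in SecurityProviders"]))
            continue
        m = RUN_LINE.match(line)
        if m and key.lower().endswith("\\run"):
            reasons = run_value_reasons(m.group("name"), m.group("data"), m.group("meta"))
            if reasons:
                findings.append(Finding(key, m.group("name") or "(empty name)", reasons))
    return findings


if __name__ == "__main__":
    for f in audit_dump(SAMPLE_DUMP):
        print(f"{f.key}\n  {f.entry!r}: {'; '.join(f.reasons)}")
```

On the sample it reports the three HTML/JavaScript Run values (each also flagged because its "path" can never exist) and zwebauth.dll in SecurityProviders, while the Dell, NVIDIA and BCMSMMSG entries pass. The SecurityProviders check is the one worth keeping in a toolbox: a DLL added there runs inside LSASS and sees every logon, so it does not need a Run entry at all.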


#12 godawgs

godawgs
  • Topic Starter

  • Security Colleague
  • 38 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:26 AM

Posted 11 April 2010 - 08:57 PM

fireman4it
Thanks for the reply. I knew I screwed something up. I have left her computer for the day, so it will be tomorrow before I can get back there. I assume you still want the Eset.log and a new DDS.txt. And the machine is running pretty close to normal as far as I can tell, except for all the crap that's still listed in the Start-up tab of msconfig. And the System32 folder that opens every time any user logs on.

While you are waiting for me to get those... Your revelation about the nature of the consequences regarding the backdoor virus found on her computer brings up a VERY important question concerning my desktop at home. When I first started trying to help her, I was having to download the programs needed to find the problem to my computer, burn them to a CD and then take that to her computer to copy the files onto her computer and run them. I used that CD twice. Once for the original burn, and once for a subsequent burn. After running those programs and getting the original 3 logs required for posting, I burned the logs to a clean CD on her computer and brought it back to my computer to post them. That was the only time that I used that CD. My question is... is there any possibility that those actions infected my computer? My desktop system is Windows XP Home 32 bit SP3 fully updated. AV program updated daily, firewall, Malwarebytes, Spybot S&D, Spywareblaster etc.
I really need this question answered.
Thanks
godawgs

#13 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:10:26 AM

Posted 11 April 2010 - 09:27 PM

Hello,
QUOTE
While you are waiting for me to get those... Your revelation about the nature of the consequences regarding the backdoor virus found on her computer brings up a VERY important question concerning my desktop at home. When I first started trying to help her, I was having to download the programs needed to find the problem to my computer, burn them to a CD and then take that to her computer to copy the files onto her computer and run them. I used that CD twice. Once for the original burn, and once for a subsequent burn. After running those programs and getting the original 3 logs required for posting, I burned the logs to a clean CD on her computer and brought it back to my computer to post them. That was the only time that I used that CD. My question is... is there any possibility that those actions infected my computer? My desktop system is Windows XP Home 32 bit SP3 fully updated. AV program updated daily, firewall, Malwarebytes, Spybot S&D, Spywareblaster etc.
I really need this question answered.


I really doubt it, since you were only downloading logs or .txt files to the CD from the infected computer to yours.
Now if you downloaded files from the infected machine to yours such as .jpeg, .jpg, .exe, .scr, something like that, then yes, you may have infected yourself.


Yes please run all tools and post all logs previously requested.

Edited by fireman4it, 11 April 2010 - 09:28 PM.
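The answer above draws the line at what kind of file crossed on the CD: plain-text logs versus executables and media. As an added example, not from this thread or any tool in it, the Python below classifies files by their leading bytes rather than by extension, so a "log" that is really a PE image, or a report saved with a double extension, stands out before anyone double-clicks it. The sample file set is constructed inline; the `sniff` heuristics (MZ, PK and JPEG magic plus a printable-ASCII ratio) are my assumptions and not a complete file-type identifier.

```python
"""Classify files copied from a suspect machine by content, not extension.
Added example; not code from this thread or any tool it mentions.  The magic
numbers and thresholds below are assumptions, not a complete identifier."""
import os
import string

PRINTABLE = set(string.printable.encode("ascii"))
TEXT_EXTS = {".txt", ".log"}
RISKY_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".jar", ".dll"}


def sniff(data: bytes) -> str:
    """Return 'pe', 'zip', 'jpeg', 'text' or 'binary' from the leading bytes."""
    if data[:2] == b"MZ":            # DOS/PE header: .exe, .scr and .dll all start this way
        return "pe"
    if data[:2] == b"PK":            # ZIP container, which is also what a .jar is
        return "zip"
    if data[:3] == b"\xff\xd8\xff":  # JPEG start-of-image marker
        return "jpeg"
    sample = data[:4096]
    if sample and b"\x00" not in sample and \
            sum(b in PRINTABLE for b in sample) / len(sample) > 0.95:
        return "text"
    return "binary"


def audit_media(files: dict) -> list:
    """One record per file: name, extension, sniffed kind and the problems found."""
    report = []
    for name, data in files.items():
        ext = os.path.splitext(os.path.basename(name))[1].lower()
        kind = sniff(data)
        problems = []
        if ext in RISKY_EXTS:
            problems.append(f"executable extension {ext}")
        if kind in ("pe", "zip"):
            problems.append(f"content is a {kind} container")
        elif kind != "text":
            problems.append(f"content is {kind}, not a plain-text report")
        if ext not in TEXT_EXTS and not problems:
            problems.append(f"unexpected extension {ext or '(none)'} for a text file")
        report.append({"name": name, "ext": ext, "kind": kind, "problems": problems})
    return report


def safe_to_open(report: list) -> list:
    """Names of files that are plain text and named as such."""
    return [r["name"] for r in report if not r["problems"]]


# Constructed sample files standing in for what was burned to the CD.
SAMPLE_FILES = {
    "DDS.txt": b"DDS (Ver_10-03-17.01) - NTFSx86\r\nRun by System Admin at 15:49:31.25\r\n",
    "Attach.txt": b"============== Pseudo HJT Report ===============\r\nuStart Page = hxxp://att.net/\r\n",
    "vacation.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF" + bytes(32),
    "ESETscan.txt": b"MZ\x90\x00\x03\x00\x00\x00" + bytes(64),    # PE image misnamed as text
    "combofix.txt.scr": b"ComboFix 10-04-12.01 - System Admin\r\n",  # double extension
    "Install_AIM.exe": b"MZ" + bytes(128),
}

if __name__ == "__main__":
    for rec in audit_media(SAMPLE_FILES):
        status = "ok" if not rec["problems"] else "; ".join(rec["problems"])
        print(f"{rec['name']:<20} {rec['kind']:<7} {status}")
```

Run on the sample, only DDS.txt and Attach.txt come back clean; the misnamed PE, the double-extension screensaver, the JPEG and the installer are each flagged with the reason. The point is the order of checks: content first, extension second, because the extension is the one thing an attacker controls completely.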



#14 godawgs

godawgs
  • Topic Starter

  • Security Colleague
  • 38 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:26 AM

Posted 12 April 2010 - 03:11 PM

fireman4it,

Here are the latest logs you requested.

ComboFix.TXT

ComboFix 10-04-12.01 - System Admin 04/12/2010 13:05:47.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.273 [GMT -4:00]
Running from: c:\documents and settings\System Admin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\System Admin\Desktop\CFScript.txt


FILE ::
"c:\program files\Toolbar\TBPSSvc.exe"
"c:\windows\SYSTEM32\DRIVERS\ethbupjn.sys"
"c:\windows\System32\var"
"c:\windows\System32\zwebauth.dll"
"c:\windows\wdskctl.exe"
.


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.


c:\program files\Dynamic Toolbar
c:\windows\SYSTEM32\DRIVERS\ethbupjn.sys
c:\windows\System32\zwebauth.dll
c:\windows\wdskctl.exe


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.


-------\Legacy_TBPSSVC
-------\Service_ethbupjn
-------\Service_TBPSSvc



((((((((((((((((((((((((( Files Created from 2010-03-12 to 2010-04-12 )))))))))))))))))))))))))))))))
.


2010-04-11 18:29 . 2010-04-11 18:29 -------- d-----w- c:\windows\system32\KB905474
2010-04-11 18:29 . 2009-03-11 02:26 1403264 ----a-w- c:\windows\system32\KB905474\wganotifypackageinner.exe
2010-04-11 18:29 . 2009-03-11 02:18 453512 ----a-w- c:\windows\system32\KB905474\wgasetup.exe
2010-04-11 18:21 . 2004-08-04 04:56 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2010-04-10 23:42 . 2010-04-11 16:43 -------- d-----w- c:\documents and settings\System Admin\Local Settings\Application Data\Google
2010-04-10 20:00 . 2010-04-10 20:00 -------- d-----w- c:\documents and settings\System Admin\Application Data\Malwarebytes
2010-04-09 02:34 . 2010-04-09 02:34 -------- d-----w- c:\documents and settings\System Admin\Local Settings\Application Data\Help
2010-04-04 22:49 . 2010-04-04 22:49 -------- d-----w- c:\documents and settings\Larry Fuller\Application Data\Malwarebytes
2010-04-04 21:08 . 2010-04-04 21:08 -------- d-----w- c:\documents and settings\Nick Fuller\Application Data\Malwarebytes
2010-04-04 16:46 . 2010-04-04 16:46 -------- d-----w- c:\documents and settings\Nita Fuller_2\Application Data\Malwarebytes
2010-04-04 16:30 . 2010-03-29 19:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-04 16:30 . 2010-04-04 23:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-04 16:30 . 2010-04-04 16:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-04 16:30 . 2010-03-29 19:24 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-04 16:12 . 2010-04-04 16:12 -------- d-----w- c:\documents and settings\Nita Fuller_2\Application Data\Corel
2010-04-03 23:15 . 2004-08-04 04:56 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-04-03 23:15 . 2001-08-18 02:36 23040 ----a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-04-03 23:15 . 2001-08-18 02:37 27648 ----a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-04-03 23:15 . 2001-08-18 02:36 17408 ----a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-04-03 23:15 . 2001-08-18 02:37 4608 ----a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-04-03 23:15 . 2001-08-18 02:37 99865 ----a-w- c:\windows\system32\dllcache\xlog.exe
2010-04-03 23:15 . 2001-08-17 16:11 16970 ----a-w- c:\windows\system32\dllcache\xem336n5.sys
2010-04-03 23:15 . 2004-08-04 04:56 8192 ----a-w- c:\windows\system32\dllcache\wshirda.dll
2010-04-03 23:13 . 2004-08-04 03:08 25600 ----a-w- c:\windows\system32\dllcache\usbser.sys
2010-04-03 23:12 . 2002-08-29 10:00 101376 ----a-w- c:\windows\system32\dllcache\srusbusd.dll
2010-04-03 23:11 . 2001-08-17 18:56 245632 ----a-w- c:\windows\system32\dllcache\s3savmx.dll
2010-04-03 23:10 . 2001-08-18 02:36 16384 ----a-w- c:\windows\system32\dllcache\philcam1.dll
2010-04-03 23:09 . 2001-08-17 18:56 35392 ----a-w- c:\windows\system32\dllcache\n9i128.dll
2010-04-03 23:08 . 2001-08-17 16:19 48768 ----a-w- c:\windows\system32\dllcache\maestro.sys
2010-04-03 23:07 . 2001-08-17 17:47 13056 ----a-w- c:\windows\system32\dllcache\inport.sys
2010-04-03 23:06 . 2001-08-18 02:36 89088 ----a-w- c:\windows\system32\dllcache\hpgt33.dll
2010-04-03 23:05 . 2001-08-17 17:50 144896 ----a-w- c:\windows\system32\dllcache\epcfw2k.sys
2010-04-03 23:04 . 2001-08-18 02:36 27648 ----a-w- c:\windows\system32\dllcache\cyyports.dll
2010-04-03 23:03 . 2001-08-18 02:36 32256 ----a-w- c:\windows\system32\dllcache\diapi2NT.dll
2010-04-03 23:02 . 2002-08-29 10:00 9216 ----a-w- c:\windows\system32\dllcache\authfilt.dll
2010-04-03 23:01 . 2002-08-29 10:00 7168 ----a-w- c:\windows\system32\dllcache\wamregps.dll
2010-04-03 23:01 . 2001-08-17 18:56 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll
2010-04-03 23:01 . 2002-08-29 10:00 7680 ----a-w- c:\windows\system32\dllcache\inetmgr.exe
2010-04-03 23:01 . 2002-08-29 10:00 19968 ----a-w- c:\windows\system32\dllcache\inetsloc.dll
2010-04-03 23:01 . 2002-08-29 10:00 169984 ----a-w- c:\windows\system32\dllcache\iisui.dll
2010-04-03 23:01 . 2002-08-29 10:00 6144 ----a-w- c:\windows\system32\dllcache\ftpsapi2.dll
2010-04-03 23:01 . 2002-08-29 10:00 5632 ----a-w- c:\windows\system32\dllcache\iisrstap.dll
2010-04-03 23:01 . 2002-08-29 10:00 14336 ----a-w- c:\windows\system32\dllcache\iisreset.exe


.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-11 20:11 . 2006-06-27 13:01 -------- d-----w- c:\program files\Shockwave.com
2010-04-11 18:22 . 2010-04-11 18:22 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2010-04-11 18:22 . 2010-04-11 18:22 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2010-04-10 23:45 . 2003-12-16 22:01 -------- d-----w- c:\program files\Google
2010-04-05 00:10 . 2007-07-22 19:31 -------- d-----w- c:\program files\Nick Arcade
2010-03-27 22:17 . 2008-01-06 14:37 -------- d-----w- c:\program files\MySpace
2010-03-11 12:38 . 2004-02-06 22:05 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-09-03 22:50 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2002-08-29 10:00 17408 ----a-w- c:\windows\system32\corpol.dll
2006-03-25 23:10 . 2006-03-25 23:10 774144 ----a-w- c:\program files\RngInterstitial.dll
2006-03-16 00:43 . 2006-03-26 23:54 4286 ----a-w- c:\program files\wrench.ico
2006-03-15 20:46 . 2006-03-26 23:54 4286 ----a-w- c:\program files\GameFly.ico
2006-01-24 20:40 . 2006-03-26 23:54 3262 ----a-w- c:\program files\jamster.ico
.


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-23 68856]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"<META HTTP-EQUIV=Pragma CONTENT=no-cac"="c:\windows\System32\<META HTTP-EQUIV=Pragma CONTENT=no-cache>" [X]
"<body leftmargin=0 topmargin=0 marginwidth=0 marginheight=0 bgcolor=#ffff"="c:\windows\System32\<body leftmargin=0 topmargin=0 marginwidth=0 marginheight=0 bgcolor=#ffffff>" [X]
"<body bgcolor=#ffffff text=#0000"="c:\windows\System32\<body bgcolor=#ffffff text=#000000>" [X]
""="top.location.replace(strTemp);" [X]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2003-09-19 294912]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-07-14 180269]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-29 413696]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-04-24 4616192]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-14 28672]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]
"Dell AIO Printer A940"="c:\program files\Dell AIO Printer A940\dlbabmgr.exe" [2003-02-08 86102]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]


c:\documents and settings\Larry Fuller\Start Menu\Programs\Startup\
Remote Assistance.lnk - c:\windows\SYSTEM32\rcimlby.exe [2002-8-29 35840]


c:\documents and settings\Nick Fuller\Start Menu\Programs\Startup\
Remote Assistance.lnk - c:\windows\SYSTEM32\rcimlby.exe [2002-8-29 35840]


c:\documents and settings\All Users\Start Menu\Programs\Startup\
Motorola Wireless USB Adapter.lnk - c:\program files\Motorola Wireless\WU830G USB Adapter 1\Startup.EXE [2006-2-2 24576]


[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll


[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\ccpm_0237.exe"=
"c:\\Program Files\\MSN\\MSNCoreFiles\\msn6.exe"=
"c:\\Program Files\\Motorola Wireless\\WU830G USB Adapter 1\\WLUSBCfg.exe"=
"c:\\WINDOWS\\SYSTEM32\\fxsclnt.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=


[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service


S3 wind502u;Motorola Wireless USB Adapter WU830G Windows Driver;c:\windows\SYSTEM32\DRIVERS\wind502u.sys [2/2/2006 2:08 AM 336256]
.
Contents of the 'Scheduled Tasks' folder


2008-12-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 22:57]


2003-10-15 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 04:56]


2010-04-12 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-04-11 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://att.net/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = hxxp://localhost;
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Nita Fuller\Start Menu\Programs\IMVU\Run IMVU.lnk
.


**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-12 13:16
Windows 5.1.2600 Service Pack 2 NTFS


scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???x???x???????????????????x???????????x???x???????????x???????????x???x??????????? ??????????????????????????????w????????????j??w????x???x??????????????


scanning hidden files ...

scan completed successfully
hidden files: 0


**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"document.write ('<iframe width=\"720\" height=\"300\" frameborder=\"0\" scrolling=\"NO\" marginwidth=\"0\" marginheight=\"0\" src=\"
http://ads.partner2profit.com/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]\"></iframe>');"
"document.write('<ilayer width=\"720\" height=\"300\" left=\"0\" top=\"0\" visibility=\"SHOW\" src=\"
http://ads.partner2profit.com/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]\"></ilayer>');"
"<title>beneditutti.com</title><meta name=\"keywords\" content=\"beneditutti.com\"><meta name=\"description\" content=\"Search the web at beneditutti.com\"><meta name=\"robots\" content=\"INDEX, FOLLOW\"><meta name=\"revisit-after\" content=\"10\"><meta http-equiv=\"Content-Type\" content=\"text/html; charset=iso-8859"=expand:"c:\\WINDOWS\\System32\\<title>beneditutti.com</title><meta name=\"keywords\" content=\"beneditutti.com\"><meta name=\"description\" content=\"Search the web at beneditutti.com\"><meta name=\"robots\" content=\"INDEX, FOLLOW\"><meta name=\"revisit-after\" content=\"10\"><meta http-equiv=\"Content-Type\" content=\"text/html; charset=iso-8859-1\">"
"<script language=\"javascript\" type=\"text/javascri"="c:\\WINDOWS\\System32\\<script language=\"javascript\" type=\"text/javascript\">"
"<META HTTP-EQUIV=\"Pragma\" CONTENT=\"no-cac"="c:\\WINDOWS\\System32\\<META HTTP-EQUIV=\"Pragma\" CONTENT=\"no-cache\">"
"<frame src=\"
http://searchportal.information.com/?a_id=761&domainname=beneditutti.com&adultfilter=o"="c:\\WINDOWS\\System32\\<frame src=\"http://searchportal.information.com/?a_id=761&domainname=beneditutti.com&adultfilter=off\">"
"<body leftmargin=\"0\" topmargin=\"0\" marginwidth=\"0\" marginheight=\"0\" bgcolor=\"#ffff"="c:\\WINDOWS\\System32\\<body leftmargin=\"0\" topmargin=\"0\" marginwidth=\"0\" marginheight=\"0\" bgcolor=\"#ffffff\">"
"<body bgcolor=\"#ffffff\" text=\"#0000"="c:\\WINDOWS\\System32\\<body bgcolor=\"#ffffff\" text=\"#000000\">"
" top.location.replace(strTe"="c:\\WINDOWS\\System32\\\09top.location.replace(strTemp);"
.
--------------------- DLLs Loaded Under Running Processes ---------------------


- - - - - - - > 'explorer.exe'(2968)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\System32\CTsvcCDA.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\System32\nvsvc32.exe
c:\windows\System32\MsPMSPSv.exe
c:\windows\system32\fxssvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\BCMSMMSG.exe
c:\program files\Dell AIO Printer A940\dlbabmon.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Motorola Wireless\WU830G USB Adapter 1\OdHost.exe
c:\program files\Motorola Wireless\WU830G USB Adapter 1\WLUSBCfg.exe
.
**************************************************************************
.
Completion time: 2010-04-12 13:22:35 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-12 17:22


Pre-Run: 59,377,459,200 bytes free
Post-Run: 59,318,915,072 bytes free

ESETscan.TXT

C:\Documents and Settings\Nick Fuller\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-23a5260f.zip probably a variant of Win32/Agent trojan deleted - quarantined
C:\Documents and Settings\Nick Fuller\Desktop\Install_AIM.exe Win32/Adware.WBug.A application deleted - quarantined
C:\Documents and Settings\Nick Fuller\My Documents\Monopoly3Setup-dm.exe Win32/Adware.Trymedia application cleaned by deleting - quarantined
C:\Documents and Settings\Nick Fuller\My Documents\My Music\BearShareV6.exe a variant of Win32/Adware.Softomate.AE application deleted - quarantined
C:\Documents and Settings\Nick Fuller\My Documents\My Music\sinstaller2.exe Win32/Adware.Comet application deleted - quarantined
C:\Downloads\granny_paradiseSetup-dm[1].exe Win32/Adware.Trymedia application cleaned by deleting - quarantined
C:\Downloads\Monopoly3Setup-dm[1].exe Win32/Adware.Trymedia application cleaned by deleting - quarantined
C:\Program Files\BearShare\Installer\BSInstall5.2.5.1.exe multiple threats deleted - quarantined
C:\Program Files\Common Files\fozi\fozip.exe Win32/Adware.Xupiter application cleaned by deleting - quarantined
C:\Program Files\Common Files\fozi\fozid\vocabulary Win32/TrojanDownloader.TSUpdate.J trojan cleaned by deleting - quarantined
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq70.tmp Win32/TrojanDownloader.Dyfica.DU trojan cleaned by deleting - quarantined
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq76.tmp a variant of Win32/TrojanDownloader.IstBar trojan cleaned by deleting - quarantined
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq78.tmp Win32/Uploader.R application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\[4]-Submit_2010-04-12_13.05.36.zip a variant of Win32/SpamTool.Rlsloup.B trojan deleted - quarantined
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP3\A0003291.exe Win32/Adware.WBug.A application deleted - quarantined
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP3\A0003292.exe Win32/Adware.Trymedia application cleaned by deleting - quarantined
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP3\A0003293.exe Win32/Adware.Trymedia application cleaned by deleting - quarantined
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP3\A0003294.exe Win32/Adware.Xupiter application cleaned by deleting - quarantined
C:\WINDOWS\5l8pns1v.exe a variant of Win32/Adware.SAHAgent application cleaned by deleting - quarantined
C:\WINDOWS\nnbumigp.dll Win32/TrojanDownloader.Skoob.C trojan cleaned by deleting - quarantined
C:\WINDOWS\SMS-Stadt-sst-11958.exe a variant of Win32/Dialer.StarDialer application cleaned by deleting - quarantined
C:\WINDOWS\ssupreme.exe Win32/Adware.MegaSearch application deleted - quarantined
C:\WINDOWS\SYSTEM32\DrPMon.dll_tobedeleted probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\SYSTEM32\gaaifc8d.exe a variant of Win32/Adware.SAHAgent application cleaned by deleting - quarantined
C:\WINDOWS\SYSTEM32\imkcsief.dll Win32/Adware.SAHAgent application cleaned by deleting - quarantined
C:\WINDOWS\SYSTEM32\ormrsbdj.dll Win32/Golid.A trojan cleaned by deleting - quarantined


- - End Of File - - 174E6A218500AE53597D1F5985FDB3D8

DDS.TXT


DDS (Ver_10-03-17.01) - NTFSx86
Run by System Admin at 15:49:31.25 on Mon 04/12/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.252 [GMT -4:00]



============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Motorola Wireless\WU830G USB Adapter 1\OdHost.exe
C:\Program Files\Motorola Wireless\WU830G USB Adapter 1\WLUSBCfg.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\System Admin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://att.net/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = hxxp://localhost;
mURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn4\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: REALBAR: {4e7bd74f-2b8d-469e-c0ff-fd60b590a87d} - c:\progra~1\common~1\real\toolbar\realbar.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: ST: {9394ede7-c8b5-483e-8773-474bf36af6e4} - c:\program files\msn apps\st\01.03.0000.1005\en-xu\stmain.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: MSNToolBandBHO: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\msn toolbar\01.02.5000.1021\en-us\msntb.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
TB: MSN: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\msn toolbar\01.02.5000.1021\en-us\msntb.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn4\yt.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: AIM Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [DwlClient] c:\program files\common files\dell\eusw\Support.exe
mRun: [document.write ('<iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2profit.com/abs_adserve....iframe>');
mRun: [document.write('<ilayer width="720" height="300" left="0" top="0" visibility="SHOW" src="http://ads.partner2profit.com/abs_adserve....ilayer>');
mRun: [<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="Search the web at beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859] c:\windows\system32\<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="Search the web at beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_02\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [diagent] "c:\program files\creative\sblive\diagnostics\diagent.exe" startup
mRun: [Dell AIO Printer A940] "c:\program files\dell aio printer a940\dlbabmgr.exe"
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [<title>advertisement</ti] c:\windows\system32\<title>advertisement</title>
mRun: [<script language="javascript" type="text/javascri] c:\windows\system32\<script language="javascript" type="text/javascript">
mRun: [<META HTTP-EQUIV="Pragma" CONTENT="no-cac] c:\windows\system32\<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
mRun: [<frame src="http://searchportal.information.com/?a_id=...p;adultfilter=o] c:\windows\system32\<frame src="http://searchportal.information.com/?a_id=...adultfilter=off">
mRun: [<body leftmargin="0" topmargin="0" marginwidth="0" marginheight="0" bgcolor="#ffff] c:\windows\system32\<body leftmargin="0" topmargin="0" marginwidth="0" marginheight="0" bgcolor="#ffffff">
mRun: [<body bgcolor="#ffffff" text="#0000] c:\windows\system32\<body bgcolor="#ffffff" text="#000000">
mRun: [</scr] c:\windows\system32\</script>
mRun: [</nofra] c:\windows\system32\</noframes>
mRun: [</h] c:\windows\system32\</html>
mRun: [</frame] c:\windows\system32\</frameset>
mRun: [</b] c:\windows\system32\</body>
mRun: [// Browser Detec] c:\windows\system32\// Browser Detection
mRun: [ top.location.replace(strTe REG_SZ ] top.location.replace(strTemp);
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\motoro~1.lnk - c:\program files\motorola wireless\wu830g usb adapter 1\Startup.EXE
mPolicies-explorer: <NO NAME> =
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\nita fuller\start menu\programs\imvu\Run IMVU.lnk
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} - hxxp://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1094246790546
DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} - hxxp://www.streamaudio.com/download/ccpm_0237.cab
DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} - hxxp://zone.msn.com/bingame/pacz/default/pandaonline.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} - hxxp://zone.msn.com/bingame/dsh2/default/DinerDash2.1.0.0.55.cab
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} - hxxp://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {95D88B35-A521-472B-A182-BB1A98356421} - hxxp://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} - hxxp://zone.msn.com/binGame/ZAxRcMgr.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} - hxxp://zone.msn.com/bingame/shpo/default/shapo.cab
DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab34035.cab
DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - hxxp://fdl.msn.com/zone/datafiles/heartbeat.cab
DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} - hxxp://asp.mathxl.com/books/_Players/MathPlayer.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

============= SERVICES / DRIVERS ===============

S3 wind502u;Motorola Wireless USB Adapter WU830G Windows Driver;c:\windows\system32\drivers\wind502u.sys [2006-2-2 336256]

============== File Associations ===============

.txt=RapidCSS.Document

=============== Created Last 30 ================

2010-04-12 17:36:14 0 d-----w- c:\program files\ESET
2010-04-12 17:27:05 0 d-----w- c:\program files\Dynamic Toolbar
2010-04-12 17:04:15 98816 ----a-w- c:\windows\sed.exe
2010-04-12 17:04:15 77312 ----a-w- c:\windows\MBR.exe
2010-04-12 17:04:15 261632 ----a-w- c:\windows\PEV.exe
2010-04-12 17:04:15 161792 ----a-w- c:\windows\SWREG.exe
2010-04-12 17:04:09 0 d-----w- C:\ComboFix
2010-04-11 18:29:03 0 d-----w- c:\windows\system32\KB905474
2010-04-11 18:22:08 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2010-04-11 18:22:07 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2010-04-11 18:21:25 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2010-04-11 17:05:55 0 d-sha-r- C:\cmdcons
2010-04-10 20:00:29 0 d-----w- c:\docume~1\system~1\applic~1\Malwarebytes
2010-04-04 16:30:11 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-04 16:30:08 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-04 16:30:08 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-04 16:30:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-03 23:15:26 23040 ----a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-04-03 23:15:26 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-04-03 23:15:25 27648 ----a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-04-03 23:15:25 17408 ----a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-04-03 23:15:22 4608 ----a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-04-03 23:15:07 99865 ----a-w- c:\windows\system32\dllcache\xlog.exe
2010-04-03 23:15:06 28288 ----a-w- c:\windows\system32\dllcache\xjis.nls
2010-04-03 23:15:05 16970 ----a-w- c:\windows\system32\dllcache\xem336n5.sys
2010-04-03 23:15:00 8192 ----a-w- c:\windows\system32\dllcache\wshirda.dll
2010-04-03 23:13:59 25600 ----a-w- c:\windows\system32\dllcache\usbser.sys
2010-04-03 23:12:59 99328 ----a-w- c:\windows\system32\dllcache\srusd.dll
2010-04-03 23:11:59 75392 ----a-w- c:\windows\system32\dllcache\s3savmxm.sys
2010-04-03 23:10:59 16384 ----a-w- c:\windows\system32\dllcache\philcam1.dll
2010-04-03 23:09:59 52255 ----a-w- c:\windows\system32\dllcache\n1000nt5.sys
2010-04-03 23:08:59 48768 ----a-w- c:\windows\system32\dllcache\maestro.sys
2010-04-03 23:07:59 13056 ----a-w- c:\windows\system32\dllcache\inport.sys
2010-04-03 23:06:59 89088 ----a-w- c:\windows\system32\dllcache\hpgt33.dll
2010-04-03 23:05:59 144896 ----a-w- c:\windows\system32\dllcache\epcfw2k.sys
2010-04-03 23:04:59 50176 ----a-w- c:\windows\system32\dllcache\cyyport.sys
2010-04-03 23:03:59 32256 ----a-w- c:\windows\system32\dllcache\diapi2NT.dll
2010-04-03 23:02:57 9216 ----a-w- c:\windows\system32\dllcache\authfilt.dll
2010-04-03 23:01:42 7168 ----a-w- c:\windows\system32\dllcache\wamregps.dll
2010-04-03 23:01:31 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll
2010-04-03 23:01:08 7680 ----a-w- c:\windows\system32\dllcache\inetmgr.exe
2010-04-03 23:01:08 19968 ----a-w- c:\windows\system32\dllcache\inetsloc.dll
2010-04-03 23:01:07 169984 ----a-w- c:\windows\system32\dllcache\iisui.dll
2010-04-03 23:01:06 6144 ----a-w- c:\windows\system32\dllcache\ftpsapi2.dll
2010-04-03 23:01:06 5632 ----a-w- c:\windows\system32\dllcache\iisrstap.dll
2010-04-03 23:01:06 14336 ----a-w- c:\windows\system32\dllcache\iisreset.exe
2010-04-03 23:00:52 94720 ----a-w- c:\windows\system32\dllcache\certmap.ocx

==================== Find3M ====================

2010-03-10 13:18:21 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2010-03-10 13:18:20 70656 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2010-02-23 05:20:02 634648 ----a-w- c:\windows\system32\dllcache\iexplore.exe
2010-02-23 05:18:28 161792 ----a-w- c:\windows\system32\dllcache\ieakui.dll
2006-03-25 23:10:04 774144 ----a-w- c:\program files\RngInterstitial.dll
2006-03-16 00:43:14 4286 ----a-w- c:\program files\wrench.ico
2006-03-15 20:46:06 4286 ----a-w- c:\program files\GameFly.ico
2006-01-24 20:40:58 3262 ----a-w- c:\program files\jamster.ico

============= FINISH: 15:50:17.68 ===============

Let me know what's next.
Thanks.



#15 fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:10:26 AM

Posted 12 April 2010 - 06:46 PM

Hello,

1.
Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older-version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 18 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u18-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

2.
Please download Malwarebytes Anti-Malware (v1.44) and save it to your desktop. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

3.
Please run a BitDefender Online Scan
  • Click I Agree to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click Click here to scan to begin the scan.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on Click here to export the scan results.
  • Save the report to your desktop so you can post it in your next reply.

4.
I don't see an antivirus program running on your machine.
  • Download and install an antivirus program, and make sure that you keep it updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Two good antivirus programs free for non-commercial home use are Avast! and Antivir
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

5.
Please download the self-extracting version of HijackThis from here:

HijackThis Installer Download

Save HJTInstall.exe to your desktop.

Double-click the file then click the Install button.

The file will be extracted to C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
A shortcut for future use will also be created on your desktop and the Intro Frame of HijackThis will open.

Click Do a system scan and save a log file. Copy the entire contents of that log and post it here by clicking the Add Reply button.

Please use the shortcut to run the extracted HijackThis.exe from now on.

Things to include in your next reply:
MBAM log
Bitdefender log
HiJackThis log
A new DDS log
How is your machine running now?


"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!
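One way to pull the Java version clues out of a DDS log like the one posted above, as an added example that is not part of this thread or of any tool named in it. The SAMPLE_LOG lines are constructed copies of entries from the posted log; the CLSID layout is Sun's static-versioning scheme for the Java plug-in, and the 6 Update 18 target is the release the reply asks for.

```python
"""Find Java version clues in DDS log lines (added example, not from the thread).

The Java plug-in registers a static CLSID of the form
CAFEEFAC-00MN-00PP-00UU-ABCDEFFEDCBA for JRE M.N.P update UU; the all-F
variant means "latest available" and carries no version. A DPF line therefore
records which installer CAB was fetched at some point, while an IE line that
loads ssv.dll from a jreM.N.P_UU folder shows the JRE actually registered with IE.
"""
import re

# Constructed sample: copies of the kinds of lines in the log posted above.
SAMPLE_LOG = r"""
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
"""

# Static CLSID: major, minor, micro and update as two-digit fields.
STATIC_CLSID = re.compile(r"\{CAFEEFAC-00(\d)(\d)-00(\d\d)-00(\d\d)-ABCDEFFEDCBA\}", re.I)
# Install folder such as \jre1.6.0_02\ inside a path.
JRE_DIR = re.compile(r"\\jre(\d+)\.(\d+)\.(\d+)_(\d+)\\", re.I)

TARGET = (1, 6, 0, 18)  # "JDK 6 Update 18" named in the reply above


def java_versions(log_text):
    """Map (major, minor, micro, update) -> where in the log it was seen."""
    found = {}
    for line in log_text.splitlines():
        tag = line.split(":", 1)[0]
        m = STATIC_CLSID.search(line)
        if tag == "DPF" and m:
            # Installer was fetched once; only the IE line proves it is registered.
            found.setdefault(tuple(int(x) for x in m.groups()), "installer CAB recorded (DPF)")
        m = JRE_DIR.search(line)
        if tag == "IE" and m:
            found[tuple(int(x) for x in m.groups())] = "registered with IE (ssv.dll)"
    return found


def outdated(versions, target=TARGET):
    """Versions older than target, written the way the thread writes them (1.6.0_02)."""
    return sorted(f"{a}.{b}.{c}_{d:02d}" for (a, b, c, d) in versions if (a, b, c, d) < target)
```

A DPF entry only shows that an installer was downloaded at some point, so the Add/Remove Programs list remains the authority on what is still installed; this just tells you which versions to look for there.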

