BSOD, Kloob, now limited internet: XP Pro SP3


This topic is locked
9 replies to this topic

#1 JamesMacF

Posted 20 April 2010 - 11:08 AM

I've been working on this computer for a couple of days now, and here is where I stand:
Win XP Pro SP3
initial complaint: BSOD on log in. message something about IRP STACK. stop code of 0x0000000035 (not sure on # of 0's, but did end in 35).
I discovered this only happened when the network cable was plugged in, so unplugged it and was able to log in. Ran antivirus (Vipre Enterprise) and came across some Trojan, but not Kloob... was able to clean that. Still BSOD when cable was plugged in. Had an older version of MalwareBytes and a current version of SpywareBlaster (4.3) and SpybotS&D (1.6.2) on a thumbdrive, so installed them (sort of... SpybotS&D wouldn't install because it couldn't download the files needed for installation). MBAM found Worm.Koobface and cleaned it on reboot.
We had issues with Vipre on another system, so I deleted that off this system, and lo and behold I no longer get the BSOD. I have Avira Rescue CD and scanned with that and found Kloob. It couldn't clean it, but was able to manually clean the infected files by deleting the IE Temporary Internet Files and turning off System Restore (which is still off). After that it was coming up clean.
BUT... I still cannot go to certain websites, such as safer-networking or malwarebytes, but I can get to mozilla, google, and msn. Tried the XP TCP repair, but that didn't work. That makes me think there is still something left over (or something else entirely) in the system, and that brings me here.
I am attaching the DDS and GMER files as instructed in the Prep Guide.
Thanks for any and all help.
James



DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 11:26:07.90 on Tue 04/20/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1648 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k termsv
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kodak\AiO\center\KodakSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Kodak\AiO\Center\EKDiscovery.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Documents and Settings\administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [Client Access Service] "c:\program files\ibm\client access\cwbsvstr.exe"
mRun: [Client Access Help Update] "c:\program files\ibm\client access\cwbinhlp.exe"
mRun: [Client Access Check Version] "c:\program files\ibm\client access\cwbckver.exe" LOGIN
mRun: [Client Access Express Welcome] "c:\program files\ibm\client access\cwbwlwiz.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Conime] %windir%\system32\conime.exe
mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: TruePass CAPI 8,0,030,417 - hxxps://tplogin.loweslink.com/TruePassSampleApp/servlets/AppletDownloadServlet/entrusttruepassapplet-capi.cab
DPF: TruePass CAPI 8,0,030,624 - hxxps://tplogin.loweslink.com/TruePassSampleApp/servlets/AppletDownloadServlet/entrusttruepassapplet-capi.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1271704391668
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://hunterdouglas.webex.com/client/T27L/webex/ieatgpc.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\n01f7wdz.default\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 afwoko;ICM Web USB Echo WIBU-SYSTEMS Usermode and SSL Asychronous;c:\windows\system32\drivers\okomoh.sys [2008-3-5 32768]
R2 dpti3o;Hook E-mail WebCheckChannelAgent Search;c:\windows\system32\svchost.exe -k termsv [2002-9-3 14336]
R2 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2002-9-3 14336]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\kodak\aio\center\EKDiscovery.exe [2009-1-19 279960]
R2 KodakSvc;Kodak AiO Device Service;c:\program files\kodak\aio\center\KodakSvc.exe [2009-1-19 38296]
S1 SBRE;SBRE;\??\c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]

=============== Created Last 30 ================

2010-04-20 13:56:05 0 d-----w- c:\program files\XP TCPIP Repair
2010-04-19 19:23:01 0 d-----w- c:\windows\system32\Cache
2010-04-19 19:17:46 0 d-----w- C:\Inetpub
2010-04-19 18:10:41 0 d-----w- c:\program files\SpywareBlaster
2010-04-19 17:45:55 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-19 17:45:54 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-19 17:45:54 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-19 16:36:40 932 ----a-w- c:\windows\system32\AgentSettings.xml
2010-04-13 13:09:22 0 ----a-w- c:\windows\fs1235.dat
2010-04-13 13:06:50 1 ---h--w- c:\windows\bk23567.dat
2010-04-13 13:06:50 1 ----a-w- c:\windows\fdgg34353edfgdfdf
2010-04-09 15:13:14 0 d-----w- c:\docume~1\alluse~1\applic~1\Sunbelt
2010-04-09 15:12:34 0 d-----w- c:\program files\MSECache
2010-04-09 15:11:06 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2010-04-09 14:59:32 221184 ----a-w- c:\windows\system32\wmpns.dll

==================== Find3M ====================

2010-03-09 08:28:20 411368 ----a-w- c:\windows\system32\deploytk.dll

============= FINISH: 11:26:38.95 ===============

Edited by JamesMacF, 20 April 2010 - 11:19 AM.

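The SERVICES / DRIVERS section of the log above holds the entries a malware responder reads first: a kernel driver whose file name has nothing to do with its service name (`afwoko` loading `okomoh.sys`), and a service hosted by svchost.exe under a `-k` group that Windows XP does not define (`termsv`, one letter short of the real `termsvcs`). DDS also prints `Hosts:` lines when the hosts file has non-default entries, which is the first place to look when only security-vendor sites are unreachable while google and mozilla load. The Python script below is an added example, not part of this thread and not DDS code; it runs those three heuristics over DDS-style lines. The set of stock svchost groups and the vendor-domain list are assumptions (representative, not exhaustive), and the sample input mixes lines from the log above with constructed `Hosts:` lines.

```python
"""Triage heuristics for DDS-style log lines (added example, not DDS code).

Flags three things a responder otherwise checks by eye:
  1. a kernel driver whose .sys file name is unrelated to its service name
  2. a service hosted by svchost.exe under a -k group that is not a stock
     Windows XP group (lookalikes such as "termsv" vs. "termsvcs")
  3. Hosts: lines that override a security-vendor domain, which is what
     makes malwarebytes / safer-networking unreachable while google works
"""
import re
from dataclasses import dataclass

# Assumption: representative stock svchost -k groups on Windows XP SP3,
# lower-cased; not exhaustive, extend it for the image you are looking at.
KNOWN_SVCHOST_GROUPS = {
    "dcomlaunch", "rpcss", "netsvcs", "networkservice", "localservice",
    "imgsvc", "termsvcs", "httpfilter", "wudfservicegroup",
}

# Assumption: domains whose hosts-file override is almost never legitimate.
SECURITY_VENDOR_DOMAINS = (
    "malwarebytes", "safer-networking", "spywareinfo", "bleepingcomputer",
    "windowsupdate", "symantec", "mcafee", "avira", "kaspersky",
)

# "R1 name;description;command [date size]" as DDS prints it
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<cmd>.*?)"
    r"(?:\s+\[(?P<meta>[^\]]*)\])?\s*$"
)
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
SVCHOST_K_RE = re.compile(r"svchost(?:\.exe)?\s+-k\s+(\S+)", re.IGNORECASE)
SYS_NAME_RE = re.compile(r"([\w-]+)\.sys\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    subject: str
    detail: str


def check_service(line_no, m):
    name = m["name"].strip()
    cmd = m["cmd"]
    out = []
    # Heuristic 1: legitimate drivers are normally named after their service
    # (mbam -> mbam.sys, SBRE -> SBREdrv.sys); random droppers are not.
    sys_names = SYS_NAME_RE.findall(cmd)
    if sys_names:
        base = sys_names[-1].lower()   # last match wins for "a --> b" lines
        short = name.lower()
        if not (base.startswith(short) or short.startswith(base)):
            out.append(Finding(line_no, "driver-name-mismatch", name,
                               f"service {name!r} loads {sys_names[-1]}.sys"))
    # Heuristic 2: an svchost -k group must be one the OS actually defines.
    k = SVCHOST_K_RE.search(cmd)
    if k and k.group(1).lower() not in KNOWN_SVCHOST_GROUPS:
        out.append(Finding(line_no, "svchost-group", name,
                           f"unknown svchost group {k.group(1)!r}"))
    return out


def check_hosts(line_no, m):
    # Heuristic 3: any hosts-file entry for a security vendor is suspect,
    # whether it points at loopback or at an attacker-controlled address.
    host = m["host"].lower()
    if any(v in host for v in SECURITY_VENDOR_DOMAINS):
        return [Finding(line_no, "hosts-vendor-override", m["host"],
                        f"{m['host']} -> {m['ip']}")]
    return []


def triage(log_text):
    """Run the heuristics over every line; returns findings in log order."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = SERVICE_RE.match(line)
        if m:
            findings.extend(check_service(line_no, m))
            continue
        m = HOSTS_RE.match(line)
        if m:
            findings.extend(check_hosts(line_no, m))
    return findings


# Sample input: the first five lines are from the DDS log in the post above;
# the Hosts: lines are constructed to exercise the vendor-override check.
SAMPLE_LOG = r"""R1 afwoko;ICM Web USB Echo WIBU-SYSTEMS Usermode and SSL Asychronous;c:\windows\system32\drivers\okomoh.sys [2008-3-5 32768]
R2 dpti3o;Hook E-mail WebCheckChannelAgent Search;c:\windows\system32\svchost.exe -k termsv [2002-9-3 14336]
R2 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2002-9-3 14336]
R2 KodakSvc;Kodak AiO Device Service;c:\program files\kodak\aio\center\KodakSvc.exe [2009-1-19 38296]
S1 SBRE;SBRE;\??\c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
Hosts: 127.0.0.1 www.malwarebytes.org
Hosts: 127.0.0.1 www.safer-networking.org
Hosts: 10.0.0.5 intranet.example.local
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no:>3}  {f.kind:<22} {f.detail}")
```

The name-mismatch rule is deliberately loose (prefix match either way) so that vendor drivers like `SBREdrv.sys` for service `SBRE` pass while `okomoh.sys` for `afwoko` does not; it is a triage aid, and anything it flags still needs the file hash and signer checked before deletion.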


#2 Blade (Site Admin)

Posted 25 April 2010 - 01:58 PM

Hello, and welcome to the Malware Removal forum! My online alias is Blade Zephon, or Blade for short, and I will be assisting you with your malware issues!

If you have since resolved the original problem you were having, we would appreciate you letting us know.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Before we begin cleaning your machine, I'd like to lay out some guidelines for us to follow while we are working together.
  • I will be assisting you with your malware issues. This may or may not resolve other problems you are having with your computer. If you are still having problems after your machine has been determined clean, I will be glad to direct you to the proper forum for assistance.
  • Even if things appear better, that does not mean we are finished. Please continue to follow my instructions until I give you the all clean. Absence of symptoms does not mean that all the malware has been removed. If a piece of the infection is left, it can regenerate and reinfect your machine.
  • Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • I ask that you please refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. If you act independently it will cause changes to your system that I will not be aware of, which will make the process of cleaning the machine a much slower and more difficult process. Additionally, some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you are unsure or confused about any instructions I give you, you should ask me to clarify before doing anything. Additionally, if you run into any problems while carrying out instructions, you should STOP and reply back here explaining what happened.
  • After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. If you need additional time, that is perfectly alright; you just need to let us know beforehand.

***************************************************

Please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

~Blade



#3 JamesMacF (Topic Starter)

Posted 26 April 2010 - 08:14 AM

Thank you, Blade. Yes, I am still here.
I have run a lot of different scanners/tools on this system. I have a lot of the problem resolved, but would like to make sure we have it all, or at least as much as possible. But first things first...
We are deploying a new A/V solution throughout our network. This particular unit was at a remote location, so I did not have anything to do with that aspect of it. A day or so later, the user was complaining about getting error messages and not being able to log on. So I had the unit sent up to me. It would boot up fine as long as there was no network connected... if connected it would BSOD with some message about an IRP STACK and Stop Code of 0x0000000035 (see original post for more detail on this). I was able to get Spyware Blaster and an older version of MBAM loaded on it with a thumbdrive, so I scanned it with those and got a hit on Koobface and some other Trojans or Worms. I have an antivirus recovery disc from Avira(?) that I also ran on it, and it cleaned up some of this stuff also.
Anyways, the system now will boot up with the network attached, but I don't have any a/v on it, and while the scans are coming up clean, I am not wholly sure of it yet... so am leaving it unattached for the moment.

>>>>>>>

DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 8:55:42.15 on Mon 04/26/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1543 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kodak\AiO\center\KodakSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Kodak\AiO\Center\EKDiscovery.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\userinit.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\IBM\Client Access\cwbckver.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Documents and Settings\administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [Client Access Service] "c:\program files\ibm\client access\cwbsvstr.exe"
mRun: [Client Access Help Update] "c:\program files\ibm\client access\cwbinhlp.exe"
mRun: [Client Access Check Version] "c:\program files\ibm\client access\cwbckver.exe" LOGIN
mRun: [Client Access Express Welcome] "c:\program files\ibm\client access\cwbwlwiz.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Conime] %windir%\system32\conime.exe
mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: TruePass CAPI 8,0,030,417 - hxxps://tplogin.loweslink.com/TruePassSampleApp/servlets/AppletDownloadServlet/entrusttruepassapplet-capi.cab
DPF: TruePass CAPI 8,0,030,624 - hxxps://tplogin.loweslink.com/TruePassSampleApp/servlets/AppletDownloadServlet/entrusttruepassapplet-capi.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1271704391668
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://hunterdouglas.webex.com/client/T27L/webex/ieatgpc.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\n01f7wdz.default\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\kodak\aio\center\EKDiscovery.exe [2009-1-19 279960]
R2 KodakSvc;Kodak AiO Device Service;c:\program files\kodak\aio\center\KodakSvc.exe [2009-1-19 38296]
S1 SBRE;SBRE;\??\c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]

=============== Created Last 30 ================

2010-04-22 16:16:44 98816 ----a-w- c:\windows\sed.exe
2010-04-22 16:16:44 77312 ----a-w- c:\windows\MBR.exe
2010-04-22 16:16:44 261632 ----a-w- c:\windows\PEV.exe
2010-04-22 16:16:44 161792 ----a-w- c:\windows\SWREG.exe
2010-04-20 13:56:05 0 d-----w- c:\program files\XP TCPIP Repair
2010-04-19 19:17:46 0 d-----w- C:\Inetpub
2010-04-19 18:10:41 0 d-----w- c:\program files\SpywareBlaster
2010-04-19 17:45:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-19 17:45:54 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-19 17:45:54 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-19 16:36:40 932 ----a-w- c:\windows\system32\AgentSettings.xml
2010-04-09 15:13:14 0 d-----w- c:\docume~1\alluse~1\applic~1\Sunbelt
2010-04-09 15:12:34 0 d-----w- c:\program files\MSECache
2010-04-09 15:11:06 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2010-04-09 14:59:32 221184 ----a-w- c:\windows\system32\wmpns.dll

==================== Find3M ====================

2010-03-09 08:28:20 411368 ----a-w- c:\windows\system32\deploytk.dll

============= FINISH: 8:56:29.50 ===============

>>>>>>>>>

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 3/22/2007 3:20:20 PM
System Uptime: 4/26/2010 8:49:18 AM (0 hours ago)

Motherboard: Dell Inc. | | 0M3918
Processor: Intel® Pentium® 4 CPU 2.80GHz | Microprocessor | 2793/800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 153 GiB total, 147.375 GiB free.
D: is CDROM ()
E: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 4/22/2010 12:16:49 PM - System Checkpoint
RP2: 4/23/2010 12:21:25 PM - System Checkpoint

==== Installed Programs ======================

Acrobat.com
Adobe AIR
Adobe Download Manager 2.2 (Remove Only)
Adobe Flash Player 10 ActiveX
Adobe Reader 9.3.2
aiofw
aioprnt
aioscnnr
Bonjour
C4USelfUpdater
center
Compatibility Pack for the 2007 Office system
Dell Resource CD
Hotfix for Windows XP (KB952287)
IBM iSeries Access for Windows
Intel® Graphics Media Accelerator Driver
Intel® PRO Network Connections Drivers
Java Auto Updater
Java™ 6 Update 19
KODAK All-in-One Printer Software
ksDIP
Lexmark Printer Software Uninstall
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional
Microsoft Silverlight
Microsoft SQL Server Desktop Engine
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (3.6.3)
PreReq
Security Update for CAPICOM (KB931906)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 8 (KB917734)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB958644)
Sentinel Protection Installer 7.1.1
SoundMAX
Spelling Dictionaries Support For Adobe Reader 9
Spybot - Search & Destroy
SpywareBlaster 4.3
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
WebEx
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
XP TCP/IP Repair

==== Event Viewer Messages From Past Week ========

4/23/2010 5:21:45 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the JavaQuickStarterService service.
4/22/2010 5:18:16 PM, error: DCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {D851F103-8C90-4321-AFF0-58BA5BD421C2} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be modified using the Component Services administrative tool.
4/22/2010 12:27:00 PM, error: PlugPlayManager [11] - The device Root\LEGACY_AFWOKO\0000 disappeared from the system without first being prepared for removal.
4/22/2010 1:06:33 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
4/19/2010 3:15:05 PM, error: EventLog [6004] - A driver packet received from the I/O subsystem was invalid. The data is the packet.
4/19/2010 3:12:19 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SBRE
4/19/2010 2:48:14 PM, error: NETLOGON [5719] - No Domain Controller is available for domain VP due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
4/19/2010 2:40:57 PM, error: System Error [1003] - Error code 00000035, parameter1 8a057008, parameter2 00000000, parameter3 00000000, parameter4 00000000.
4/19/2010 2:21:31 PM, error: System Error [1003] - Error code 00000035, parameter1 89bcfa28, parameter2 00000000, parameter3 00000000, parameter4 00000000.
4/19/2010 11:37:20 AM, error: System Error [1003] - Error code 00000035, parameter1 89c81410, parameter2 00000000, parameter3 00000000, parameter4 00000000.
4/19/2010 11:23:49 AM, error: System Error [1003] - Error code 00000035, parameter1 89de5230, parameter2 00000000, parameter3 00000000, parameter4 00000000.
4/19/2010 1:16:09 PM, error: System Error [1003] - Error code 00000035, parameter1 88e4c8f0, parameter2 00000000, parameter3 00000000, parameter4 00000000.

==== End Of File ===========================

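The "Event Viewer Messages" block in the DDS log above carries the three facts that matter for this case: five Event 1003 crash summaries with error code 00000035, an Event 7026 showing the boot-start driver SBRE failing to load, and an Event 10016 DCOM permission error identified only by CLSID. Bugcheck 0x35 is NO_MORE_IRP_STACK_LOCATIONS (IoCallDriver was handed an IRP with no stack location left for the next driver in the stack), and parameter1 in those messages is the address of the offending IRP. The following is an added example, not code from the thread or from DDS: it queries the System event log directly for those event IDs and decodes them. It assumes PowerShell 2.0 or later on the affected machine, run from an administrator account so the System log is readable; the function name is this example's own, and the suggestion that SBRE is the leftover Sunbelt (VIPRE) driver is an inference from the Sunbelt folder in the DDS listing, not something the thread states.

```powershell
# Added example, not part of the original thread or of DDS. Assumes
# PowerShell 2.0+ run as an administrator on the machine being examined.

# Bugcheck names for the codes seen in this thread. 0x35 is
# NO_MORE_IRP_STACK_LOCATIONS: an IRP ran out of stack locations on its way
# down the device stack, the classic symptom of a filter driver that was added
# to, or torn out of, a stack inconsistently.
$bugcheckNames = @{ '00000035' = 'NO_MORE_IRP_STACK_LOCATIONS' }

function Get-RecentSystemErrors {
    param([int]$Days = 7)
    $since  = (Get-Date).AddDays(-$Days)
    $errors = Get-EventLog -LogName System -EntryType Error -After $since

    # Event 1003 / source "System Error": written after a crash dump is saved.
    # Message: "Error code <bugcheck>, parameter1 <p1>, ...". For 0x35,
    # parameter1 is the address of the IRP that ran out of stack locations.
    $crashes = foreach ($e in ($errors | Where-Object { $_.EventID -eq 1003 })) {
        if ($e.Message -match 'Error code ([0-9a-fA-F]{8}), parameter1 ([0-9a-fA-F]{8})') {
            $code = $matches[1]
            $name = 'unknown'
            if ($bugcheckNames.ContainsKey($code)) { $name = $bugcheckNames[$code] }
            New-Object PSObject -Property @{
                Time = $e.TimeGenerated; Code = "0x$code"; Name = $name; Irp = "0x$($matches[2])"
            }
        }
    }

    # Event 7026 / Service Control Manager: boot-start or system-start drivers
    # that failed to load. In this thread's log that is "SBRE"; given the
    # Sunbelt folder in the DDS listing, this is plausibly the VIPRE driver
    # left registered after the product was deleted (inference, not stated).
    $failedDrivers = foreach ($e in ($errors | Where-Object { $_.EventID -eq 7026 })) {
        if ($e.Message -match 'failed to load:\s*([\s\S]+)$') {
            $matches[1] -split '\s+' | Where-Object { $_ -ne '' }
        }
    }

    # Event 10016 / DCOM: resolve the CLSID in the message to the registered
    # server name so the "Local Launch permission" complaint can be attributed.
    $dcom = foreach ($e in ($errors | Where-Object { $_.EventID -eq 10016 })) {
        if ($e.Message -match 'CLSID\s*(\{[0-9A-Fa-f-]{36}\})') {
            $clsid  = $matches[1]
            $key    = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid" -ErrorAction SilentlyContinue
            $server = 'not registered'
            if ($key -and $key.'(default)') { $server = $key.'(default)' }
            New-Object PSObject -Property @{ Time = $e.TimeGenerated; Clsid = $clsid; Server = $server }
        }
    }

    New-Object PSObject -Property @{
        Crashes       = @($crashes | Sort-Object Time)
        FailedDrivers = @($failedDrivers | Sort-Object -Unique)
        Dcom          = @($dcom)
    }
}

$report = Get-RecentSystemErrors -Days 7
$report.Crashes | Format-Table Time, Code, Name, Irp -AutoSize
"Drivers that failed to load: " + ($report.FailedDrivers -join ', ')
$report.Dcom | Format-Table Time, Clsid, Server -AutoSize
```

The useful cross-check is the one the thread reached by hand: a bugcheck that only fires with the network cable attached, next to a network-filtering security product whose driver no longer loads cleanly, points at the filter driver stack rather than at the worm payload itself. Removing the product and then confirming that no further Event 1003 entries appear with the cable connected is the test that matters.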

#4 Blade (Site Admin)

Posted 27 April 2010 - 12:11 PM

Hello JamesMacF

Let's run a couple more scans and see if anything pops up.

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (uncheck all others):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". When logging in, do NOT log in under the account titled "Admin" or "Administrator"

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
~Blade


In your next reply, please include the following:
SUPERAntiSpyware log

Edited by Blade Zephon, 27 April 2010 - 12:12 PM.

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#5 JamesMacF (Topic Starter)

Posted 27 April 2010 - 02:29 PM

Blade,

As I am 'administrator' on this computer, I had to create a user account to run the scan under. While doing this, I came across an account on here under Local Users named 'IUSR_SRQWKS011' (SRQWKS011 is the computer name) with a full name of 'Internet Guest Account' and description of 'Built-in account for anonymous access to Internet Information Services'. I haven't seen this account on any other machine here, and have never personally heard of it... is there any valid reason it should be on this computer or at a minimum should I at least disable it?

Now for your log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/27/2010 at 03:20 PM

Application Version : 4.35.1002

Core Rules Database Version : 4856
Trace Rules Database Version: 2668

Scan type : Complete Scan
Total Scan Time : 00:38:53

Memory items scanned : 149
Memory threats detected : 0
Registry items scanned : 5132
Registry threats detected : 0
File items scanned : 21002
File threats detected : 0

>>>>>

James
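The IUSR_SRQWKS011 question above is never answered in the thread, so here is the check a practitioner would run. It is an added example, not from the original posts. IIS setup creates IUSR_<COMPUTERNAME> as the anonymous web-access account, so on an XP Pro workstation it is only expected when the optional IIS component is installed, which also registers the World Wide Web Publishing service (W3SVC). The script assumes PowerShell 2.0 or later on the machine, run as a local administrator; the function and parameter names are this example's own.

```powershell
# Added example, not part of the original thread. Assumes PowerShell 2.0+
# run as a local administrator on the machine being examined.

function Test-IisAnonymousAccount {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [switch]$Disable        # report only unless explicitly asked to disable
    )

    $expected = "IUSR_$ComputerName"

    # The WinNT ADSI provider enumerates local accounts on XP (Get-LocalUser
    # does not exist there).
    $machine = [ADSI]"WinNT://$ComputerName"
    $iusrAccounts = @($machine.Children |
        Where-Object { $_.SchemaClassName -eq 'user' -and ([string]$_.Name) -like 'IUSR_*' })

    # IIS 5.1 on XP registers the World Wide Web Publishing service as W3SVC.
    $iisInstalled = ($null -ne (Get-Service -Name W3SVC -ErrorAction SilentlyContinue))

    foreach ($user in $iusrAccounts) {
        $name     = [string]$user.Name
        $disabled = [bool]$user.psbase.InvokeGet('AccountDisabled')

        # Three cases worth telling apart:
        #   IIS absent           -> leftover from a removed IIS install; disable it
        #   name != expected     -> created under another hostname (renamed or cloned machine); investigate
        #   IIS present, name ok -> the normal IIS anonymous account; leave it
        if (-not $iisInstalled)      { $verdict = 'IIS not installed: disable' }
        elseif ($name -ne $expected) { $verdict = 'hostname mismatch: investigate' }
        else                         { $verdict = 'expected IIS anonymous account' }

        if ($Disable -and -not $iisInstalled -and -not $disabled) {
            # Disable rather than delete: the SID and any ACEs that reference it stay intact.
            $user.psbase.InvokeSet('AccountDisabled', $true)
            $user.psbase.CommitChanges()
            $disabled = $true
        }

        New-Object PSObject -Property @{
            Account      = $name
            Description  = [string]$user.Description
            IisInstalled = $iisInstalled
            Disabled     = $disabled
            Verdict      = $verdict
        }
    }
}

# Report first; add -Disable only once the verdict has been reviewed.
Test-IisAnonymousAccount | Format-Table Account, IisInstalled, Disabled, Verdict -AutoSize
```

The "Internet Guest Account" full name and "Built-in account for anonymous access to Internet Information Services" description quoted in the post are exactly what IIS setup writes, so the account itself is not a sign of compromise; what matters is whether IIS is still installed on a workstation that has no business serving web content, and whether the hostname in the account name matches the machine.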

#6 Blade (Site Admin)

Posted 28 April 2010 - 06:14 PM

Hello JamesMacF:

My apologies... the instructions regarding the administrator account were pointed at users who do not make regular use of the account (as is usually the case). If this account is the one normally used, then please do log in using it. You will need to run the scan again under this account. Sorry for the confusion.

Additionally:

Please download and run HAMeb_check.exe. It will produce a log; please include it in your next reply.

~Blade


In your next reply, please include the following:
HAMeb_check.exe log
SAS log from normal user account.


#7 JamesMacF (Topic Starter)

Posted 29 April 2010 - 09:26 AM

Blade,
The 'regular' user is a domain account, and that account can't log into safe mode. I do have the password to that account, so I can log into it on a regular boot if need be. But usually I am 'administrator' on this computer, and all others here, both in a local sense and a domain sense. And yes, I do have a regular user account on 'my' computer that I normally use day-to-day. :)

Now for the logs:

>>>>>

C:\Documents and Settings\administrator\Desktop\HAMeb_check.exe
Thu 04/29/2010 at 9:03:35.48

Account active No
Local Group Memberships

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll was not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~

>>>>>

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/29/2010 at 10:07 AM

Application Version : 4.35.1002

Core Rules Database Version : 4856
Trace Rules Database Version: 2668

Scan type : Complete Scan
Total Scan Time : 00:55:19

Memory items scanned : 222
Memory threats detected : 0
Registry items scanned : 5135
Registry threats detected : 0
File items scanned : 31726
File threats detected : 167

Adware.Tracking Cookie
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@22squaredlfg.112.2o7[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@247realmedia[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@2o7[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@a1.interclick[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@account.alltel[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@ad.wsod[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@ad.yieldmanager[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@adbrite[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@adecn[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@adinterax[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@adlegend[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@adopt.euroclick[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@adopt.specificclick[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@ads.addynamix[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@ads.associatedcontent[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@ads.bridgetrack[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@ads.cnn[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@ads.lucidmedia[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@ads.monster[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@ads.pointroll[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@ads.scrapbook[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@ads.shutterfly[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@ads.undertone[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@ads.wheresgeorge[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@adserver.adtechus[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@adserving.contextualmarketplace[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@adtech[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@advertising.sheknows[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@americanheart.122.2o7[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@andomedia[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@at.atwola[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@azjmp[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@bannerfountain[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@banners.battleon[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@bizrate[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@bs.serving-sys[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@cabsbanner348[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@cb.adbureau[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@cdn4.specificclick[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@chacha.112.2o7[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@chitika[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@classmates.112.2o7[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@collective-media[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@content.yieldmanager[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@counter.surfcounters[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@d.mediaforceads[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@dc.tremormedia[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@dmtracker[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@e-2dj6wbl4wodpcbq.stats.esomniture[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@e-2dj6wfk4clcpolo.stats.esomniture[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@e-2dj6wfk4kgcjwgo.stats.esomniture[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@e-2dj6wfkyqidjabq.stats.esomniture[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@e-2dj6wfliugajafo.stats.esomniture[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@e-2dj6wfloaoc5obo.stats.esomniture[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@e-2dj6wgk4knd5gap.stats.esomniture[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@e-2dj6wgkiwldjcko.stats.esomniture[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@e-2dj6whlowgcjwlq.stats.esomniture[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@e-2dj6wjk4sodzclo.stats.esomniture[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@e-2dj6wjkoqgcjodq.stats.esomniture[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@e-2dj6wjkyoncjcko.stats.esomniture[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@e-2dj6wjliwjajeho.stats.esomniture[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@e-2dj6wjlyspd5mfo.stats.esomniture[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@e-2dj6wjmywgczmkq.stats.esomniture[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@e-2dj6wmliwgdpeep.stats.esomniture[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@e-2dj6wnloeocjodp.stats.esomniture[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@eas.apm.emediate[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@edge.ru4[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@eharmony.112.2o7[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@electronicarts.112.2o7[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@euroclick[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@experianservicescorp.122.2o7[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@extrovert.122.2o7[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@eyewonder[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@gad.adclick.co[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@giftscom.122.2o7[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@hearstmagazines.112.2o7[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@iacas.adbureau[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@idgenterprise.112.2o7[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@insightexpressai[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@interclick[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@invitemedia[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@jibjab.112.2o7[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@kanoodle[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@kontera[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@lfstmedia[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@lockedonmedia[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@lowestpricetrafficschool[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@manateecountyjobs[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@media-general[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@media.curtco[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@media.expedia[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@media.sensis.com[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@media6degrees[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@mediageneral[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@meetupcom.122.2o7[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@microsoftwindows.112.2o7[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@microsoftwlcashback.112.2o7[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@msnaccountservices.112.2o7[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@msnbc.112.2o7[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@msnportal.112.2o7[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@myaccount.verizonwireless[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@myroitracking[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@myweather.112.2o7[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@nextag[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@northwestairlines.112.2o7[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@oddcast[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@olympus.112.2o7[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@overture[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@parentingteens.about[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@peoplefinders[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@perf.overture[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@pluckit.demandmedia[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@pointroll[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@printtracking.fedex[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@pro-market[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@questionmarket[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@questionpro[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@realmedia[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@revsci[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@rotator.adjuggler[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@ru4[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@s.clickability[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@sales.liveperson[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@server.iad.liveperson[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@serving-sys[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@shopping.112.2o7[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@sitestat.mayoclinic[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@snapfish.112.2o7[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@sojern.122.2o7[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@specificclick[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@specificmedia[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@stat.dealtime[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@stat.onestat[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@stats.adbrite[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@statsadv.dada[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@stpetersburgtimes.122.2o7[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@superpages.122.2o7[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@tacoda[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@tag.adknowledge[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@track-trace[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@trackalyzer[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@tracking.admarketplace[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@tracking.keywordmax[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@trafficmp[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@transunioninteractive.122.2o7[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@traveladvertising[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@travidia.112.2o7[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@tribalfusion[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@tripod[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@triviacountry[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@trvlnet.adbureau[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@usatoday1.112.2o7[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@wandascountryhome[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@wastemanagement.122.2o7[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@web4.realtracker[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@windowsmedia[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@www.burstbeacon[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@www.clickmanage[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@www.directnetadvertising[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@www.epitrack[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@www.peoplefinders[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@www.track-trace[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@www.tracklead[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@www.visitor-track[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@xiti[1].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@yieldmanager[2].txt
C:\Documents and Settings\jane.fultz\Cookies\jane.fultz@zillow.adbureau[2].txt
>>>>>

James
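The HAMeb_check log above reports four things: whether the HelpAssistant account is active and has a stray profile, whether termsrv32.dll exists and what the TermService ServiceDll points at, the firewall's GloballyOpenPorts lists for both profiles, and a user-mode versus kernel-mode MBR comparison. The following is an added example, not HAMeb_check's own code and not from the thread: it repeats the first three checks by hand so they can be re-run later without the tool (the MBR comparison is not reproduced, since it needs a kernel-side read). It assumes PowerShell 2.0 or later as a local administrator, and that the registry paths are the ones the log names; the function names are this example's own.

```powershell
# Added example, not part of the original thread and not HAMeb_check's code.
# Assumes PowerShell 2.0+ run as a local administrator.

function Get-HelpAssistantStatus {
    # The log's "Account active" line is net user output; parse the same thing.
    $active = 'account not found'
    foreach ($line in (net user HelpAssistant 2>&1)) {
        if ("$line" -match '^Account active\s+(\S+)') { $active = $matches[1] }
    }
    # A HelpAssistant profile directory is unexpected unless Remote Assistance has been used.
    $profileDir = Join-Path (Split-Path $env:USERPROFILE -Parent) 'HelpAssistant'
    New-Object PSObject -Property @{
        AccountActive  = $active
        ProfilePresent = (Test-Path $profileDir)
    }
}

function Get-TermServiceDll {
    # The Mebroot-era backdoor this tool was written for re-pointed TermService
    # at a patched termsrv32.dll; the stock value is %SystemRoot%\System32\termsrv.dll.
    $p   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters' -ErrorAction SilentlyContinue
    $dll = $null
    if ($p) { $dll = [string]$p.ServiceDll }
    New-Object PSObject -Property @{
        ServiceDll       = $dll
        IsStock          = ($dll -eq '%SystemRoot%\System32\termsrv.dll')
        Termsrv32Present = (Test-Path (Join-Path $env:SystemRoot 'System32\termsrv32.dll'))
    }
}

function Get-GloballyOpenPorts {
    # Empty lists, as in the log above, mean no program-independent holes in the XP firewall.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    foreach ($fwProfile in 'DomainProfile', 'StandardProfile') {
        $key = Get-ItemProperty "$base\$fwProfile\GloballyOpenPorts\List" -ErrorAction SilentlyContinue
        if ($key) {
            # Value names look like "3389:TCP"; data like "3389:TCP:*:Enabled:<description>".
            foreach ($prop in ($key.PSObject.Properties | Where-Object { $_.Name -match '^\d+:(TCP|UDP)$' })) {
                New-Object PSObject -Property @{ Profile = $fwProfile; Port = $prop.Name; Rule = [string]$prop.Value }
            }
        }
    }
}

Get-HelpAssistantStatus | Format-List
Get-TermServiceDll      | Format-List
$ports = @(Get-GloballyOpenPorts)
if ($ports.Count -eq 0) { 'No globally open firewall ports in either profile.' }
else { $ports | Format-Table Profile, Port, Rule -AutoSize }
```

Read against the log above: "Account active No", no HelpAssistant profile, ServiceDll still at termsrv.dll, no termsrv32.dll, and both GloballyOpenPorts lists empty is the clean result, and it matches what the tool printed.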

#8 Blade (Site Admin)

Posted 30 April 2010 - 08:45 AM

Hi James.

Sorry for the delay; finals are this week >.<

All SAS found were tracking cookies, which isn't anything to be worried about, and the other scan I had you run came back clean. I don't see any evidence of further infection here. How's the machine running?

~Blade

Edited by Blade Zephon, 30 April 2010 - 08:45 AM.


#9 JamesMacF (Topic Starter)

Posted 30 April 2010 - 09:00 AM

Blade,

Let's go ahead and close this ticket. Like I said in my first reply, I thought I had finally gotten it, and was mostly wanting some confirmation of that.

I will go ahead and hook it back up to the network and get everything that needs updating updated. I have the system until Monday anyway... will see how it runs over the weekend and go from there.

Thanks so much for your help.

James

#10 Blade (Site Admin)

Posted 30 April 2010 - 09:15 AM

It's my pleasure

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

~Blade
