popups etc. from Trojan & CWS + more

valdezorbust · 06-09-2008, 01:18 PM

When I tried to use Panda Active Scan 2.0 it would never run. Finally on my last try it ran. When I checked it today there was no option to disinfect. When I try to attach the report it fails.

After I ran Zoned out it had failures.

I could not update windows. Automatic updates is disabled but B.I.T.S., and Event log remain "automatic".

When I fix Auto update and refresh the windows update page Automatic updates is disabled again.

I have service pack 2 for XP.

I have a pic on my desktop that says a spyware threat has beeen detected on my pc. Been is spelled beeen.

Spysweeper is still finding things when I am offline.

When I check the quarantine it has trojan and CWS as the highest ranked infections.

The PC is slow and I get lots of popups telling me I have problems with spyware.

I have a popup advertising anti spyware software that uses Internet Explorer when I am offline

Deckard's System Scanner v20071014.68
Run by Jason on 2008-06-09 13:47:38
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 503 MiB (512 MiB recommended).

-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-09 13:47:39
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\iftuyszv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\DLA\DLACTRLW.EXE
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\Lexmark 5400 Series\ezprint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Webroot\Spy Sweeper\ssu.exe
C:\Documents and Settings\Jason\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/advanced_search?hl=en
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: gooochi browser optimizer - {100e949f-811d-1f61-32d1-ee4d1e4cec42} - C:\WINDOWS\system32\{45f32f12-49f1-d857-367f-6465a8586131}.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBHO.dll
O2 - BHO: mysidesearch browser optimizer - {49ab2649-3d07-131d-b912-fe863ead1d5a} - C:\WINDOWS\system32\{b228c613-f9dd-294f-e366-f7443b79c023}.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {63A15705-4E5E-45F3-837C-88777FA1C5AC} - C:\DOCUME~1\Jason\LOCALS~1\Temp\iiffCTNd.dll (file missing)
O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
O2 - BHO: (no name) - {7861DC4C-9DED-4A28-9328-AB9DA6DE292F} - C:\WINDOWS\system32\urqNGwTK.dll (file missing)
O2 - BHO: (no name) - {A1E716C4-D172-4FCB-9C66-21BEF1DD2D44} - C:\WINDOWS\system32\xxyvsRKc.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar3.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Dell\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [DIGServices] "C:\Program Files\ESPNRunTime\DIGServices.exe" /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [lxctmon.exe] "C:\Program Files\Lexmark 5400 Series\lxctmon.exe"
O4 - HKLM\..\Run: [Lexmark 5400 Series Fax Server] "C:\Program Files\Lexmark 5400 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 5400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [MSKDetectorExe] "C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" /uninstall
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\2.bin\m3SrchMn.exe" /m=2 /w
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [{5215c6cd-7eb1-c7b8-c973-9dd56cbc867e}] "C:\WINDOWS\System32\Rundll32.exe" "C:\WINDOWS\system32\{45f32f12-49f1-d857-367f-6465a8586131}.dll" DllStart
O4 - HKLM\..\Run: [74d12944] "rundll32.exe" "C:\WINDOWS\system32\ewrnfpuj.dll",b
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cmds] "rundll32.exe" C:\DOCUME~1\Jason\LOCALS~1\Temp\iiffCTNd.dll,c
O4 - HKCU\..\Run: [SpyEmergency] "C:\Program Files\Spy Emergency 2008\SpyEmergency.exe"
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\mcntnkdm.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...tml?p=ZUfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: https://online.musicmatch.com (HKLM)
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Chessmaster%20Challenge/Images/stg_drm.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/down.../OTOYAX29b.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Chessmaster%20Challenge/Images/armhelper.ocx
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: xxyvsRKc - C:\WINDOWS\system32\xxyvsRKc.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iomega Activity Disk2 - Unknown owner - C:\WINDOWS\system32
O23 - Service: Iomega App Services - Iomega Corporation - C:\Program Files\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxct_device - Unknown owner - C:\WINDOWS\system32\lxctcoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 13585 bytes

-- Files created between 2008-05-09 and 2008-06-09 -----------------------------

2008-06-08 21:15:24 0 d-------- C:\Program Files\SpywareBlaster
2008-06-08 17:07:19 0 d-------- C:\Program Files\Panda Security
2008-06-08 17:03:46 113664 --a------ C:\WINDOWS\system32\fnoffibg.dll
2008-06-08 17:00:42 101376 --a------ C:\WINDOWS\system32\ewrnfpuj.dll
2008-06-08 01:47:21 0 d-------- C:\ie-spyad_zo
2008-06-07 15:58:37 111616 --a------ C:\WINDOWS\system32\lvgddmfn.dll
2008-06-07 00:27:09 200774 --a------ C:\WINDOWS\system32\mcntnkdn.exe
2008-06-07 00:25:21 0 d-------- C:\Documents and Settings\Robert Dixon\Application Data\Webroot
2008-06-07 00:22:06 0 d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-06-07 00:21:41 0 d-------- C:\Program Files\Webroot
2008-06-07 00:21:41 0 d-------- C:\Documents and Settings\Jason\Application Data\Webroot
2008-06-07 00:21:41 0 d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-06-07 00:20:05 164 --a------ C:\install.dat
2008-06-06 23:50:12 88961 --a------ C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
2008-06-06 23:49:58 298311 --a------ C:\WINDOWS\system32\gside.exe
2008-06-06 23:37:25 0 d-------- C:\Documents and Settings\Jason\Application Data\com.zipeg
2008-06-06 23:19:36 40 --a------ C:\WINDOWS\sremcon.dat
2008-06-06 23:17:45 0 d-------- C:\Documents and Settings\Jason\Application Data\Se Analyzer Tool SA
2008-06-06 20:05:09 0 d-------- C:\Documents and Settings\Jason\Application Data\Spy Emergency
2008-06-06 19:57:17 24064 --a------ C:\WINDOWS\x.exe
2008-06-06 19:57:17 17664 --a------ C:\WINDOWS\waol.exe
2008-06-06 19:57:16 11264 --a------ C:\WINDOWS\svcinit.exe
2008-06-06 19:57:16 12544 --a------ C:\WINDOWS\sistem.exe
2008-06-06 19:57:16 8960 --a------ C:\WINDOWS\rundll16.exe
2008-06-06 19:57:16 30976 --a------ C:\WINDOWS\quicken.exe
2008-06-06 19:57:15 29440 --a------ C:\WINDOWS\qttasks.exe
2008-06-06 19:57:14 31744 --a------ C:\WINDOWS\olehelp.exe
2008-06-06 19:57:14 20992 --a------ C:\WINDOWS\notepad32.exe
2008-06-06 19:57:13 30720 --a------ C:\WINDOWS\mssys.exe
2008-06-06 19:57:13 11264 --a------ C:\WINDOWS\msconfd.dll
2008-06-06 19:57:12 10496 --a------ C:\WINDOWS\internet.exe
2008-06-06 19:57:12 18176 --a------ C:\WINDOWS\iexplorer.exe
2008-06-06 19:57:12 24832 --a------ C:\WINDOWS\iedll.exe
2008-06-06 19:57:12 26880 --a------ C:\WINDOWS\explore.exe
2008-06-06 19:57:11 20224 --a------ C:\WINDOWS\editpad.exe
2008-06-06 19:57:10 30208 --a------ C:\WINDOWS\avpcc.dll
2008-06-06 18:59:19 0 d-------- C:\Documents and Settings\Robert Dixon\Application Data\Spy Emergency
2008-06-06 18:59:00 0 d-------- C:\Documents and Settings\All Users\Application Data\NETGATE
2008-06-06 18:48:43 0 d-------- C:\Documents and Settings\Robert Dixon\Application Data\com.zipeg
2008-06-06 18

02 0 d-------- C:\Spy Emergency 2008 5.0.205 (NEW-with serial keys)
2008-06-06 17:58:21 0 d-------- C:\WINDOWS\system32\1449
2008-06-06 17:58:15 55808 --a------ C:\WINDOWS\portsv.exe
2008-06-06 17:28:08 49176 --a------ C:\WINDOWS\system32\jmwnw64s.exe <Not Verified; ; Browser Driver>
2008-06-06 17

10 0 d-------- C:\Documents and Settings\LocalService\Application Data\ESPN
2008-06-06 16:44:37 23808 --a------ C:\WINDOWS\y.exe
2008-06-06 16:44:37 24832 --a------ C:\WINDOWS\xplugin.dll
2008-06-06 16:44:36 31232 --a------ C:\WINDOWS\winmgnt.exe
2008-06-06 16:44:35 15104 --a------ C:\WINDOWS\window.exe
2008-06-06 16:44:35 23552 --a------ C:\WINDOWS\winajbm.dll
2008-06-06 16:44:35 30976 --a------ C:\WINDOWS\win64.exe
2008-06-06 16:44:35 24832 --a------ C:\WINDOWS\win32e.exe
2008-06-06 16:44:34 11520 --a------ C:\WINDOWS\users32.exe
2008-06-06 16:44:34 12544 --a------ C:\WINDOWS\time.exe
2008-06-06 16:44:34 18944 --a------ C:\WINDOWS\systemcritical.exe
2008-06-06 16:44:34 20480 --a------ C:\WINDOWS\systeem.exe
2008-06-06 16:44:33 26624 --a------ C:\WINDOWS\svchost32.exe
2008-06-06 16:44:33 9216 --a------ C:\WINDOWS\searchword.dll
2008-06-06 16:44:32 12800 --a------ C:\WINDOWS\mswsc20.dll
2008-06-06 16:44:32 17152 --a------ C:\WINDOWS\mswsc10.dll
2008-06-06 16:44:31 24576 --a------ C:\WINDOWS\msupdate.exe
2008-06-06 16:44:31 19968 --a------ C:\WINDOWS\msspi.dll
2008-06-06 16:44:31 22272 --a------ C:\WINDOWS\loader.exe
2008-06-06 16:44:30 8704 --a------ C:\WINDOWS\inetinf.exe
2008-06-06 16:44:30 13824 --a------ C:\WINDOWS\helpcvs.exe
2008-06-06 16:44:30 29696 --a------ C:\WINDOWS\gfmnaaa.dll
2008-06-06 16:44:30 22272 --a------ C:\WINDOWS\funny.exe
2008-06-06 16:44:29 13056 --a------ C:\WINDOWS\funniest.exe
2008-06-06 16:44:29 19456 --a------ C:\WINDOWS\explorer32.exe
2008-06-06 16:44:29 13568 --a------ C:\WINDOWS\dnsrelay.dll
2008-06-06 16:44:29 25344 --a------ C:\WINDOWS\directx32.exe
2008-06-06 16:44:28 17920 --a------ C:\WINDOWS\ctfmon32.exe
2008-06-06 16:44:28 21504 --a------ C:\WINDOWS\cpan.dll
2008-06-06 16:44:28 28416 --a------ C:\WINDOWS\clrssn.exe
2008-06-06 16:44:27 12288 --a------ C:\WINDOWS\accesss.exe
2008-06-06 16:33:45 15214 --ahs---- C:\WINDOWS\system32\KTwGNqru.ini2
2008-06-06 16:32:04 147456 --a------ C:\WINDOWS\system32\vbzip10.dll <Not Verified; Info-ZIP; Info-ZIP's WiZ>
2008-06-06 16:30:10 135168 --a------ C:\WINDOWS\TEK76.exe
2008-06-06 16:30:02 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-06-06 16:30:01 862 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-06-06 16:29:36 0 d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2008-06-06 16:29:34 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2008-06-06 16:29:04 4 --a------ C:\WINDOWS\system32\hljwugsf.bin
2008-06-06 16:29:04 401972 --a------ C:\WINDOWS\system32\g41.exe
2008-06-06 16:29:02 0 d--hs---- C:\WINDOWS\Um9iZXJ0IERpeG9u
2008-06-06 16:29:00 87513 --a------ C:\WINDOWS\system32\iftuyszv.exe <Not Verified; Microsoft; XML Media>
2008-06-06 16:28:49 0 d-------- C:\WINDOWS\system32\xrem
2008-06-06 16:28:49 0 d-------- C:\WINDOWS\system32\NMP
2008-06-06 16:28:49 0 d-------- C:\WINDOWS\system32\inet2
2008-06-06 16:28:49 0 d-------- C:\WINDOWS\system32\expo
2008-06-06 16:28:49 0 d-------- C:\WINDOWS\system32\btz
2008-06-06 16:28:49 0 d-------- C:\WINDOWS\system32\105772
2008-06-06 16:28:41 0 d-------- C:\WINDOWS\system32\vntiho18
2008-06-06 16:28:41 0 d-------- C:\Temp
2008-06-04 16:39:24 0 d-------- C:\Documents and Settings\Jason\Application Data\Sonic
2008-06-02 18:38:29 0 d-------- C:\Documents and Settings\Jason\Incomplete
2008-06-02 18:37:32 0 d-------- C:\Documents and Settings\Jason\Application Data\LimeWire
2008-05-27 08:39:38 371200 --a------ C:\WINDOWS\system32\{45f32f12-49f1-d857-367f-6465a8586131}.dll
2008-05-21 09:53:31 0 d-------- C:\Program Files\Audacity
2008-05-21 00:42:41 0 d-------- C:\Program Files\iPod
2008-05-20 21:58:07 0 d-------- C:\Documents and Settings\Robert Dixon\Application Data\LimeWire
2008-05-19 08:55:20 439808 --a------ C:\WINDOWS\system32\{b228c613-f9dd-294f-e366-f7443b79c023}.dll

-- Find3M Report ---------------------------------------------------------------

2008-06-09 13:29:32 0 d-------- C:\Program Files\Lx_cats
2008-06-08 20:54:07 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-08 01:35:22 0 d-------- C:\Program Files\WildTangent
2008-06-02 18:23:10 0 d-------- C:\Program Files\Abbyy FineReader 6.0 Sprint
2008-05-21 00:49:21 0 d-------- C:\Program Files\Apple Software Update
2008-05-21 00:43:33 0 d-------- C:\Program Files\iTunes
2008-05-21 00:40:20 0 d-------- C:\Program Files\QuickTime
2008-04-21 18:46:20 0 d-------- C:\Program Files\Norton 360
2008-04-14 13:08:45 0 d-------- C:\Program Files\DeductionPro 2007
2008-04-14 10:37:07 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-14 10:28:42 249856 --a------ C:\WINDOWS\system32\pdfmona.dll <Not Verified; TODO: <Company name>; TODO: <Product name>>
2008-04-14 10:28:42 51716 --a------ C:\WINDOWS\system32\pdf995mon.dll
2008-04-14 10:28:40 0 d-------- C:\Program Files\PDF995
2008-04-14 10:28:07 0 d-------- C:\Program Files\TaxCut06
2008-04-14 10:27:48 0 d-------- C:\Program Files\TaxCut07

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{100e949f-811d-1f61-32d1-ee4d1e4cec42}]
05/27/2008 08:39 AM 371200 --a------ C:\WINDOWS\system32\{45f32f12-49f1-d857-367f-6465a8586131}.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{49ab2649-3d07-131d-b912-fe863ead1d5a}]
05/19/2008 08:55 AM 439808 --a------ C:\WINDOWS\system32\{b228c613-f9dd-294f-e366-f7443b79c023}.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63A15705-4E5E-45F3-837C-88777FA1C5AC}]
C:\DOCUME~1\Jason\LOCALS~1\Temp\iiffCTNd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6cc1c91a-ae8b-4373-a5b4-28ba1851e39a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7861DC4C-9DED-4A28-9328-AB9DA6DE292F}]
C:\WINDOWS\system32\urqNGwTK.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A1E716C4-D172-4FCB-9C66-21BEF1DD2D44}]
C:\WINDOWS\system32\xxyvsRKc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b847676d-72ac-4393-bfff-43a1eb979352}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e3eebbe8-9cab-4c76-b26a-747e25ebb4c6}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [09/29/2005 02:01 PM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [10/14/2005 08:49 PM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [10/14/2005 08:46 PM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [10/14/2005 08:50 PM]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [10/05/2005 03:12 AM]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [06/10/2005 10:44 AM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [06/10/2005 10:44 AM]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [09/08/2005 05:20 AM]
"DIGServices"="C:\Program Files\ESPNRunTime\DIGServices.exe" [07/14/2006 10:47 AM]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [10/04/2006 04:32 PM]
"lxctmon.exe"="C:\Program Files\Lexmark 5400 Series\lxctmon.exe" [11/22/2006 04:11 AM]
"Lexmark 5400 Series Fax Server"="C:\Program Files\Lexmark 5400 Series\fm3032.exe" [11/22/2006 04:12 AM]
"EzPrint"="C:\Program Files\Lexmark 5400 Series\ezprint.exe" [11/22/2006 04:11 AM]
"LXCTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll" [11/21/2006 07:27 AM]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [08/12/2005 04:16 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/10/2007 12:59 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"My Web Search Bar Search Scope Monitor"="C:\PROGRA~1\MYWEBS~1\bar\2.bin\m3SrchMn.exe" []
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [11/15/2007 10:24 AM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [01/29/2008 06:38 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"{5215c6cd-7eb1-c7b8-c973-9dd56cbc867e}"="C:\WINDOWS\System32\Rundll32.exe" [08/10/2004 05:00 AM]
"74d12944"="rundll32.exe" [08/10/2004 05:00 AM C:\WINDOWS\system32\rundll32.exe]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [01/04/2008 08:56 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [03/15/2007 11:09 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [10/10/2007 10:35 PM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [10/18/2006 08:05 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [08/30/2007 06:43 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 05:00 AM]
"cmds"="rundll32.exe" [08/10/2004 05:00 AM C:\WINDOWS\system32\rundll32.exe]
"SpyEmergency"="C:\Program Files\Spy Emergency 2008\SpyEmergency.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{A1E716C4-D172-4FCB-9C66-21BEF1DD2D44}"= C:\WINDOWS\system32\xxyvsRKc.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvsRKc]
xxyvsRKc.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\DOCUME~1\Jason\LOCALS~1\Temp\iiffCTNd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe

-- End of Deckard's System Scanner: finished at 2008-06-09 13:48:34 ------------

valdezorbust · 06-12-2008, 03:24 PM

CWS_Cassandra, Virtumonde etc. plus many cookies are in quarantine by Spysweeper.

I will try again to attach the Panda scan. DSS never gave me an extra.txt so I can not attach it.

Upload of Activescan failed twice. Main.txt is attached.

Automatic updates for Windows has returned to automatic status.

When I restart the computer I have a message box that says:

"Error loading C:\DOCUME~1\Jason\LOCALS~1\Temp\iiffCTNd.dll

The specified module could not be found"

tetonbob · 06-12-2008, 08:51 PM

What sort of error message do you get when you try to attach the Panda log? Is it a size limitation? If so, try to zip it first, then attach it.

========================

Please run Deckard's System Scanner once again, this time using these instructions:

Click the Windows 'Start' button > Select 'Run' - then copy/paste this into the run box & click OK

"%userprofile%\desktop\dss.exe" /config

Click on "Check All"

Click Scan!

When finished, it shall produce two logs for you. Post those logs in your next reply.

valdezorbust · 06-12-2008, 10:59 PM

I don't have an unzip program. Is there a free one?

tetonbob · 06-12-2008, 11:23 PM

You have Windows XP.

It has a zip function built in.

http://www.bleepingcomputer.com/tuto...torial105.html

To create a ZIP file:

Right click on a file, folder, or selection of files and click on the Send To menu option and then choose Compressed (zipped) Folder. The image below shows the location of these menu items:

After selecting the Compressed (zipped) Folder menu option, the files will be zipped and you should now see a file that ends with .ZIP. The files name will be the name of the folder or file you compressed. If you compressed a selection of files, it will be the name of the first file in that selection.

valdezorbust · 06-12-2008, 11:47 PM

A - ha!

I got it attached.

tetonbob · 06-13-2008, 07:32 AM

Good job!

Please also run the instructions for new Deckard's System Scanner logs.

valdezorbust · 06-13-2008, 04:00 PM

I have tried at least 5 times and I only get main.txt. Nothing is minimized. Do you want the new main.txt?

tetonbob · 06-13-2008, 06:02 PM

Are you running DSS exactly as I have instructed? Or are you just double clicking on it to run it?

valdezorbust · 06-13-2008, 06:31 PM

Deckard's System Scanner v20071014.68
Run by Jason on 2008-06-13 19:26:12
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.

-- Last 1 Restore Point(s) --
1: 2008-06-14 00:26:17 UTC - RP1 - System Checkpoint

Performed disk cleanup.

Total Physical Memory: 503 MiB (512 MiB recommended).

-- HijackThis (run as Jason.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:27:33 PM, on 6/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\Lexmark 5400 Series\ezprint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jason\desktop\dss.exe
C:\PROGRA~1\HIJACK~1\Jason.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: gooochi browser optimizer - {100e949f-811d-1f61-32d1-ee4d1e4cec42} - C:\WINDOWS\system32\{45f32f12-49f1-d857-367f-6465a8586131}.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {63A15705-4E5E-45F3-837C-88777FA1C5AC} - C:\DOCUME~1\Jason\LOCALS~1\Temp\iiffCTNd.dll (file missing)
O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
O2 - BHO: (no name) - {7861DC4C-9DED-4A28-9328-AB9DA6DE292F} - C:\WINDOWS\system32\urqNGwTK.dll (file missing)
O2 - BHO: (no name) - {A1E716C4-D172-4FCB-9C66-21BEF1DD2D44} - C:\WINDOWS\system32\xxyvsRKc.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Dell\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [DIGServices] "C:\Program Files\ESPNRunTime\DIGServices.exe" /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [lxctmon.exe] "C:\Program Files\Lexmark 5400 Series\lxctmon.exe"
O4 - HKLM\..\Run: [Lexmark 5400 Series Fax Server] "C:\Program Files\Lexmark 5400 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 5400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [MSKDetectorExe] "C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" /uninstall
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\2.bin\m3SrchMn.exe" /m=2 /w
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [74d12944] "rundll32.exe" "C:\WINDOWS\system32\ewrnfpuj.dll",b
O4 - HKLM\..\Run: [{5215c6cd-7eb1-c7b8-c973-9dd56cbc867e}] "C:\WINDOWS\System32\Rundll32.exe" "C:\WINDOWS\system32\{45f32f12-49f1-d857-367f-6465a8586131}.dll" DllStart
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cmds] "rundll32.exe" C:\DOCUME~1\Jason\LOCALS~1\Temp\iiffCTNd.dll,c
O4 - HKCU\..\Run: [SpyEmergency] "C:\Program Files\Spy Emergency 2008\SpyEmergency.exe"
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\mcntnkdm.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...tml?p=ZUfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Chessmaster%20Challenge/Images/stg_drm.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/down.../OTOYAX29b.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Chessmaster%20Challenge/Images/armhelper.ocx
O20 - Winlogon Notify: xxyvsRKc - xxyvsRKc.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxct_device - - C:\WINDOWS\system32\lxctcoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 12212 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 iomdisk (Iomega Devices Disk Filter Services) - c:\windows\system32\drivers\iomdisk.sys <Not Verified; Iomega Corporation; Iomega Disk Filter Driver>

S1 fipss - c:\windows\system32\drivers\fipss.sys (file missing)
S3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Iomega App Services - "c:\progra~1\iomega\system32\appservices.exe" <Not Verified; Iomega Corporation; Iomega App Services>

S4 Iomega Activity Disk2 - ""

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Process Modules -------------------------------------------------------------

C:\WINDOWS\explorer.exe (pid 1556)
2008-06-08 17:00:44 101376 --a------ C:\WINDOWS\system32\ewrnfpuj.dll

C:\WINDOWS\system32\rundll32.exe (pid 200)
2008-06-08 17:00:44 101376 --a------ C:\WINDOWS\system32\ewrnfpuj.dll

C:\WINDOWS\system32\rundll32.exe (pid 212)
2008-05-27 08:39:38 371200 --a------ C:\WINDOWS\system32\{45f32f12-49f1-d857-367f-6465a8586131}.dll
2008-06-08 17:00:44 101376 --a------ C:\WINDOWS\system32\ewrnfpuj.dll

-- Scheduled Tasks -------------------------------------------------------------

2008-06-13 06:00:06 1650 --a------ C:\WINDOWS\Tasks\wrSpySweeper_L38E9B5FB0FE04D43A21B5B4CD28F2388.job
2008-06-13 06:00:05 1660 --a------ C:\WINDOWS\Tasks\wrSpySweeper_LDE18B0D720A147F6AA8A9CF1FF09988C.job
2008-06-13 06:00:00 1648 --a------ C:\WINDOWS\Tasks\wrSpySweeper_L8941024205E247B198CE21A4D473D968.job
2008-06-12 12:03:04 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

-- Files created between 2008-05-13 and 2008-06-13 -----------------------------

2008-06-13 00:37:58 0 d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-06-10 00:36:25 0 d-------- C:\Documents and Settings\Haley Dixon\Application Data\Webroot
2008-06-08 21:15:24 0 d-------- C:\Program Files\SpywareBlaster
2008-06-08 17:07:19 0 d-------- C:\Program Files\Panda Security
2008-06-08 17:03:46 113664 --a------ C:\WINDOWS\system32\fnoffibg.dll
2008-06-08 17:00:42 101376 --a------ C:\WINDOWS\system32\ewrnfpuj.dll
2008-06-08 01:47:21 0 d-------- C:\ie-spyad_zo
2008-06-07 15:58:37 111616 --a------ C:\WINDOWS\system32\lvgddmfn.dll
2008-06-07 00:27:09 200774 --a------ C:\WINDOWS\system32\mcntnkdn.exe
2008-06-07 00:25:21 0 d-------- C:\Documents and Settings\Robert Dixon\Application Data\Webroot
2008-06-07 00:22:06 0 d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-06-07 00:21:41 0 d-------- C:\Program Files\Webroot
2008-06-07 00:21:41 0 d-------- C:\Documents and Settings\Jason\Application Data\Webroot
2008-06-07 00:21:41 0 d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-06-07 00:20:05 164 --a------ C:\install.dat
2008-06-06 23:49:58 298311 --a------ C:\WINDOWS\system32\gside.exe
2008-06-06 23:37:25 0 d-------- C:\Documents and Settings\Jason\Application Data\com.zipeg
2008-06-06 23:19:36 40 --a------ C:\WINDOWS\sremcon.dat
2008-06-06 23:17:45 0 d-------- C:\Documents and Settings\Jason\Application Data\Se Analyzer Tool SA
2008-06-06 20:05:09 0 d-------- C:\Documents and Settings\Jason\Application Data\Spy Emergency
2008-06-06 19:57:17 24064 --a------ C:\WINDOWS\x.exe
2008-06-06 19:57:17 17664 --a------ C:\WINDOWS\waol.exe
2008-06-06 19:57:16 11264 --a------ C:\WINDOWS\svcinit.exe
2008-06-06 19:57:16 12544 --a------ C:\WINDOWS\sistem.exe
2008-06-06 19:57:16 8960 --a------ C:\WINDOWS\rundll16.exe
2008-06-06 19:57:16 30976 --a------ C:\WINDOWS\quicken.exe
2008-06-06 19:57:15 29440 --a------ C:\WINDOWS\qttasks.exe
2008-06-06 19:57:14 31744 --a------ C:\WINDOWS\olehelp.exe
2008-06-06 19:57:14 20992 --a------ C:\WINDOWS\notepad32.exe
2008-06-06 19:57:13 30720 --a------ C:\WINDOWS\mssys.exe
2008-06-06 19:57:13 11264 --a------ C:\WINDOWS\msconfd.dll
2008-06-06 19:57:12 10496 --a------ C:\WINDOWS\internet.exe
2008-06-06 19:57:12 18176 --a------ C:\WINDOWS\iexplorer.exe
2008-06-06 19:57:12 24832 --a------ C:\WINDOWS\iedll.exe
2008-06-06 19:57:12 26880 --a------ C:\WINDOWS\explore.exe
2008-06-06 19:57:11 20224 --a------ C:\WINDOWS\editpad.exe
2008-06-06 19:57:10 30208 --a------ C:\WINDOWS\avpcc.dll
2008-06-06 18:59:19 0 d-------- C:\Documents and Settings\Robert Dixon\Application Data\Spy Emergency
2008-06-06 18:59:00 0 d-------- C:\Documents and Settings\All Users\Application Data\NETGATE
2008-06-06 18:48:43 0 d-------- C:\Documents and Settings\Robert Dixon\Application Data\com.zipeg
2008-06-06 18

02 0 d-------- C:\Spy Emergency 2008 5.0.205 (NEW-with serial keys)
2008-06-06 17:58:21 0 d-------- C:\WINDOWS\system32\1449
2008-06-06 17:58:15 55808 --a------ C:\WINDOWS\portsv.exe
2008-06-06 17:28:08 49176 --a------ C:\WINDOWS\system32\jmwnw64s.exe <Not Verified; ; Browser Driver>
2008-06-06 17

10 0 d-------- C:\Documents and Settings\LocalService\Application Data\ESPN
2008-06-06 16:44:37 23808 --a------ C:\WINDOWS\y.exe
2008-06-06 16:44:37 24832 --a------ C:\WINDOWS\xplugin.dll
2008-06-06 16:44:36 31232 --a------ C:\WINDOWS\winmgnt.exe
2008-06-06 16:44:35 15104 --a------ C:\WINDOWS\window.exe
2008-06-06 16:44:35 23552 --a------ C:\WINDOWS\winajbm.dll
2008-06-06 16:44:35 30976 --a------ C:\WINDOWS\win64.exe
2008-06-06 16:44:35 24832 --a------ C:\WINDOWS\win32e.exe
2008-06-06 16:44:34 11520 --a------ C:\WINDOWS\users32.exe
2008-06-06 16:44:34 12544 --a------ C:\WINDOWS\time.exe
2008-06-06 16:44:34 18944 --a------ C:\WINDOWS\systemcritical.exe
2008-06-06 16:44:34 20480 --a------ C:\WINDOWS\systeem.exe
2008-06-06 16:44:33 26624 --a------ C:\WINDOWS\svchost32.exe
2008-06-06 16:44:33 9216 --a------ C:\WINDOWS\searchword.dll
2008-06-06 16:44:32 12800 --a------ C:\WINDOWS\mswsc20.dll
2008-06-06 16:44:32 17152 --a------ C:\WINDOWS\mswsc10.dll
2008-06-06 16:44:31 24576 --a------ C:\WINDOWS\msupdate.exe
2008-06-06 16:44:31 19968 --a------ C:\WINDOWS\msspi.dll
2008-06-06 16:44:31 22272 --a------ C:\WINDOWS\loader.exe
2008-06-06 16:44:30 8704 --a------ C:\WINDOWS\inetinf.exe
2008-06-06 16:44:30 13824 --a------ C:\WINDOWS\helpcvs.exe
2008-06-06 16:44:30 29696 --a------ C:\WINDOWS\gfmnaaa.dll
2008-06-06 16:44:30 22272 --a------ C:\WINDOWS\funny.exe
2008-06-06 16:44:29 13056 --a------ C:\WINDOWS\funniest.exe
2008-06-06 16:44:29 19456 --a------ C:\WINDOWS\explorer32.exe
2008-06-06 16:44:29 13568 --a------ C:\WINDOWS\dnsrelay.dll
2008-06-06 16:44:29 25344 --a------ C:\WINDOWS\directx32.exe
2008-06-06 16:44:28 17920 --a------ C:\WINDOWS\ctfmon32.exe
2008-06-06 16:44:28 21504 --a------ C:\WINDOWS\cpan.dll
2008-06-06 16:44:28 28416 --a------ C:\WINDOWS\clrssn.exe
2008-06-06 16:44:27 12288 --a------ C:\WINDOWS\accesss.exe
2008-06-06 16:33:45 15214 --ahs---- C:\WINDOWS\system32\KTwGNqru.ini2
2008-06-06 16:32:04 147456 --a------ C:\WINDOWS\system32\vbzip10.dll <Not Verified; Info-ZIP; Info-ZIP's WiZ>
2008-06-06 16:30:10 135168 --a------ C:\WINDOWS\TEK76.exe
2008-06-06 16:30:02 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-06-06 16:30:01 862 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-06-06 16:29:36 0 d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2008-06-06 16:29:34 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2008-06-06 16:29:04 4 --a------ C:\WINDOWS\system32\hljwugsf.bin
2008-06-06 16:29:04 401972 --a------ C:\WINDOWS\system32\g41.exe
2008-06-06 16:29:02 0 d--hs---- C:\WINDOWS\Um9iZXJ0IERpeG9u
2008-06-06 16:28:49 0 d-------- C:\WINDOWS\system32\xrem
2008-06-06 16:28:49 0 d-------- C:\WINDOWS\system32\NMP
2008-06-06 16:28:49 0 d-------- C:\WINDOWS\system32\inet2
2008-06-06 16:28:49 0 d-------- C:\WINDOWS\system32\expo
2008-06-06 16:28:49 0 d-------- C:\WINDOWS\system32\btz
2008-06-06 16:28:49 0 d-------- C:\WINDOWS\system32\105772
2008-06-06 16:28:41 0 d-------- C:\WINDOWS\system32\vntiho18
2008-06-06 16:28:41 0 d-------- C:\Temp
2008-06-04 16:39:24 0 d-------- C:\Documents and Settings\Jason\Application Data\Sonic
2008-06-02 18:38:29 0 d-------- C:\Documents and Settings\Jason\Incomplete
2008-06-02 18:37:32 0 d-------- C:\Documents and Settings\Jason\Application Data\LimeWire
2008-05-27 08:39:38 371200 --a------ C:\WINDOWS\system32\{45f32f12-49f1-d857-367f-6465a8586131}.dll
2008-05-21 09:53:31 0 d-------- C:\Program Files\Audacity
2008-05-21 00:42:41 0 d-------- C:\Program Files\iPod
2008-05-20 21:58:07 0 d-------- C:\Documents and Settings\Robert Dixon\Application Data\LimeWire

-- Find3M Report ---------------------------------------------------------------

2008-06-13 16:23:22 0 d-------- C:\Program Files\Lx_cats
2008-06-11 20:08:15 0 d-------- C:\Program Files\Yahoo!
2008-06-08 20:54:07 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-08 01:35:22 0 d-------- C:\Program Files\WildTangent
2008-06-02 18:23:10 0 d-------- C:\Program Files\Abbyy FineReader 6.0 Sprint
2008-05-21 00:49:21 0 d-------- C:\Program Files\Apple Software Update
2008-05-21 00:43:33 0 d-------- C:\Program Files\iTunes
2008-05-21 00:40:20 0 d-------- C:\Program Files\QuickTime
2008-04-21 18:46:20 0 d-------- C:\Program Files\Norton 360
2008-04-14 13:08:45 0 d-------- C:\Program Files\DeductionPro 2007
2008-04-14 10:37:07 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-14 10:28:42 249856 --a------ C:\WINDOWS\system32\pdfmona.dll <Not Verified; TODO: <Company name>; TODO: <Product name>>
2008-04-14 10:28:42 51716 --a------ C:\WINDOWS\system32\pdf995mon.dll
2008-04-14 10:28:40 0 d-------- C:\Program Files\PDF995
2008-04-14 10:28:07 0 d-------- C:\Program Files\TaxCut06
2008-04-14 10:27:48 0 d-------- C:\Program Files\TaxCut07

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{100e949f-811d-1f61-32d1-ee4d1e4cec42}]
05/27/2008 08:39 AM 371200 --a------ C:\WINDOWS\system32\{45f32f12-49f1-d857-367f-6465a8586131}.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63A15705-4E5E-45F3-837C-88777FA1C5AC}]
C:\DOCUME~1\Jason\LOCALS~1\Temp\iiffCTNd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6cc1c91a-ae8b-4373-a5b4-28ba1851e39a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7861DC4C-9DED-4A28-9328-AB9DA6DE292F}]
C:\WINDOWS\system32\urqNGwTK.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A1E716C4-D172-4FCB-9C66-21BEF1DD2D44}]
C:\WINDOWS\system32\xxyvsRKc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b847676d-72ac-4393-bfff-43a1eb979352}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e3eebbe8-9cab-4c76-b26a-747e25ebb4c6}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [09/29/2005 02:01 PM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [10/14/2005 08:49 PM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [10/14/2005 08:46 PM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [10/14/2005 08:50 PM]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [10/05/2005 03:12 AM]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [06/10/2005 10:44 AM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [06/10/2005 10:44 AM]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [09/08/2005 05:20 AM]
"DIGServices"="C:\Program Files\ESPNRunTime\DIGServices.exe" [07/14/2006 10:47 AM]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [10/04/2006 04:32 PM]
"lxctmon.exe"="C:\Program Files\Lexmark 5400 Series\lxctmon.exe" [11/22/2006 04:11 AM]
"Lexmark 5400 Series Fax Server"="C:\Program Files\Lexmark 5400 Series\fm3032.exe" [11/22/2006 04:12 AM]
"EzPrint"="C:\Program Files\Lexmark 5400 Series\ezprint.exe" [11/22/2006 04:11 AM]
"LXCTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll" [11/21/2006 07:27 AM]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [08/12/2005 04:16 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/10/2007 12:59 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"My Web Search Bar Search Scope Monitor"="C:\PROGRA~1\MYWEBS~1\bar\2.bin\m3SrchMn.exe" []
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [11/15/2007 10:24 AM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [01/29/2008 06:38 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"74d12944"="rundll32.exe" [08/10/2004 05:00 AM C:\WINDOWS\system32\rundll32.exe]
"{5215c6cd-7eb1-c7b8-c973-9dd56cbc867e}"="C:\WINDOWS\System32\Rundll32.exe" [08/10/2004 05:00 AM]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [01/04/2008 08:56 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [03/15/2007 11:09 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [10/10/2007 10:35 PM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [10/18/2006 08:05 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [08/30/2007 06:43 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 05:00 AM]
"cmds"="rundll32.exe" [08/10/2004 05:00 AM C:\WINDOWS\system32\rundll32.exe]
"SpyEmergency"="C:\Program Files\Spy Emergency 2008\SpyEmergency.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{A1E716C4-D172-4FCB-9C66-21BEF1DD2D44}"= C:\WINDOWS\system32\xxyvsRKc.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvsRKc]
xxyvsRKc.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\DOCUME~1\Jason\LOCALS~1\Temp\iiffCTNd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe

-- End of Deckard's System Scanner: finished at 2008-06-13 19:29:15 ------------

tetonbob · 06-13-2008, 06:38 PM

That's more like it, let's see what we can do about cleaning this mess.

One or more of the identified infections steal information. That includes all passwords, log ins to forums and your email details & other websites and most of all your Bank, Credit card or Paypal details. If this system is used for web based email, online banking or has credit card information on it, all passwords should be changed immediately by using a different computer (not the infected one!) to make the changes. Banking and credit card institutions, if any, should be notified of the possible security breech. It also seems to be able to steal all your emails so anything you have emailed to anybody is no longer confidential.

I suggest that you read this article too.

---------------------------------------------------------------------------------------------

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Save the following instructions in Notepad.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Download SDFix and save it to your Desktop. Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix) We'll use this later.

---------------------------------------------------------------------------------------------

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery mode if needed. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

As part of installing the Recovery Console, ComboFix will begin to run. Follow the prompts to install the Recovery Console. Your desktop may disappear. This is normal. It will return.

Once the Recovery Console is installed using ComboFix, you should see a message that says:

The Recovery Console was successfully installed.

Please continue as follows:

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Post the log from ComboFix (C:\ComboFix.txt) at the end of this fix.

---------------------------------------------------------------------------------------------

Please then reboot your computer in Safe Mode by doing the following :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder (C:\SDFix) and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Post that log in your next reply.

---------------------------------------------------------------------------------------------

Run DSS once again, and post it's log, main.txt

---------------------------------------------------------------------------------------------

Please post the logs from:

ComboFix (C:\ComboFix.txt)
SDFix (C:\SDFix\report.txt)
DSS (main.txt)

If you have any questions along the way, STOP and ask them before proceeding.

valdezorbust · 06-13-2008, 07:20 PM

I think I get most of it but this is a little unclear for me:

Post the log from ComboFix (C:\ComboFix.txt) at the end of this fix.

tetonbob · 06-13-2008, 07:23 PM

When you are done with all the instructions in this fix, post that log along with the other two requested logs, rather than stopping to post just the ComboFix log. Some folks will stop and post each log as it's done.

valdezorbust · 06-14-2008, 12:30 AM

Well thats neat. Now I have a nice green meadow and blue sky for a desktop wallpaper.

Here is all three scans

ComboFix 08-06-12.2 - Jason 2008-06-13 23:24:53.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.171 [GMT -5:00]
Running from: C:\Documents and Settings\Jason\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Haley Dixon\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\Jason\Start Menu\Programs\Startup\Deewoo.lnk
C:\Documents and Settings\Robert Dixon\Start Menu\Programs\Startup\Deewoo.lnk
C:\WINDOWS\Fonts\'
C:\WINDOWS\system32\{45f32f12-49f1-d857-367f-6465a8586131}.dll
C:\WINDOWS\system32\ckhhpxet.ini
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\ewrnfpuj.dll
C:\WINDOWS\system32\fnoffibg.dll
C:\WINDOWS\system32\g41.exe
C:\WINDOWS\system32\iksmivkr.ini
C:\WINDOWS\system32\jupfnrwe.ini
C:\WINDOWS\system32\KTwGNqru.ini
C:\WINDOWS\system32\KTwGNqru.ini2
C:\WINDOWS\system32\lvgddmfn.dll
C:\WINDOWS\system32\mcntnkdn.exe
.
---- Previous Run -------
.
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\Shared\Cache\AvatarSmallBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\FunBuddyIconBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MailStampBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MyStationeryBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
C:\Program Files\internet explorer\msimg32.dll
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\Temp\vtmp2
C:\Temp\vtmp2\ktnv33.log
C:\WINDOWS\accesss.exe
C:\WINDOWS\astctl32.ocx
C:\WINDOWS\avpcc.dll
C:\WINDOWS\clrssn.exe
C:\WINDOWS\cpan.dll
C:\WINDOWS\ctfmon32.exe
C:\WINDOWS\default.htm
C:\WINDOWS\directx32.exe
C:\WINDOWS\dnsrelay.dll
C:\WINDOWS\editpad.exe
C:\WINDOWS\explore.exe
C:\WINDOWS\explorer32.exe
C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\Fonts\Setup.exe
C:\WINDOWS\funniest.exe
C:\WINDOWS\funny.exe
C:\WINDOWS\gfmnaaa.dll
C:\WINDOWS\helpcvs.exe
C:\WINDOWS\iedll.exe
C:\WINDOWS\iexplorer.exe
C:\WINDOWS\inetinf.exe
C:\WINDOWS\internet.exe
C:\WINDOWS\loader.exe
C:\WINDOWS\msconfd.dll
C:\WINDOWS\msspi.dll
C:\WINDOWS\mssys.exe
C:\WINDOWS\msupdate.exe
C:\WINDOWS\mswsc10.dll
C:\WINDOWS\mswsc20.dll
C:\WINDOWS\notepad32.exe
C:\WINDOWS\olehelp.exe
C:\WINDOWS\portsv.exe
C:\WINDOWS\qttasks.exe
C:\WINDOWS\quicken.exe
C:\WINDOWS\rundll16.exe
C:\WINDOWS\rundll32.vbe
C:\WINDOWS\searchword.dll
C:\WINDOWS\sistem.exe
C:\WINDOWS\svchost32.exe
C:\WINDOWS\svcinit.exe
C:\WINDOWS\systeem.exe
C:\WINDOWS\system32\gside.exe
C:\WINDOWS\system32\hljwugsf.bin
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\systemcritical.exe
C:\WINDOWS\time.exe
C:\WINDOWS\users32.exe
C:\WINDOWS\waol.exe
C:\WINDOWS\win32e.exe
C:\WINDOWS\win64.exe
C:\WINDOWS\winajbm.dll
C:\WINDOWS\window.exe
C:\WINDOWS\winmgnt.exe
C:\WINDOWS\x.exe
C:\WINDOWS\xplugin.dll
C:\WINDOWS\y.exe

.
((((((((((((((((((((((((( Files Created from 2008-05-14 to 2008-06-14 )))))))))))))))))))))))))))))))
.

2008-06-13 20:59 . 2008-06-14 01:37 <DIR> d-------- C:\SDFix
2008-06-13 00:37 . 2008-06-13 00:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-06-11 03:05 . 2008-06-11 03:05 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-06-10 22:32 . 2008-04-14 06:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 22:32 . 2008-04-14 06:01 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-10 00:36 . 2008-06-10 00:36 <DIR> d-------- C:\Documents and Settings\Haley Dixon\Application Data\Webroot
2008-06-09 00:43 . 2008-06-09 00:43 <DIR> d-------- C:\Deckard
2008-06-08 21:15 . 2008-06-08 21:17 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-06-08 17:07 . 2008-06-08 21:29 <DIR> d-------- C:\Program Files\Panda Security
2008-06-08 01:47 . 2008-06-08 01:47 <DIR> d-------- C:\ie-spyad_zo
2008-06-07 00:25 . 2008-06-07 00:25 <DIR> d-------- C:\Documents and Settings\Robert Dixon\Application Data\Webroot
2008-06-07 00:22 . 2008-06-07 00:22 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-06-07 00:22 . 2008-01-04 20:34 163,696 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2008-06-07 00:22 . 2008-01-04 20:34 23,920 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2008-06-07 00:22 . 2008-01-04 20:34 21,872 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2008-06-07 00:22 . 2008-01-04 20:34 20,336 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2008-06-07 00:21 . 2008-06-07 00:21 <DIR> d-------- C:\Program Files\Webroot
2008-06-07 00:21 . 2008-06-07 00:21 <DIR> d-------- C:\Documents and Settings\Jason\Application Data\Webroot
2008-06-07 00:21 . 2008-06-07 00:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-06-07 00:21 . 2008-01-04 20:56 1,526,640 --a------ C:\WINDOWS\WRSetup.dll
2008-06-07 00:20 . 2008-06-07 00:20 164 --a------ C:\install.dat
2008-06-06 23:37 . 2008-06-06 23:37 <DIR> d-------- C:\Documents and Settings\Jason\Application Data\com.zipeg
2008-06-06 23:19 . 2008-06-06 23:19 224,946 --a------ C:\SpyEmergency.dmp
2008-06-06 23:19 . 2008-06-06 23:19 40 --a------ C:\WINDOWS\sremcon.dat
2008-06-06 23:17 . 2008-06-06 23:17 <DIR> d-------- C:\Documents and Settings\Jason\Application Data\Se Analyzer Tool SA
2008-06-06 20:05 . 2008-06-06 23:26 <DIR> d-------- C:\Documents and Settings\Jason\Application Data\Spy Emergency
2008-06-06 18:59 . 2008-06-06 23:34 <DIR> d-------- C:\Documents and Settings\Robert Dixon\Application Data\Spy Emergency
2008-06-06 18:59 . 2008-06-06 18:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NETGATE
2008-06-06 18:48 . 2008-06-06 19:48 <DIR> d-------- C:\Documents and Settings\Robert Dixon\Application Data\com.zipeg
2008-06-06 18:06 . 2008-06-06 18:06 <DIR> d-------- C:\Spy Emergency 2008 5.0.205 (NEW-with serial keys)
2008-06-06 17:58 . 2008-06-06 18:39 <DIR> d-------- C:\WINDOWS\system32\1449
2008-06-06 17:28 . 2008-06-06 17:28 49,176 --a------ C:\WINDOWS\system32\jmwnw64s.exe
2008-06-06 17:10 . 2008-06-06 17:10 667,844 --a------ C:\Spymaxx [wyzo].zip
2008-06-06 17:06 . 2008-06-06 17:06 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\ESPN
2008-06-06 16:32 . 2008-06-06 16:32 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-06-06 16:30 . 2008-06-06 16:31 135,168 --a------ C:\WINDOWS\TEK76.exe
2008-06-06 16:29 . 2008-06-06 19:59 <DIR> d--hs---- C:\WINDOWS\Um9iZXJ0IERpeG9u
2008-06-06 16:29 . 2008-06-06 16:29 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2008-06-06 16:29 . 2008-06-06 16:30 63,918 --a------ C:\WINDOWS\system32\{45f32f12-49f1-d857-367f-6465a8586131}.dll-uninst.exe
2008-06-06 16:28 . 2008-06-06 16:28 <DIR> d-------- C:\WINDOWS\system32\xrem
2008-06-06 16:28 . 2008-06-06 16:28 <DIR> d-------- C:\WINDOWS\system32\vntiho18
2008-06-06 16:28 . 2008-06-06 16:28 <DIR> d-------- C:\WINDOWS\system32\NMP
2008-06-06 16:28 . 2008-06-07 02:19 <DIR> d-------- C:\WINDOWS\system32\inet2
2008-06-06 16:28 . 2008-06-06 19:56 <DIR> d-------- C:\WINDOWS\system32\expo
2008-06-06 16:28 . 2008-06-06 19:55 <DIR> d-------- C:\WINDOWS\system32\btz
2008-06-06 16:28 . 2008-06-07 02:19 <DIR> d-------- C:\WINDOWS\system32\105772
2008-06-06 16:28 . 2008-06-13 23:18 <DIR> d-------- C:\Temp
2008-06-04 16:39 . 2008-06-04 16:39 <DIR> d-------- C:\Documents and Settings\Jason\Application Data\Sonic
2008-06-02 18:38 . 2008-06-02 18:47 <DIR> d-------- C:\Documents and Settings\Jason\Incomplete
2008-06-02 18:37 . 2008-06-02 18:47 <DIR> d-------- C:\Documents and Settings\Jason\Application Data\LimeWire
2008-05-21 09:53 . 2008-05-21 09:53 <DIR> d-------- C:\Program Files\Audacity
2008-05-21 00:42 . 2008-05-21 00:42 <DIR> d-------- C:\Program Files\iPod
2008-05-20 21:58 . 2008-06-06 19:08 <DIR> d-------- C:\Documents and Settings\Robert Dixon\Application Data\LimeWire
2008-05-20 16:13 . 2008-05-20 16:13 32,768 --a------ C:\WINDOWS\system32\vntiho18\vntiho182328.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-14 04:37 --------- d-----w C:\Program Files\Lx_cats
2008-06-12 01:08 --------- d-----w C:\Program Files\Yahoo!
2008-06-10 05:36 --------- d--h--r C:\Documents and Settings\Haley Dixon\Application Data\yahoo!
2008-06-09 01:54 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-08 06:35 --------- d-----w C:\Program Files\WildTangent
2008-06-02 23:23 --------- d-----w C:\Program Files\Abbyy FineReader 6.0 Sprint
2008-05-21 05:49 --------- d-----w C:\Program Files\Apple Software Update
2008-05-21 05:43 --------- d-----w C:\Program Files\iTunes
2008-05-21 05:40 --------- d-----w C:\Program Files\QuickTime
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-05 04:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-21 23:46 --------- d-----w C:\Program Files\Norton 360
2008-04-14 18:08 --------- d-----w C:\Program Files\DeductionPro 2007
2008-04-14 15:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-14 15:28 --------- d-----w C:\Program Files\TaxCut06
2008-04-14 15:28 --------- d-----w C:\Program Files\PDF995
2008-04-14 15:28 --------- d-----w C:\Documents and Settings\Robert Dixon\Application Data\TaxCut
2008-04-14 15:27 --------- d-----w C:\Program Files\TaxCut07
2008-04-14 15:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\TaxCut
2007-08-26 06:39 92,064 ----a-w C:\Documents and Settings\Robert Dixon\mqdmmdm.sys
2007-08-26 06:39 9,232 ----a-w C:\Documents and Settings\Robert Dixon\mqdmmdfl.sys
2007-08-26 06:39 79,328 ----a-w C:\Documents and Settings\Robert Dixon\mqdmserd.sys
2007-08-26 06:39 66,656 ----a-w C:\Documents and Settings\Robert Dixon\mqdmbus.sys
2007-08-26 06:39 6,208 ----a-w C:\Documents and Settings\Robert Dixon\mqdmcmnt.sys
2007-08-26 06:39 5,936 ----a-w C:\Documents and Settings\Robert Dixon\mqdmwhnt.sys
2007-08-26 06:39 4,048 ----a-w C:\Documents and Settings\Robert Dixon\mqdmcr.sys
2007-08-26 06:39 25,600 ----a-w C:\Documents and Settings\Robert Dixon\usbsermptxp.sys
2007-08-26 06:39 22,768 ----a-w C:\Documents and Settings\Robert Dixon\usbsermpt.sys
2006-10-04 22:50 88 --sh--r C:\WINDOWS\system32\93E8019154.sys
2006-10-04 22:50 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63A15705-4E5E-45F3-837C-88777FA1C5AC}]
C:\DOCUME~1\Jason\LOCALS~1\Temp\iiffCTNd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7861DC4C-9DED-4A28-9328-AB9DA6DE292F}]
C:\WINDOWS\system32\urqNGwTK.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-10 22:35 68856]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 18:43 4670704]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 05:00 15360]
"SpyEmergency"="C:\Program Files\Spy Emergency 2008\SpyEmergency.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 14:01 67584]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 20:49 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 20:46 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 20:50 114688]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 03:12 94208]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 10:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44 81920]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 05:20 122940]
"DIGServices"="C:\Program Files\ESPNRunTime\DIGServices.exe" [2006-07-14 10:47 106496]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-10-04 16:32 26112]
"lxctmon.exe"="C:\Program Files\Lexmark 5400 Series\lxctmon.exe" [2006-11-22 04:11 291760]
"Lexmark 5400 Series Fax Server"="C:\Program Files\Lexmark 5400 Series\fm3032.exe" [2006-11-22 04:12 304048]
"EzPrint"="C:\Program Files\Lexmark 5400 Series\ezprint.exe" [2006-11-22 04:11 82864]
"LXCTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll" [2006-11-21 07:27 106496]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 16:16 1121792]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 00:59 115816]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"My Web Search Bar Search Scope Monitor"="C:\PROGRA~1\MYWEBS~1\bar\2.bin\m3SrchMn.exe" [ ]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 18:38 583048]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 20:56 5367664]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-08-13 19:04 5562368]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-05-23 19:03:59 24576]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 23:07:32 81920]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2008-04-28 11:20:00 415072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvsRKc]
xxyvsRKc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\WINDOWS\\system32\\lxctcoms.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

S1 fipss;fipss;C:\WINDOWS\system32\drivers\fipss.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-12 17:03:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-13 11:00:06 C:\WINDOWS\Tasks\wrSpySweeper_L38E9B5FB0FE04D43A21B5B4CD28F2388.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe>/ScheduleSweep=wrSpySweeper_L38E9B5FB0FE04D43A21B5B4CD28F2388
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- C:\
"2008-06-13 11:00:00 C:\WINDOWS\Tasks\wrSpySweeper_L8941024205E247B198CE21A4D473D968.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe>/ScheduleSweep=wrSpySweeper_L8941024205E247B198CE21A4D473D968
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- C:\
"2008-06-13 11:00:05 C:\WINDOWS\Tasks\wrSpySweeper_LDE18B0D720A147F6AA8A9CF1FF09988C.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe>/ScheduleSweep=wrSpySweeper_LDE18B0D720A147F6AA8A9CF1FF09988C
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- D:\,E:\,G:
- C:\
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-13 23:36:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\ehome\ehRec.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-06-13 23:41:31 - machine was rebooted [Jason]
ComboFix-quarantined-files.txt 2008-06-14 04:41:19

Pre-Run: 31,947,378,688 bytes free
Post-Run: 35,730,903,040 bytes free

316 --- E O F --- 2008-06-11 08

22

SDFix: Version 1.192
Run by Jason on Sat 06/14/2008 at 12:23 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default Desktop Wallpaper

Rebooting

Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\vntiho18\vntiho182328.exe - Deleted

Folder C:\WINDOWS\system32\vntiho18 - Removed

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-14 01:17:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\WINDOWS\\system32\\lxctcoms.exe"="C:\\WINDOWS\\system32\\lxctcoms.exe:*:Enabled:Lexmark Communications System"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Thu 25 May 2006 209 A.SHR --- "C:\BOOT.BAK"
Wed 4 Oct 2006 88 ..SHR --- "C:\WINDOWS\system32\93E8019154.sys"
Wed 4 Oct 2006 3,350 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Thu 30 Nov 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 24 Jul 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Mon 13 Nov 2006 319,456 A..H. --- "C:\Program Files\Common Files\Motorola Shared\MotPCSDrivers\difxapi.dll"
Wed 7 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\BIT8.tmp"
Fri 7 Mar 2008 30,208 ...H. --- "C:\Documents and Settings\Robert Dixon\Application Data\Microsoft\Word\~WRL2902.tmp"
Mon 7 Apr 2008 30,208 ...H. --- "C:\Documents and Settings\Robert Dixon\Application Data\Microsoft\Word\~WRL3054.tmp"
Wed 4 Oct 2006 3,072,000 A..H. --- "C:\Documents and Settings\Robert Dixon\Application Data\U3\temp\Launchpad Removal.exe"
Thu 8 Feb 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch5\lock.tmp"
Thu 12 Apr 2007 8 A..H. --- "C:\Documents and Settings\Haley Dixon\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Thu 12 Apr 2007 8 A..H. --- "C:\Documents and Settings\Haley Dixon\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Sat 14 Apr 2007 8 A..H. --- "C:\Documents and Settings\Haley Dixon\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Sat 14 Apr 2007 8 A..H. --- "C:\Documents and Settings\Haley Dixon\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
Thu 4 Oct 2007 8 A..H. --- "C:\Documents and Settings\Jason\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Thu 4 Oct 2007 8 A..H. --- "C:\Documents and Settings\Jason\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Thu 4 Oct 2007 8 A..H. --- "C:\Documents and Settings\Jason\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Thu 4 Oct 2007 8 A..H. --- "C:\Documents and Settings\Jason\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
Thu 12 Apr 2007 8 A..H. --- "C:\Documents and Settings\Robert Dixon\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Thu 12 Apr 2007 8 A..H. --- "C:\Documents and Settings\Robert Dixon\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Thu 19 Apr 2007 8 A..H. --- "C:\Documents and Settings\Robert Dixon\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Thu 19 Apr 2007 8 A..H. --- "C:\Documents and Settings\Robert Dixon\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"

Finished!

Deckard's System Scanner v20071014.68
Run by Jason on 2008-06-14 01:26:19
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 503 MiB (512 MiB recommended).

-- HijackThis (run as Jason.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:27:23 AM, on 6/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Lexmark 5400 Series\ezprint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Documents and Settings\Jason\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\Jason.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {63A15705-4E5E-45F3-837C-88777FA1C5AC} - C:\DOCUME~1\Jason\LOCALS~1\Temp\iiffCTNd.dll (file missing)
O2 - BHO: (no name) - {7861DC4C-9DED-4A28-9328-AB9DA6DE292F} - C:\WINDOWS\system32\urqNGwTK.dll (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Dell\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [DIGServices] "C:\Program Files\ESPNRunTime\DIGServices.exe" /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [lxctmon.exe] "C:\Program Files\Lexmark 5400 Series\lxctmon.exe"
O4 - HKLM\..\Run: [Lexmark 5400 Series Fax Server] "C:\Program Files\Lexmark 5400 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 5400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [MSKDetectorExe] "C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" /uninstall
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\2.bin\m3SrchMn.exe" /m=2 /w
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpyEmergency] "C:\Program Files\Spy Emergency 2008\SpyEmergency.exe"
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...tml?p=ZUfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Chessmaster%20Challenge/Images/stg_drm.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/down.../OTOYAX29b.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Chessmaster%20Challenge/Images/armhelper.ocx
O20 - Winlogon Notify: xxyvsRKc - xxyvsRKc.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxct_device - - C:\WINDOWS\system32\lxctcoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 10666 bytes

-- Files created between 2008-05-14 and 2008-06-14 -----------------------------

2008-06-14 00:19:07 0 d-------- C:\WINDOWS\ERUNT
2008-06-14 00

11 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-06-13 23:11:18 68096 --a------ C:\WINDOWS\zip.exe
2008-06-13 23:11:18 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-13 23:11:18 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-13 23:11:18 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-13 23:11:18 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-13 23:11:18 98816 --a------ C:\WINDOWS\sed.exe
2008-06-13 23:11:18 80412 --a------ C:\WINDOWS\grep.exe
2008-06-13 23:11:18 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-13 21:14:13 0 dr-hs---- C:\cmdcons
2008-06-13 21:14:12 0 d-------- C:\WINDOWS\setup.pss
2008-06-13 21:13:34 0 d-------- C:\WINDOWS\setupupd
2008-06-13 00:37:58 0 d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-06-10 00:36:25 0 d-------- C:\Documents and Settings\Haley Dixon\Application Data\Webroot
2008-06-08 21:15:24 0 d-------- C:\Program Files\SpywareBlaster
2008-06-08 17:07:19 0 d-------- C:\Program Files\Panda Security
2008-06-08 01:47:21 0 d-------- C:\ie-spyad_zo
2008-06-07 00:25:21 0 d-------- C:\Documents and Settings\Robert Dixon\Application Data\Webroot
2008-06-07 00:22:06 0 d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-06-07 00:21:41 0 d-------- C:\Program Files\Webroot
2008-06-07 00:21:41 0 d-------- C:\Documents and Settings\Jason\Application Data\Webroot
2008-06-07 00:21:41 0 d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-06-07 00:20:05 164 --a------ C:\install.dat
2008-06-06 23:37:25 0 d-------- C:\Documents and Settings\Jason\Application Data\com.zipeg
2008-06-06 23:19:36 40 --a------ C:\WINDOWS\sremcon.dat
2008-06-06 23:17:45 0 d-------- C:\Documents and Settings\Jason\Application Data\Se Analyzer Tool SA
2008-06-06 20:05:09 0 d-------- C:\Documents and Settings\Jason\Application Data\Spy Emergency
2008-06-06 18:59:19 0 d-------- C:\Documents and Settings\Robert Dixon\Application Data\Spy Emergency
2008-06-06 18:59:00 0 d-------- C:\Documents and Settings\All Users\Application Data\NETGATE
2008-06-06 18:48:43 0 d-------- C:\Documents and Settings\Robert Dixon\Application Data\com.zipeg
2008-06-06 18

02 0 d-------- C:\Spy Emergency 2008 5.0.205 (NEW-with serial keys)
2008-06-06 17:58:21 0 d-------- C:\WINDOWS\system32\1449
2008-06-06 17:28:08 49176 --a------ C:\WINDOWS\system32\jmwnw64s.exe <Not Verified; ; Browser Driver>
2008-06-06 17

10 0 d-------- C:\Documents and Settings\LocalService\Application Data\ESPN
2008-06-06 16:32:04 147456 --a------ C:\WINDOWS\system32\vbzip10.dll <Not Verified; Info-ZIP; Info-ZIP's WiZ>
2008-06-06 16:30:10 135168 --a------ C:\WINDOWS\TEK76.exe
2008-06-06 16:30:02 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-06-06 16:29:36 0 d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2008-06-06 16:29:34 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2008-06-06 16:29:02 0 d--hs---- C:\WINDOWS\Um9iZXJ0IERpeG9u
2008-06-06 16:28:49 0 d-------- C:\WINDOWS\system32\xrem
2008-06-06 16:28:49 0 d-------- C:\WINDOWS\system32\NMP
2008-06-06 16:28:49 0 d-------- C:\WINDOWS\system32\inet2
2008-06-06 16:28:49 0 d-------- C:\WINDOWS\system32\expo
2008-06-06 16:28:49 0 d-------- C:\WINDOWS\system32\btz
2008-06-06 16:28:49 0 d-------- C:\WINDOWS\system32\105772
2008-06-06 16:28:41 0 d-------- C:\Temp
2008-06-04 16:39:24 0 d-------- C:\Documents and Settings\Jason\Application Data\Sonic
2008-06-02 18:38:29 0 d-------- C:\Documents and Settings\Jason\Incomplete
2008-06-02 18:37:32 0 d-------- C:\Documents and Settings\Jason\Application Data\LimeWire
2008-05-21 09:53:31 0 d-------- C:\Program Files\Audacity
2008-05-21 00:42:41 0 d-------- C:\Program Files\iPod
2008-05-20 21:58:07 0 d-------- C:\Documents and Settings\Robert Dixon\Application Data\LimeWire

-- Find3M Report ---------------------------------------------------------------

2008-06-14 01:21:13 0 d-------- C:\Program Files\Lx_cats
2008-06-11 20:08:15 0 d-------- C:\Program Files\Yahoo!
2008-06-08 20:54:07 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-08 01:35:22 0 d-------- C:\Program Files\WildTangent
2008-06-02 18:23:10 0 d-------- C:\Program Files\Abbyy FineReader 6.0 Sprint
2008-05-21 00:49:21 0 d-------- C:\Program Files\Apple Software Update
2008-05-21 00:43:33 0 d-------- C:\Program Files\iTunes
2008-05-21 00:40:20 0 d-------- C:\Program Files\QuickTime
2008-04-21 18:46:20 0 d-------- C:\Program Files\Norton 360
2008-04-14 13:08:45 0 d-------- C:\Program Files\DeductionPro 2007
2008-04-14 10:37:07 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-14 10:28:42 249856 --a------ C:\WINDOWS\system32\pdfmona.dll <Not Verified; TODO: <Company name>; TODO: <Product name>>
2008-04-14 10:28:42 51716 --a------ C:\WINDOWS\system32\pdf995mon.dll
2008-04-14 10:28:40 0 d-------- C:\Program Files\PDF995
2008-04-14 10:28:07 0 d-------- C:\Program Files\TaxCut06
2008-04-14 10:27:48 0 d-------- C:\Program Files\TaxCut07

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63A15705-4E5E-45F3-837C-88777FA1C5AC}]
C:\DOCUME~1\Jason\LOCALS~1\Temp\iiffCTNd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7861DC4C-9DED-4A28-9328-AB9DA6DE292F}]
C:\WINDOWS\system32\urqNGwTK.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [09/29/2005 02:01 PM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [10/14/2005 08:49 PM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [10/14/2005 08:46 PM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [10/14/2005 08:50 PM]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [10/05/2005 03:12 AM]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [06/10/2005 10:44 AM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [06/10/2005 10:44 AM]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [09/08/2005 05:20 AM]
"DIGServices"="C:\Program Files\ESPNRunTime\DIGServices.exe" [07/14/2006 10:47 AM]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [10/04/2006 04:32 PM]
"lxctmon.exe"="C:\Program Files\Lexmark 5400 Series\lxctmon.exe" [11/22/2006 04:11 AM]
"Lexmark 5400 Series Fax Server"="C:\Program Files\Lexmark 5400 Series\fm3032.exe" [11/22/2006 04:12 AM]
"EzPrint"="C:\Program Files\Lexmark 5400 Series\ezprint.exe" [11/22/2006 04:11 AM]
"LXCTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll" [11/21/2006 07:27 AM]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [08/12/2005 04:16 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/10/2007 12:59 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"My Web Search Bar Search Scope Monitor"="C:\PROGRA~1\MYWEBS~1\bar\2.bin\m3SrchMn.exe" []
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [11/15/2007 10:24 AM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [01/29/2008 06:38 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [01/04/2008 08:56 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [03/15/2007 11:09 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [10/10/2007 10:35 PM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [10/18/2006 08:05 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [08/30/2007 06:43 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 05:00 AM]
"SpyEmergency"="C:\Program Files\Spy Emergency 2008\SpyEmergency.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [5/23/2006 7:03:59 PM]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [5/3/2005 11:07:32 PM]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [4/28/2008 11:20:00 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvsRKc]
xxyvsRKc.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe

-- End of Deckard's System Scanner: finished at 2008-06-14 01:28:11 ------------

tetonbob · 06-14-2008, 12:54 AM

SDFix resets background to Windows Default "Bliss" background...you should be able to change it to whatever you desire.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.

Open notepad and copy/paste the text in the quotebox below into it:

Quote:

http://www.techsupportforum.com/security-center/hijackthis-log-help/257924-popups-etc-trojan-cws-more.html

File::
C:\WINDOWS\system32\vbzip10.dll
C:\SpyEmergency.dmp
C:\WINDOWS\sremcon.dat

Folder::
C:\WINDOWS\Um9iZXJ0IERpeG9u
C:\WINDOWS\system32\xrem
C:\WINDOWS\system32\vntiho18
C:\WINDOWS\system32\NMP
C:\WINDOWS\system32\inet2
C:\WINDOWS\system32\expo
C:\WINDOWS\system32\btz
C:\Documents and Settings\Jason\Application Data\Se Analyzer Tool SA
C:\Documents and Settings\Jason\Application Data\Spy Emergency
C:\Documents and Settings\Robert Dixon\Application Data\Spy Emergency
C:\Spy Emergency 2008 5.0.205 (NEW-with serial keys)
C:\WINDOWS\system32\1449
C:\WINDOWS\system32\105772
C:\PROGRA~1\MYWEBS~1

Driver::
fipss

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63A15705-4E5E-45F3-837C-88777FA1C5AC}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7861DC4C-9DED-4A28-9328-AB9DA6DE292F}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"My Web Search Bar Search Scope Monitor"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpyEmergency"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvsRKc]

Collect::
C:\WINDOWS\system32\drivers\fipss.sys
C:\WINDOWS\system32\jmwnw64s.exe
C:\Spymaxx [wyzo].zip
C:\WINDOWS\TEK76.exe
C:\WINDOWS\system32\{45f32f12-49f1-d857-367f-6465a8586131}.dll-uninst.exe

Save this as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file.
Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.

---------------------------------------------------------------------------------------------
Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------

valdezorbust · 06-14-2008, 01:41 AM

Quote:

When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file.

The log and message box did not open. A zipped file appeared on the desktop named:

[4]-Submit_2008-06-14@2.22.zip

Is this what you need?

When I opened firefox a message box said it was no longer the preferred browser and would I like to set it as my browser now. I did. I guess Combofix uses IE because this happened the last time I used it.

When I try to attach the zipped file it says it is in progress. I guess I will wait for it to do something.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:34, on 2008-06-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\Lexmark 5400 Series\ezprint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Dell\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [DIGServices] "C:\Program Files\ESPNRunTime\DIGServices.exe" /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [lxctmon.exe] "C:\Program Files\Lexmark 5400 Series\lxctmon.exe"
O4 - HKLM\..\Run: [Lexmark 5400 Series Fax Server] "C:\Program Files\Lexmark 5400 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 5400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [MSKDetectorExe] "C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" /uninstall
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...tml?p=ZUfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Chessmaster%20Challenge/Images/stg_drm.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/down.../OTOYAX29b.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Chessmaster%20Challenge/Images/armhelper.ocx
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxct_device - - C:\WINDOWS\system32\lxctcoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9882 bytes

tetonbob · 06-14-2008, 08:16 AM

Please double click on ComboFix.exe to run it. A log should be produced.

valdezorbust · 06-14-2008, 02:54 PM

ComboFix 08-06-12.2 - Jason 2008-06-14 15:45:57.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.95 [GMT -5:00]
Running from: C:\Documents and Settings\Jason\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\Jason\Application Data\Se Analyzer Tool SA
C:\Documents and Settings\Jason\Application Data\Se Analyzer Tool SA\Logs\Log_CHKONE_2008-06-06.txt
C:\Documents and Settings\Jason\Application Data\Spy Emergency
C:\Documents and Settings\Jason\Application Data\Spy Emergency\Cage\Cage.pfa
C:\Documents and Settings\Jason\Application Data\Spy Emergency\Cage\mcntnkdn.exe.ifc
C:\Documents and Settings\Jason\Application Data\Spy Emergency\Cage\zxdnt3d.cfg.ifc
C:\Documents and Settings\Jason\Application Data\Spy Emergency\Keeplist\Keeplist.pfa
C:\Documents and Settings\Jason\Application Data\Spy Emergency\Log\LogFile_2008-06-06.txt
C:\Documents and Settings\Jason\Application Data\Spy Emergency\news.ini
C:\Documents and Settings\Jason\Application Data\Spy Emergency\settings.ini
C:\Documents and Settings\Robert Dixon\Application Data\Spy Emergency
C:\Documents and Settings\Robert Dixon\Application Data\Spy Emergency\Keeplist\Keeplist.pfa
C:\Spy Emergency 2008 5.0.205 (NEW-with serial keys)
C:\Spy Emergency 2008 5.0.205 (NEW-with serial keys)\Spy Emergency 2008 5.0.205.rar
C:\WINDOWS\sremcon.dat
C:\WINDOWS\system32\{45f32f12-49f1-d857-367f-6465a8586131}.dll-uninst.exe
C:\WINDOWS\system32\105772
C:\WINDOWS\system32\1449
C:\WINDOWS\system32\1449\~!8525p.spt
C:\WINDOWS\system32\btz
C:\WINDOWS\system32\expo
C:\WINDOWS\system32\inet2
C:\WINDOWS\system32\jmwnw64s.exe
C:\WINDOWS\system32\NMP
C:\WINDOWS\system32\NMP\antilutx.exe
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\system32\xrem
C:\WINDOWS\system32\xrem\imapIP95.exe
C:\WINDOWS\TEK76.exe
C:\WINDOWS\Um9iZXJ0IERpeG9u

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FIPSS
-------\Service_fipss

((((((((((((((((((((((((( Files Created from 2008-05-14 to 2008-06-14 )))))))))))))))))))))))))))))))
.

2008-06-14 00:19 . 2008-06-14 00:19 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-14 00:06 . 2008-06-14 00:06 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-06-13 20:59 . 2008-06-14 01:20 <DIR> d-------- C:\SDFix
2008-06-13 00:37 . 2008-06-13 00:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-06-11 03:05 . 2008-06-11 03:05 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-06-10 22:32 . 2008-04-14 06:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 22:32 . 2008-04-14 06:01 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-10 00:36 . 2008-06-10 00:36 <DIR> d-------- C:\Documents and Settings\Haley Dixon\Application Data\Webroot
2008-06-09 00:43 . 2008-06-09 00:43 <DIR> d-------- C:\Deckard
2008-06-08 21:15 . 2008-06-08 21:17 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-06-08 17:07 . 2008-06-08 21:29 <DIR> d-------- C:\Program Files\Panda Security
2008-06-08 01:47 . 2008-06-08 01:47 <DIR> d-------- C:\ie-spyad_zo
2008-06-07 00:25 . 2008-06-07 00:25 <DIR> d-------- C:\Documents and Settings\Robert Dixon\Application Data\Webroot
2008-06-07 00:22 . 2008-06-07 00:22 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-06-07 00:22 . 2008-01-04 20:34 163,696 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2008-06-07 00:22 . 2008-01-04 20:34 23,920 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2008-06-07 00:22 . 2008-01-04 20:34 21,872 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2008-06-07 00:22 . 2008-01-04 20:34 20,336 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2008-06-07 00:21 . 2008-06-07 00:21 <DIR> d-------- C:\Program Files\Webroot
2008-06-07 00:21 . 2008-06-07 00:21 <DIR> d-------- C:\Documents and Settings\Jason\Application Data\Webroot
2008-06-07 00:21 . 2008-06-07 00:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-06-07 00:21 . 2008-01-04 20:56 1,526,640 --a------ C:\WINDOWS\WRSetup.dll
2008-06-07 00:20 . 2008-06-07 00:20 164 --a------ C:\install.dat
2008-06-06 23:37 . 2008-06-06 23:37 <DIR> d-------- C:\Documents and Settings\Jason\Application Data\com.zipeg
2008-06-06 18:59 . 2008-06-06 18:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NETGATE
2008-06-06 18:48 . 2008-06-06 19:48 <DIR> d-------- C:\Documents and Settings\Robert Dixon\Application Data\com.zipeg
2008-06-06 17:06 . 2008-06-06 17:06 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\ESPN
2008-06-06 16:29 . 2008-06-06 16:29 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2008-06-06 16:28 . 2008-06-13 23:18 <DIR> d-------- C:\Temp
2008-06-04 16:39 . 2008-06-04 16:39 <DIR> d-------- C:\Documents and Settings\Jason\Application Data\Sonic
2008-06-02 18:38 . 2008-06-02 18:47 <DIR> d-------- C:\Documents and Settings\Jason\Incomplete
2008-06-02 18:37 . 2008-06-02 18:47 <DIR> d-------- C:\Documents and Settings\Jason\Application Data\LimeWire
2008-05-21 09:53 . 2008-05-21 09:53 <DIR> d-------- C:\Program Files\Audacity
2008-05-21 00:42 . 2008-05-21 00:42 <DIR> d-------- C:\Program Files\iPod
2008-05-20 21:58 . 2008-06-06 19:08 <DIR> d-------- C:\Documents and Settings\Robert Dixon\Application Data\LimeWire

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-14 10:58 --------- d-----w C:\Program Files\Lx_cats
2008-06-12 01:08 --------- d-----w C:\Program Files\Yahoo!
2008-06-10 05:36 --------- d--h--r C:\Documents and Settings\Haley Dixon\Application Data\yahoo!
2008-06-09 01:54 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-08 06:35 --------- d-----w C:\Program Files\WildTangent
2008-06-02 23:23 --------- d-----w C:\Program Files\Abbyy FineReader 6.0 Sprint
2008-05-21 05:49 --------- d-----w C:\Program Files\Apple Software Update
2008-05-21 05:43 --------- d-----w C:\Program Files\iTunes
2008-05-21 05:40 --------- d-----w C:\Program Files\QuickTime
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 04:55 1,288,192 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2008-05-05 04:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-24 03:16 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-04-22 07:40 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-04-22 07:39 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-04-22 07:39 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-21 23:46 --------- d-----w C:\Program Files\Norton 360
2008-04-20 05:07 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-04-14 18:08 --------- d-----w C:\Program Files\DeductionPro 2007
2008-04-14 15:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-14 15:28 51,716 ----a-w C:\WINDOWS\system32\pdf995mon.dll
2008-04-14 15:28 249,856 ----a-w C:\WINDOWS\system32\pdfmona.dll
2008-04-14 15:28 --------- d-----w C:\Program Files\TaxCut06
2008-04-14 15:28 --------- d-----w C:\Program Files\PDF995
2008-04-14 15:28 --------- d-----w C:\Documents and Settings\Robert Dixon\Application Data\TaxCut
2008-04-14 15:27 --------- d-----w C:\Program Files\TaxCut07
2008-04-14 15:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\TaxCut
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2007-08-26 06:39 92,064 ----a-w C:\Documents and Settings\Robert Dixon\mqdmmdm.sys
2007-08-26 06:39 9,232 ----a-w C:\Documents and Settings\Robert Dixon\mqdmmdfl.sys
2007-08-26 06:39 79,328 ----a-w C:\Documents and Settings\Robert Dixon\mqdmserd.sys
2007-08-26 06:39 66,656 ----a-w C:\Documents and Settings\Robert Dixon\mqdmbus.sys
2007-08-26 06:39 6,208 ----a-w C:\Documents and Settings\Robert Dixon\mqdmcmnt.sys
2007-08-26 06:39 5,936 ----a-w C:\Documents and Settings\Robert Dixon\mqdmwhnt.sys
2007-08-26 06:39 4,048 ----a-w C:\Documents and Settings\Robert Dixon\mqdmcr.sys
2007-08-26 06:39 25,600 ----a-w C:\Documents and Settings\Robert Dixon\usbsermptxp.sys
2007-08-26 06:39 22,768 ----a-w C:\Documents and Settings\Robert Dixon\usbsermpt.sys
2006-10-04 22:50 88 --sh--r C:\WINDOWS\system32\93E8019154.sys
2006-10-04 22:50 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-06-13_23.40.59.90 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-14 04:32:57 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-14 07:26:44 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-14 06:35:30 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-06-14 05:19:34 7,696,384 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-06-14 05:19:34 155,648 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-06-14 06:35:30 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-06-14 05:19:21 7,696,384 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-06-14 05:19:21 155,648 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2008-06-14 07:27:04 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_4fc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-10 22:35 68856]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 18:43 4670704]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 14:01 67584]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 20:49 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 20:46 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 20:50 114688]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 03:12 94208]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 10:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44 81920]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 05:20 122940]
"DIGServices"="C:\Program Files\ESPNRunTime\DIGServices.exe" [2006-07-14 10:47 106496]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-10-04 16:32 26112]
"lxctmon.exe"="C:\Program Files\Lexmark 5400 Series\lxctmon.exe" [2006-11-22 04:11 291760]
"Lexmark 5400 Series Fax Server"="C:\Program Files\Lexmark 5400 Series\fm3032.exe" [2006-11-22 04:12 304048]
"EzPrint"="C:\Program Files\Lexmark 5400 Series\ezprint.exe" [2006-11-22 04:11 82864]
"LXCTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll" [2006-11-21 07:27 106496]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 16:16 1121792]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 00:59 115816]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 18:38 583048]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 20:56 5367664]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-08-13 19:04 5562368]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-05-23 19:03:59 24576]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 23:07:32 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\WINDOWS\\system32\\lxctcoms.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-12 17:03:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-14 11:00:00 C:\WINDOWS\Tasks\wrSpySweeper_L38E9B5FB0FE04D43A21B5B4CD28F2388.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe>/ScheduleSweep=wrSpySweeper_L38E9B5FB0FE04D43A21B5B4CD28F2388
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- C:\
"2008-06-14 11:00:00 C:\WINDOWS\Tasks\wrSpySweeper_L8941024205E247B198CE21A4D473D968.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe>/ScheduleSweep=wrSpySweeper_L8941024205E247B198CE21A4D473D968
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- C:\
"2008-06-14 11:00:03 C:\WINDOWS\Tasks\wrSpySweeper_LDE18B0D720A147F6AA8A9CF1FF09988C.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe>/ScheduleSweep=wrSpySweeper_LDE18B0D720A147F6AA8A9CF1FF09988C
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- D:\,E:\,G:
- C:\
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-14 15:50:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
Completion time: 2008-06-14 15:53:23
ComboFix-quarantined-files.txt 2008-06-14 20:53:09
ComboFix2.txt 2008-06-14 04:41:33

Pre-Run: 35,736,473,600 bytes free
Post-Run: 35,723,603,968 bytes free

239 --- E O F --- 2008-06-11 08

22

tetonbob · 06-14-2008, 03:21 PM

Go here to run an online scannner from ESET.

Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic and also let me know how things are now.

valdezorbust · 06-14-2008, 05:15 PM

No pop ups.

Not running slow.

Spysweeper quarantined trojan.gen and various cookies this morning.

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3186 (20080613)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=ac868649c98449458f07d8df2417f7ae
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-06-14 10:48:43
# local_time=2008-06-14 05:48:43 (-0600, Central Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=313631
# found=21
# scan_time=4696
C:\Deckard\System Scanner\20080609134202\backup\DOCUME~1\Jason\LOCALS~1\Temp\MCNTNK~1.TSE Win32/Adware.ZenoSearch application 316AE7C5EA3B9F4C36A9187331286CFA
C:\Deckard\System Scanner\20080609134202\backup\WINDOWS\temp\Temporary Internet Files\Content.IE5\BFSYYF4B\TEK76[1].exe Win32/Adware.ZQuest application 6EDC2B4FF456680384C6FFC49D99B9A7
C:\Documents and Settings\Jason\Desktop\[4]-Submit_2008-06-14@2.22.zip multiple infiltrations EED4BBBF58E6D4FF36461E6FF5486622
C:\Documents and Settings\Jason\Desktop\[4]-Submit_2008-06-14@2.22.zip »ZIP »jmwnw64s.exe Win32/Adware.ZenoSearch application 00000000000000000000000000000000
C:\Documents and Settings\Jason\Desktop\[4]-Submit_2008-06-14@2.22.zip »ZIP »TEK76.exe Win32/Adware.ZQuest application 00000000000000000000000000000000
C:\Documents and Settings\Robert Dixon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\animan.class-3465a4db-6db036cd.class Java/TrojanDownloader.OpenStream.NAC trojan DBEE24E93B7EFBC279DAA14F64E9575E
C:\Documents and Settings\Robert Dixon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\OP.jar-7d3168a1-49184be3.zip Java/TrojanDownloader.OpenStream.NAB trojan 09BCE5E1BB34F7535E41DFD8CDA38FD0
C:\Documents and Settings\Robert Dixon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\OP.jar-7d3168a1-49184be3.zip »ZIP »OP.class Java/TrojanDownloader.OpenStream.NAB trojan 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\Fonts\a.zip.vir probably a variant of Win32/TrojanDropper.VB.NAI trojan B9A8CE8894E25E33D93B254E5F58DD44
C:\QooBox\Quarantine\C\WINDOWS\Fonts\a.zip.vir »ZIP »Setup.exe probably a variant of Win32/TrojanDropper.VB.NAI trojan 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\Fonts\Setup.exe.vir probably a variant of Win32/TrojanDropper.VB.NAI trojan B431E5573134ADE2858D2AE4CF461BA8
C:\QooBox\Quarantine\C\WINDOWS\system32\g41.exe.vir Win32/Adware.GooochiBiz application 08F22C1AEC5C7D2451E7FD7258671E4E
C:\QooBox\Quarantine\C\WINDOWS\system32\g41.exe.vir »NSIS »ýª€ Win32/Adware.GooochiBiz application 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\gside.exe.vir Win32/Adware.Sidebar application 1E3995535BD2B48F3BF219F04C127A15
C:\QooBox\Quarantine\C\WINDOWS\system32\gside.exe.vir »NSIS »mysidesearch_sidebar.dll Win32/Adware.Sidebar application 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\mcntnkdn.exe.vir Win32/Adware.ZenoSearch application 316AE7C5EA3B9F4C36A9187331286CFA
C:\QooBox\Quarantine\C\WINDOWS\system32\{45f32f12-49f1-d857-367f-6465a8586131}.dll.vir Win32/Adware.GooochiBiz application 455C48864DFF408376E72520EFB12DC3
C:\QooBox\Quarantine\C\WINDOWS\system32\NMP\antilutx.exe.vir Win32/TrojanDownloader.Small.IAW trojan 7D58E4784FB65A23F6A254A8C4190FF2
C:\QooBox\Quarantine\C\WINDOWS\system32\xrem\imapIP95.exe.vir Win32/TrojanDownloader.Agent.NZJ trojan AE58FD25A5A6F23F5C521EEB50B60C4B
C:\SDFix\backups\backups.zip Win32/TrojanDownloader.VB.AWJ trojan EE270C0238BE8B4156B40B3C33250E1B
C:\SDFix\backups\backups.zip »ZIP »backups/vntiho182328.exe Win32/TrojanDownloader.VB.AWJ trojan 00000000000000000000000000000000

06-12-2008, 08:51 PM	#3 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,169 OS: 2000 Pro; XP Pro; XP Home	Re: popups etc. from Trojan & CWS + more What sort of error message do you get when you try to attach the Panda log? Is it a size limitation? If so, try to zip it first, then attach it. ======================== Please run Deckard's System Scanner once again, this time using these instructions: Click the Windows 'Start' button > Select 'Run' - then copy/paste this into the run box & click OK "%userprofile%\desktop\dss.exe" /config Click on "Check All" Click Scan! When finished, it shall produce two logs for you. Post those logs in your next reply. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

06-12-2008, 10:59 PM	#4 (permalink)
valdezorbust Registered User Join Date: Jun 2008 Posts: 16 OS: xp	Re: popups etc. from Trojan & CWS + more I don't have an unzip program. Is there a free one? Last edited by valdezorbust; 06-12-2008 at 11:13 PM.

06-12-2008, 11:23 PM	#5 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,169 OS: 2000 Pro; XP Pro; XP Home	Re: popups etc. from Trojan & CWS + more You have Windows XP. It has a zip function built in. http://www.bleepingcomputer.com/tuto...torial105.html To create a ZIP file: Right click on a file, folder, or selection of files and click on the Send To menu option and then choose Compressed (zipped) Folder. The image below shows the location of these menu items: After selecting the Compressed (zipped) Folder menu option, the files will be zipped and you should now see a file that ends with .ZIP. The files name will be the name of the folder or file you compressed. If you compressed a selection of files, it will be the name of the first file in that selection. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

06-13-2008, 07:32 AM	#7 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,169 OS: 2000 Pro; XP Pro; XP Home	Re: popups etc. from Trojan & CWS + more Good job! Please also run the instructions for new Deckard's System Scanner logs. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

06-13-2008, 04:00 PM	#8 (permalink)
valdezorbust Registered User Join Date: Jun 2008 Posts: 16 OS: xp	Re: popups etc. from Trojan & CWS + more I have tried at least 5 times and I only get main.txt. Nothing is minimized. Do you want the new main.txt?

06-13-2008, 06:02 PM	#9 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,169 OS: 2000 Pro; XP Pro; XP Home	Re: popups etc. from Trojan & CWS + more Are you running DSS exactly as I have instructed? Or are you just double clicking on it to run it? __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

06-13-2008, 06:38 PM	#11 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,169 OS: 2000 Pro; XP Pro; XP Home	Re: popups etc. from Trojan & CWS + more That's more like it, let's see what we can do about cleaning this mess. One or more of the identified infections steal information. That includes all passwords, log ins to forums and your email details & other websites and most of all your Bank, Credit card or Paypal details. If this system is used for web based email, online banking or has credit card information on it, all passwords should be changed immediately by using a different computer (not the infected one!) to make the changes. Banking and credit card institutions, if any, should be notified of the possible security breech. It also seems to be able to steal all your emails so anything you have emailed to anybody is no longer confidential. I suggest that you read this article too. --------------------------------------------------------------------------------------------- Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Save the following instructions in Notepad. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence. --------------------------------------------------------------------------------------------- Download SDFix and save it to your Desktop. Double click SDFix.exe and it will extract the files to %systemdrive% (Drive that contains the Windows Directory, typically C:\SDFix) We'll use this later. --------------------------------------------------------------------------------------------- Please visit this webpage for instructions for downloading and running ComboFix: http://www.bleepingcomputer.com/comb...o-use-combofix Please ensure you read this guide carefully and install the Recovery Console first. The Windows Recovery Console will allow you to boot up into a special recovery mode if needed. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time. As part of installing the Recovery Console, ComboFix will begin to run. Follow the prompts to install the Recovery Console. Your desktop may disappear. This is normal. It will return. Once the Recovery Console is installed using ComboFix, you should see a message that says: The Recovery Console was successfully installed. Please continue as follows: Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Click Yes to allow ComboFix to continue scanning for malware. When the tool is finished, it will produce a report for you. Post the log from ComboFix (C:\ComboFix.txt) at the end of this fix. --------------------------------------------------------------------------------------------- Please then reboot your computer in Safe Mode by doing the following : Restart your computer After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually; Instead of Windows loading as normal, the Advanced Options Menu should appear; Select the first option, to run Windows in Safe Mode, then press Enter. Choose your usual account. Open the extracted SDFix folder (C:\SDFix) and double click RunThis.bat to start the script. Type Y to begin the cleanup process. It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot. Press any Key and it will restart the PC. When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons. Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to Clipboard ready for posting back on the forum). Post that log in your next reply. --------------------------------------------------------------------------------------------- Run DSS once again, and post it's log, main.txt --------------------------------------------------------------------------------------------- Please post the logs from: ComboFix (C:\ComboFix.txt) SDFix (C:\SDFix\report.txt) DSS (main.txt) If you have any questions along the way, STOP and ask them before proceeding. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

06-13-2008, 07:20 PM	#12 (permalink)
valdezorbust Registered User Join Date: Jun 2008 Posts: 16 OS: xp	Re: popups etc. from Trojan & CWS + more I think I get most of it but this is a little unclear for me: Post the log from ComboFix (C:\ComboFix.txt) at the end of this fix.

06-13-2008, 07:23 PM	#13 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,169 OS: 2000 Pro; XP Pro; XP Home	Re: popups etc. from Trojan & CWS + more When you are done with all the instructions in this fix, post that log along with the other two requested logs, rather than stopping to post just the ComboFix log. Some folks will stop and post each log as it's done. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

06-14-2008, 08:16 AM	#17 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,169 OS: 2000 Pro; XP Pro; XP Home	Re: popups etc. from Trojan & CWS + more Please double click on ComboFix.exe to run it. A log should be produced. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

06-14-2008, 02:54 PM	#18 (permalink)
valdezorbust Registered User Join Date: Jun 2008 Posts: 16 OS: xp	Re: popups etc. from Trojan & CWS + more ComboFix 08-06-12.2 - Jason 2008-06-14 15:45:57.4 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.95 [GMT -5:00] Running from: C:\Documents and Settings\Jason\Desktop\ComboFix.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . ---- Previous Run ------- . C:\Documents and Settings\Jason\Application Data\Se Analyzer Tool SA C:\Documents and Settings\Jason\Application Data\Se Analyzer Tool SA\Logs\Log_CHKONE_2008-06-06.txt C:\Documents and Settings\Jason\Application Data\Spy Emergency C:\Documents and Settings\Jason\Application Data\Spy Emergency\Cage\Cage.pfa C:\Documents and Settings\Jason\Application Data\Spy Emergency\Cage\mcntnkdn.exe.ifc C:\Documents and Settings\Jason\Application Data\Spy Emergency\Cage\zxdnt3d.cfg.ifc C:\Documents and Settings\Jason\Application Data\Spy Emergency\Keeplist\Keeplist.pfa C:\Documents and Settings\Jason\Application Data\Spy Emergency\Log\LogFile_2008-06-06.txt C:\Documents and Settings\Jason\Application Data\Spy Emergency\news.ini C:\Documents and Settings\Jason\Application Data\Spy Emergency\settings.ini C:\Documents and Settings\Robert Dixon\Application Data\Spy Emergency C:\Documents and Settings\Robert Dixon\Application Data\Spy Emergency\Keeplist\Keeplist.pfa C:\Spy Emergency 2008 5.0.205 (NEW-with serial keys) C:\Spy Emergency 2008 5.0.205 (NEW-with serial keys)\Spy Emergency 2008 5.0.205.rar C:\WINDOWS\sremcon.dat C:\WINDOWS\system32\{45f32f12-49f1-d857-367f-6465a8586131}.dll-uninst.exe C:\WINDOWS\system32\105772 C:\WINDOWS\system32\1449 C:\WINDOWS\system32\1449\~!8525p.spt C:\WINDOWS\system32\btz C:\WINDOWS\system32\expo C:\WINDOWS\system32\inet2 C:\WINDOWS\system32\jmwnw64s.exe C:\WINDOWS\system32\NMP C:\WINDOWS\system32\NMP\antilutx.exe C:\WINDOWS\system32\vbzip10.dll C:\WINDOWS\system32\xrem C:\WINDOWS\system32\xrem\imapIP95.exe C:\WINDOWS\TEK76.exe C:\WINDOWS\Um9iZXJ0IERpeG9u . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_FIPSS -------\Service_fipss ((((((((((((((((((((((((( Files Created from 2008-05-14 to 2008-06-14 ))))))))))))))))))))))))))))))) . 2008-06-14 00:19 . 2008-06-14 00:19 <DIR> d-------- C:\WINDOWS\ERUNT 2008-06-14 00:06 . 2008-06-14 00:06 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot 2008-06-13 20:59 . 2008-06-14 01:20 <DIR> d-------- C:\SDFix 2008-06-13 00:37 . 2008-06-13 00:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip 2008-06-11 03:05 . 2008-06-11 03:05 118 --a------ C:\WINDOWS\system32\MRT.INI 2008-06-10 22:32 . 2008-04-14 06:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys 2008-06-10 22:32 . 2008-04-14 06:01 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys 2008-06-10 00:36 . 2008-06-10 00:36 <DIR> d-------- C:\Documents and Settings\Haley Dixon\Application Data\Webroot 2008-06-09 00:43 . 2008-06-09 00:43 <DIR> d-------- C:\Deckard 2008-06-08 21:15 . 2008-06-08 21:17 <DIR> d-------- C:\Program Files\SpywareBlaster 2008-06-08 17:07 . 2008-06-08 21:29 <DIR> d-------- C:\Program Files\Panda Security 2008-06-08 01:47 . 2008-06-08 01:47 <DIR> d-------- C:\ie-spyad_zo 2008-06-07 00:25 . 2008-06-07 00:25 <DIR> d-------- C:\Documents and Settings\Robert Dixon\Application Data\Webroot 2008-06-07 00:22 . 2008-06-07 00:22 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot 2008-06-07 00:22 . 2008-01-04 20:34 163,696 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys 2008-06-07 00:22 . 2008-01-04 20:34 23,920 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys 2008-06-07 00:22 . 2008-01-04 20:34 21,872 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys 2008-06-07 00:22 . 2008-01-04 20:34 20,336 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys 2008-06-07 00:21 . 2008-06-07 00:21 <DIR> d-------- C:\Program Files\Webroot 2008-06-07 00:21 . 2008-06-07 00:21 <DIR> d-------- C:\Documents and Settings\Jason\Application Data\Webroot 2008-06-07 00:21 . 2008-06-07 00:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot 2008-06-07 00:21 . 2008-01-04 20:56 1,526,640 --a------ C:\WINDOWS\WRSetup.dll 2008-06-07 00:20 . 2008-06-07 00:20 164 --a------ C:\install.dat 2008-06-06 23:37 . 2008-06-06 23:37 <DIR> d-------- C:\Documents and Settings\Jason\Application Data\com.zipeg 2008-06-06 18:59 . 2008-06-06 18:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NETGATE 2008-06-06 18:48 . 2008-06-06 19:48 <DIR> d-------- C:\Documents and Settings\Robert Dixon\Application Data\com.zipeg 2008-06-06 17:06 . 2008-06-06 17:06 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\ESPN 2008-06-06 16:29 . 2008-06-06 16:29 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo! 2008-06-06 16:28 . 2008-06-13 23:18 <DIR> d-------- C:\Temp 2008-06-04 16:39 . 2008-06-04 16:39 <DIR> d-------- C:\Documents and Settings\Jason\Application Data\Sonic 2008-06-02 18:38 . 2008-06-02 18:47 <DIR> d-------- C:\Documents and Settings\Jason\Incomplete 2008-06-02 18:37 . 2008-06-02 18:47 <DIR> d-------- C:\Documents and Settings\Jason\Application Data\LimeWire 2008-05-21 09:53 . 2008-05-21 09:53 <DIR> d-------- C:\Program Files\Audacity 2008-05-21 00:42 . 2008-05-21 00:42 <DIR> d-------- C:\Program Files\iPod 2008-05-20 21:58 . 2008-06-06 19:08 <DIR> d-------- C:\Documents and Settings\Robert Dixon\Application Data\LimeWire . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-06-14 10:58 --------- d-----w C:\Program Files\Lx_cats 2008-06-12 01:08 --------- d-----w C:\Program Files\Yahoo! 2008-06-10 05:36 --------- d--h--r C:\Documents and Settings\Haley Dixon\Application Data\yahoo! 2008-06-09 01:54 --------- d-----w C:\Program Files\Common Files\Symantec Shared 2008-06-08 06:35 --------- d-----w C:\Program Files\WildTangent 2008-06-02 23:23 --------- d-----w C:\Program Files\Abbyy FineReader 6.0 Sprint 2008-05-21 05:49 --------- d-----w C:\Program Files\Apple Software Update 2008-05-21 05:43 --------- d-----w C:\Program Files\iTunes 2008-05-21 05:40 --------- d-----w C:\Program Files\QuickTime 2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys 2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\dllcache\rmcast.sys 2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll 2008-05-07 04:55 1,288,192 ------w C:\WINDOWS\system32\dllcache\quartz.dll 2008-05-05 04:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec 2008-04-24 03:16 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll 2008-04-22 07:40 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe 2008-04-22 07:39 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe 2008-04-22 07:39 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe 2008-04-21 23:46 --------- d-----w C:\Program Files\Norton 360 2008-04-20 05:07 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll 2008-04-14 18:08 --------- d-----w C:\Program Files\DeductionPro 2007 2008-04-14 15:37 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-04-14 15:28 51,716 ----a-w C:\WINDOWS\system32\pdf995mon.dll 2008-04-14 15:28 249,856 ----a-w C:\WINDOWS\system32\pdfmona.dll 2008-04-14 15:28 --------- d-----w C:\Program Files\TaxCut06 2008-04-14 15:28 --------- d-----w C:\Program Files\PDF995 2008-04-14 15:28 --------- d-----w C:\Documents and Settings\Robert Dixon\Application Data\TaxCut 2008-04-14 15:27 --------- d-----w C:\Program Files\TaxCut07 2008-04-14 15:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\TaxCut 2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll 2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll 2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys 2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys 2007-08-26 06:39 92,064 ----a-w C:\Documents and Settings\Robert Dixon\mqdmmdm.sys 2007-08-26 06:39 9,232 ----a-w C:\Documents and Settings\Robert Dixon\mqdmmdfl.sys 2007-08-26 06:39 79,328 ----a-w C:\Documents and Settings\Robert Dixon\mqdmserd.sys 2007-08-26 06:39 66,656 ----a-w C:\Documents and Settings\Robert Dixon\mqdmbus.sys 2007-08-26 06:39 6,208 ----a-w C:\Documents and Settings\Robert Dixon\mqdmcmnt.sys 2007-08-26 06:39 5,936 ----a-w C:\Documents and Settings\Robert Dixon\mqdmwhnt.sys 2007-08-26 06:39 4,048 ----a-w C:\Documents and Settings\Robert Dixon\mqdmcr.sys 2007-08-26 06:39 25,600 ----a-w C:\Documents and Settings\Robert Dixon\usbsermptxp.sys 2007-08-26 06:39 22,768 ----a-w C:\Documents and Settings\Robert Dixon\usbsermpt.sys 2006-10-04 22:50 88 --sh--r C:\WINDOWS\system32\93E8019154.sys 2006-10-04 22:50 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys . ((((((((((((((((((((((((((((( snapshot@2008-06-13_23.40.59.90 ))))))))))))))))))))))))))))))))))))))))) . - 2008-06-14 04:32:57 2,048 --s-a-w C:\WINDOWS\bootstat.dat + 2008-06-14 07:26:44 2,048 --s-a-w C:\WINDOWS\bootstat.dat + 2008-06-14 06:35:30 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE + 2008-06-14 05:19:34 7,696,384 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT + 2008-06-14 05:19:34 155,648 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat + 2008-06-14 06:35:30 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE + 2008-06-14 05:19:21 7,696,384 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT + 2008-06-14 05:19:21 155,648 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat + 2008-06-14 07:27:04 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_4fc.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-10 22:35 68856] "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288] "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696] "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 18:43 4670704] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 05:00 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 14:01 67584] "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 20:49 94208] "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 20:46 77824] "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 20:50 114688] "DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 03:12 94208] "ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 10:44 249856] "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44 81920] "DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 05:20 122940] "DIGServices"="C:\Program Files\ESPNRunTime\DIGServices.exe" [2006-07-14 10:47 106496] "RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-10-04 16:32 26112] "lxctmon.exe"="C:\Program Files\Lexmark 5400 Series\lxctmon.exe" [2006-11-22 04:11 291760] "Lexmark 5400 Series Fax Server"="C:\Program Files\Lexmark 5400 Series\fm3032.exe" [2006-11-22 04:12 304048] "EzPrint"="C:\Program Files\Lexmark 5400 Series\ezprint.exe" [2006-11-22 04:11 82864] "LXCTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll" [2006-11-21 07:27 106496] "MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 16:16 1121792] "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 00:59 115816] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792] "dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384] "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 18:38 583048] "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048] "SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 20:56 5367664] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-08-13 19:04 5562368] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-05-23 19:03:59 24576] Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 23:07:32 81920] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\Messenger\\msmsgs.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= "C:\\WINDOWS\\system32\\lxctcoms.exe"= "C:\\Program Files\\iTunes\\iTunes.exe"= [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}] \Shell\AutoRun\command - E:\setup.exe . Contents of the 'Scheduled Tasks' folder "2008-06-12 17:03:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe "2008-06-14 11:00:00 C:\WINDOWS\Tasks\wrSpySweeper_L38E9B5FB0FE04D43A21B5B4CD28F2388.job" - C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe>/ScheduleSweep=wrSpySweeper_L38E9B5FB0FE04D43A21B5B4CD28F2388 - C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex - C:\ "2008-06-14 11:00:00 C:\WINDOWS\Tasks\wrSpySweeper_L8941024205E247B198CE21A4D473D968.job" - C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe>/ScheduleSweep=wrSpySweeper_L8941024205E247B198CE21A4D473D968 - C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex - C:\ "2008-06-14 11:00:03 C:\WINDOWS\Tasks\wrSpySweeper_LDE18B0D720A147F6AA8A9CF1FF09988C.job" - C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe>/ScheduleSweep=wrSpySweeper_LDE18B0D720A147F6AA8A9CF1FF09988C - C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex - D:\,E:\,G: - C:\ . ************************************************************************ catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-06-14 15:50:03 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Iomega Activity Disk2] "ImagePath"="\"\"" . Completion time: 2008-06-14 15:53:23 ComboFix-quarantined-files.txt 2008-06-14 20:53:09 ComboFix2.txt 2008-06-14 04:41:33 Pre-Run: 35,736,473,600 bytes free Post-Run: 35,723,603,968 bytes free 239 --- E O F --- 2008-06-11 0822

06-14-2008, 03:21 PM	#19 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,169 OS: 2000 Pro; XP Pro; XP Home	Re: popups etc. from Trojan & CWS + more Go here to run an online scannner from ESET. Note: You will need to use Internet explorer for this scan Tick the box next to YES, I accept the Terms of Use. Click Start When asked, allow the activex control to install Click Start Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked Click Scan Wait for the scan to finish Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt Copy and paste that log as a reply to this topic and also let me know how things are now. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

06-14-2008, 05:15 PM	#20 (permalink)
valdezorbust Registered User Join Date: Jun 2008 Posts: 16 OS: xp	Re: popups etc. from Trojan & CWS + more No pop ups. Not running slow. Spysweeper quarantined trojan.gen and various cookies this morning. # version=4 # OnlineScanner.ocx=1.0.0.56 # OnlineScannerDLLA.dll=1, 0, 0, 51 # OnlineScannerDLLW.dll=1, 0, 0, 51 # OnlineScannerUninstaller.exe=1, 0, 0, 49 # vers_standard_module=3186 (20080613) # vers_arch_module=1.064 (20080214) # vers_adv_heur_module=1.064 (20070717) # EOSSerial=ac868649c98449458f07d8df2417f7ae # end=finished # remove_checked=false # unwanted_checked=true # utc_time=2008-06-14 10:48:43 # local_time=2008-06-14 05:48:43 (-0600, Central Daylight Time) # country="United States" # osver=5.1.2600 NT Service Pack 2 # scanned=313631 # found=21 # scan_time=4696 C:\Deckard\System Scanner\20080609134202\backup\DOCUME~1\Jason\LOCALS~1\Temp\MCNTNK~1.TSE Win32/Adware.ZenoSearch application 316AE7C5EA3B9F4C36A9187331286CFA C:\Deckard\System Scanner\20080609134202\backup\WINDOWS\temp\Temporary Internet Files\Content.IE5\BFSYYF4B\TEK76[1].exe Win32/Adware.ZQuest application 6EDC2B4FF456680384C6FFC49D99B9A7 C:\Documents and Settings\Jason\Desktop\[4]-Submit_2008-06-14@2.22.zip multiple infiltrations EED4BBBF58E6D4FF36461E6FF5486622 C:\Documents and Settings\Jason\Desktop\[4]-Submit_2008-06-14@2.22.zip »ZIP »jmwnw64s.exe Win32/Adware.ZenoSearch application 00000000000000000000000000000000 C:\Documents and Settings\Jason\Desktop\[4]-Submit_2008-06-14@2.22.zip »ZIP »TEK76.exe Win32/Adware.ZQuest application 00000000000000000000000000000000 C:\Documents and Settings\Robert Dixon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\animan.class-3465a4db-6db036cd.class Java/TrojanDownloader.OpenStream.NAC trojan DBEE24E93B7EFBC279DAA14F64E9575E C:\Documents and Settings\Robert Dixon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\OP.jar-7d3168a1-49184be3.zip Java/TrojanDownloader.OpenStream.NAB trojan 09BCE5E1BB34F7535E41DFD8CDA38FD0 C:\Documents and Settings\Robert Dixon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\OP.jar-7d3168a1-49184be3.zip »ZIP »OP.class Java/TrojanDownloader.OpenStream.NAB trojan 00000000000000000000000000000000 C:\QooBox\Quarantine\C\WINDOWS\Fonts\a.zip.vir probably a variant of Win32/TrojanDropper.VB.NAI trojan B9A8CE8894E25E33D93B254E5F58DD44 C:\QooBox\Quarantine\C\WINDOWS\Fonts\a.zip.vir »ZIP »Setup.exe probably a variant of Win32/TrojanDropper.VB.NAI trojan 00000000000000000000000000000000 C:\QooBox\Quarantine\C\WINDOWS\Fonts\Setup.exe.vir probably a variant of Win32/TrojanDropper.VB.NAI trojan B431E5573134ADE2858D2AE4CF461BA8 C:\QooBox\Quarantine\C\WINDOWS\system32\g41.exe.vir Win32/Adware.GooochiBiz application 08F22C1AEC5C7D2451E7FD7258671E4E C:\QooBox\Quarantine\C\WINDOWS\system32\g41.exe.vir »NSIS »ýª€ Win32/Adware.GooochiBiz application 00000000000000000000000000000000 C:\QooBox\Quarantine\C\WINDOWS\system32\gside.exe.vir Win32/Adware.Sidebar application 1E3995535BD2B48F3BF219F04C127A15 C:\QooBox\Quarantine\C\WINDOWS\system32\gside.exe.vir »NSIS »mysidesearch_sidebar.dll Win32/Adware.Sidebar application 00000000000000000000000000000000 C:\QooBox\Quarantine\C\WINDOWS\system32\mcntnkdn.exe.vir Win32/Adware.ZenoSearch application 316AE7C5EA3B9F4C36A9187331286CFA C:\QooBox\Quarantine\C\WINDOWS\system32\{45f32f12-49f1-d857-367f-6465a8586131}.dll.vir Win32/Adware.GooochiBiz application 455C48864DFF408376E72520EFB12DC3 C:\QooBox\Quarantine\C\WINDOWS\system32\NMP\antilutx.exe.vir Win32/TrojanDownloader.Small.IAW trojan 7D58E4784FB65A23F6A254A8C4190FF2 C:\QooBox\Quarantine\C\WINDOWS\system32\xrem\imapIP95.exe.vir Win32/TrojanDownloader.Agent.NZJ trojan AE58FD25A5A6F23F5C521EEB50B60C4B C:\SDFix\backups\backups.zip Win32/TrojanDownloader.VB.AWJ trojan EE270C0238BE8B4156B40B3C33250E1B C:\SDFix\backups\backups.zip »ZIP »backups/vntiho182328.exe Win32/TrojanDownloader.VB.AWJ trojan 00000000000000000000000000000000