Search:  

 
theme to white backgroundlet page decide theme
HomeFind ServiceReviewsISP NewsFAQsForumsToolsDatabaseAbout 
 
   All ForumsHot TopicsGallery






how-to block ads


 
Forums » Up and Running » Security » Security Cleanup » Can someone take a look
Search Topic:
Uniqs:
738		 Share Topic:
RSS topic:
toggle:
flat / full
normal / watch
Posting:
Post a:
Post a:
Links: ·SCU FAQ ·Pre-Clean Rules ·Site IMs ·VundoFix ·Zlob/Smitfraud ·MonaRonaDona
Malware Protector 2008 - HJT Log »
« HiJack This Log - Desktop Computer  
AuthorAll Replies


boognish
Premium
join:2001-09-26
Baton Rouge, LA
clubs:

3 edits		Can someone take a look

I have run spybot and mcafee in safe mode. I have also ran the built in spyware remover that came with the internet security suite from the ISP. I have installed MS defender and ran that along with the MS Malicious Software Removal Tool. All found multiple things and removes them. Then they get reinstalled right back. I can not get to an online scanner to do a virus scan. There are pop ups and IE has a hard time pulling a webpage. Earlier I could not get to the task manager and everytime I edited it in the regestery to enable it it would disable itself again. I ran virtumodobegone and that was found and removed. It still comes back though according to spybot. The OS is xp home.
to forum · permalink · · 2008-06-13 11:55:41 · Reply to this


boognish
Premium
join:2001-09-26
Baton Rouge, LA
clubs:

Re: HJT Log Can someone take a look

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:09:58 PM, on 6/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\eatel\security software\app\CurtainsSysSvcNt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\portsv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Messenger\MSMSGS.EXE
c:\windows\system32\jrwnw64m.exe
C:\DOCUME~1\Mary\MYDOCU~1\STEM~1\lsass.exe
C:\WINDOWS\SYSTEM32\a?sembly\?hkdsk.exe
C:\WINDOWS\system32\ncntskdm.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.eatel.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »www.dell4me.com/myway
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\AUserInit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: gooochi browser optimizer - {0cb83bf9-ba6c-f8e5-ad57-285d5e8b64f0} - C:\WINDOWS\system32\{38904f89-a81b-740a-dbf4-7e3a735c3043}.dll
O2 - BHO: 0 - {49FF4B42-A3F5-4A44-25B3-B11FFE5E45B7} - C:\Program Files\ComPlus Applications\qufasy.dll
O2 - BHO: (no name) - {4D62ADB4-7BB8-471C-99E4-B5B45031513F} - C:\Program Files\MSN Gaming Zone\pevoci66225.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7AAA8D12-2A91-4CB2-AED9-1FBF8A34750C} - C:\WINDOWS\system32\opnmJyxY.dll (file missing)
O2 - BHO: MySidesearch Search Assistant - {9506910A-0F94-4ea1-B567-7070428B8B2B} - C:\WINDOWS\system32\mysidesearch_sidebar.dll
O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
O2 - BHO: (no name) - {A2CAF04D-818B-4F53-8397-DE53DD806942} - (no file)
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\EATEL\Security Software\app\AuthBHO.dll
O2 - BHO: (no name) - {A515E038-54FF-1902-AE4D-09A2909B1FB3} - C:\WINDOWS\system32\nkssky.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: (no name) - {CF41B4EE-9FF4-45BC-B7C4-D8A341888F07} - C:\WINDOWS\system32\awtsTMEu.dll (file missing)
O2 - BHO: (no name) - {F9DF827A-8FA7-48A3-B268-CA4DB563EA40} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {FE6BC4EF-5676-484B-88AE-883323913256} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: High Speed Security Software Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\EATEL\Security Software\app\AuthBHO.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [AuthStart] C:\Program Files\EATEL\Security Software\app\authstart.exe
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [{D1-13-3C-CF-DW}] c:\windows\system32\jrwnw64m.exe DWram
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\ncntskdm.exe DWram
O4 - HKLM\..\Run: [AntiSpywareMaster] C:\Program Files\AntiSpywareMaster\asm.exe
O4 - HKLM\..\Run: [089d1360] rundll32.exe "C:\WINDOWS\system32\wqiksxub.dll",b
O4 - HKLM\..\Run: [{f6293933-4719-5d54-4981-ed7421156c6f}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{38904f89-a81b-740a-dbf4-7e3a735c3043}.dll" DllStart
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BM0bae20fc] Rundll32.exe "C:\WINDOWS\system32\cewocsgj.dll",s
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [05097498336311573530326436370389] C:\Program Files\XP Antivirus\xpa.exe
O4 - HKCU\..\Run: [Aida] "C:\DOCUME~1\Mary\MYDOCU~1\STEM~1\lsass.exe" -vt yazb
O4 - HKCU\..\Run: [Hga] C:\WINDOWS\SYSTEM32\a?sembly\?hkdsk.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Deewoo.lnk = C:\WINDOWS\SYSTEM32\ncntskdm.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\SYSTEM32\jrwnw64m.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - »download.mcafee.com/molbin/Share···tl32.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - »download.mcafee.com/molbin/share···sctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - »update.microsoft.com/windowsupda···12603906
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - »https://www.fjdlegal.com/Remote/msrdp.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - »download.mcafee.com/molbin/share···dmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AF84E336-9757-48F7-B654-ED2671300C60}: NameServer = 192.168.1.224
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\eatel\security software\app\CurtainsSysSvcNt.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\444.470.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\portsv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 11492 bytes
--
don't get 2 close 2 my fantasy
to forum · permalink · · 2008-06-13 15:21:10 · Reply to this


boognish
Premium
join:2001-09-26
Baton Rouge, LA
clubs:		reply to boognish
Re: Can someone take a look

Some of the things found include.
Agent.wf
virtumonde
clientman
coolwwwsearch.*
statcouter
toolbarccc
zenosearch
zedo
--
don't get 2 close 2 my fantasy
to forum · permalink · · 2008-06-13 15:38:12 · Reply to this


bcastner
Premium,VIP,MVM
join:2002-09-25
Chevy Chase, MD
clubs:
·Verizon Online DSL

reply to boognish
Why is there no antivirus software installed on this computer? You cannot safely use the internet anymore without an installed, updated, and subscription current active antivirus software program installed.

First Steps
:!: The following instructions are only for this Forum member. Please do not use these instructions on another computer system. You can seriously damage your system by following the instructions below without guided assistance. You assuredly will make a cleanup of your system more difficult.

Please download ATF Cleaner
It does not require any installation.. It is set up to clean Windows TEMP folders, as well as IE, FireFox and Opera, Temporary Internet Files and Cookies.
• Double-click ATF-Cleaner.exe to run the program.

First Step:
• Under Main choose: Select All
• Click the Empty Selected button.
Next, if you use Firefox (and some Mozilla-based browsers)
• Click Firefox at the top and choose: Select All
• Click the Empty Selected button.
Next, if you use the Opera browser
• Click Opera at the top and choose: Select All
• Click the Empty Selected button. :!: Click Exit on the Main menu to close the program.

Reconfigure Windows XP to show hidden files:
To enable the viewing of Hidden files follow these steps:
• Close all programs so that you are at your desktop.
• Double-click on the My Computer icon.
• Select the Tools menu and click Folder Options.
• After the new window appears select the View tab.
• Put a checkmark in the checkbox labeled Display the contents of system folders.
• Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
• Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
• Remove the checkmark from the checkbox labeled Hide protected operating system files.
• Press the Apply button and then the OK button and exit My Computer.
• Now your computer is configured to show all hidden files.

Malware Removal Steps

1. Download to your Desktop FixPolicies.exe, a self-extracting ZIP archive from here:


• Double-click FixPolicies.exe
• Click the "Install" button on the bottom toolbar of the box that will open.
• The program will create a new Folder called FixPolicies,
• Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
• A black box will briefly appear and then close.

2. Open HijackThis again, System scan only. Checkmark these items:

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\AUserInit.exe,
O2 - BHO: gooochi browser optimizer - {0cb83bf9-ba6c-f8e5-ad57-285d5e8b64f0} - C:\WINDOWS\system32\{38904f89-a81b-740a-dbf4-7e3a735c3043}.dll
O2 - BHO: 0 - {49FF4B42-A3F5-4A44-25B3-B11FFE5E45B7} - C:\Program Files\ComPlus Applications\qufasy.dll
O2 - BHO: (no name) - {4D62ADB4-7BB8-471C-99E4-B5B45031513F} - C:\Program Files\MSN Gaming Zone\pevoci66225.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {7AAA8D12-2A91-4CB2-AED9-1FBF8A34750C} - C:\WINDOWS\system32\opnmJyxY.dll (file missing)
O2 - BHO: MySidesearch Search Assistant - {9506910A-0F94-4ea1-B567-7070428B8B2B} - C:\WINDOWS\system32\mysidesearch_sidebar.dll
O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
O2 - BHO: (no name) - {A2CAF04D-818B-4F53-8397-DE53DD806942} - (no file)
O2 - BHO: (no name) - {A515E038-54FF-1902-AE4D-09A2909B1FB3} - C:\WINDOWS\system32\nkssky.dll
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: (no name) - {CF41B4EE-9FF4-45BC-B7C4-D8A341888F07} - C:\WINDOWS\system32\awtsTMEu.dll (file missing)
O2 - BHO: (no name) - {F9DF827A-8FA7-48A3-B268-CA4DB563EA40} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {FE6BC4EF-5676-484B-88AE-883323913256} - (no file)
O4 - HKLM\..\Run: [{D1-13-3C-CF-DW}] c:\windows\system32\jrwnw64m.exe DWram
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\ncntskdm.exe DWram
O4 - HKLM\..\Run: [AntiSpywareMaster] C:\Program Files\AntiSpywareMaster\asm.exe
O4 - HKLM\..\Run: [089d1360] rundll32.exe "C:\WINDOWS\system32\wqiksxub.dll",b
O4 - HKLM\..\Run: [{f6293933-4719-5d54-4981-ed7421156c6f}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{38904f89-a81b-740a-dbf4-7e3a735c3043}.dll" DllStart
O4 - HKLM\..\Run: [BM0bae20fc] Rundll32.exe "C:\WINDOWS\system32\cewocsgj.dll",s
O4 - HKCU\..\Run: [05097498336311573530326436370389] C:\Program Files\XP Antivirus\xpa.exe
O4 - HKCU\..\Run: [Aida] "C:\DOCUME~1\Mary\MYDOCU~1\STEM~1\lsass.exe" -vt yazb
O4 - HKCU\..\Run: [Hga] C:\WINDOWS\SYSTEM32\a?sembly\?hkdsk.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\444.470.exe (file missing)
O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\portsv.exe

Click "Fix checked" and when the log panel clears exit HijackThis.

3. Using your mouse, Highlight and then do a Right-click | Copy of the entire Box below:


Open a new Notepad document. (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.
Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and enter (including quotation marks) as the filename: "TempFix.CMD". Exit Notepad.

Double click your new file to run the batch script. You can then delete this new file.

4. Please download MalwareBytes Anti-malware (MBAM) from one of the following links:

Once downloaded, close all programs and Windows on your computer (including this one.)

Double-click on the icon on your desktop named Download_mbam-setup.exe. This will start the installation of MBAM onto your computer.

When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button.

MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program.

On the Scanner tab, make sure the the Perform quick scan option is selected and then click on the Scan button to start scanning your computer.

MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan.

When the scan is finished a message box will appear that it has completed scanning successfully. Click OK. Now click Show Results. Make sure all entries have a checkmark at their far left. You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine.

When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window. Remember where you saved the log file, as we will want to see it later.

5. Download and Run -- ComboFix©
Download this file -- to your Desktop -- from any of these sources:

• Disconnect from the Internet.
• Disable your Antivirus software -- this includes any Script Blocking Feature it may have.

Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
• A window will open with a warning. Accept any disclaimers to start the fix. When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.
A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

6. Run HijackThis again, and save the log file.

Submit to the Forum:
•Your MBAM log results;
• The contents of C:\Combofix.txt;
• The new HijackThis log.

7. Please install an antivirus program. If cost is an issue, the following are two good freeware choices:

Avira Antivirus Classic
»www.free-av.com/
(Or better yet, follow this excellent Guide to its installation and use: »www.techsupportforum.com/content···/64.html )

AVAST!
»www.avast.com/eng/avast_4_home.html

:!: Install only one.
Manually update the definition file for the antivirus you choose.
Scan once in Normal Mode.

--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users

to forum · permalink · · 2008-06-13 17:47:20 · Reply to this


boognish
Premium
join:2001-09-26
Baton Rouge, LA
clubs:

reply to boognish
There is an antivirus installed on this computer. It is in the eatel security suite (his ISP). It looks like it is mcafee. It even says it was last updated on June 13th. I haven't hooked it up to the internet or my network that is why I could not do an on line scan. It is not my computer. One of the controllers at work brought it in and wanted it clean. I would reformat and reinstall, but he doesn't want that. If you think that antivirus is crap I have tons of licenses for symantec corp I can put on here.
--
don't get 2 close 2 my fantasy
to forum · permalink · · 2008-06-13 18:02:39 · Reply to this


bcastner
Premium,VIP,MVM
join:2002-09-25
Chevy Chase, MD
clubs:		reply to boognish
Just keep going.
I need to see the log results.
to forum · permalink · · 2008-06-13 22:10:50 · Reply to this


boognish
Premium
join:2001-09-26
Baton Rouge, LA
clubs:

reply to boognish
combo.txt 10,058 byteshijackthis.log 9,005 bytes
The MBAM log got lost in a reboot. Should I rerun it or not ?
--
don't get 2 close 2 my fantasy
to forum · permalink · · 2008-06-16 10:27:44 · Reply to this


lilhurricane
Crunchin' For Cures
Premium,Mod
join:2003-01-11
Purple Zone
clubs:
·Comcast

Host:
TV over IP
Software
RCN
Inside Insight
Team Discovery
 Opened up:

ComboFix 08-06-15.4 - Mary 2008-06-16 8:41:15.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.205 [GMT -5:00]
Running from: C:\Documents and Settings\Mary\Desktop\ComboFix.exe
* Created a new restore point

[color=red]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/color]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Mary\My Documents\STEM~1
C:\Documents and Settings\Mary\My Documents\STEM~1\??stem\
C:\Documents and Settings\Mary\My Documents\STEM~1\lsass.exe
C:\Program Files\Common Files\racle~1
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\Temp\vtmp2
C:\Temp\vtmp2\ktnv33.log
C:\WINDOWS\BM0bae20fc.xml
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\muotr.so
C:\WINDOWS\pskt.ini
C:\WINDOWS\SYSTEM32\3522
C:\WINDOWS\SYSTEM32\3522\10680.dll
C:\WINDOWS\system32\asembl~1
C:\WINDOWS\system32\asembl~1\?hkdsk.exe
C:\WINDOWS\system32\g57.exe
C:\WINDOWS\system32\hljwugsf.bin
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\SYSTEM32\uEMTstwa.ini
C:\WINDOWS\SYSTEM32\uEMTstwa.ini2
C:\WINDOWS\system32\YxyJmnpo.ini
C:\WINDOWS\SYSTEM32\YxyJmnpo.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_MSSECURITY1.209.4
-------\Legacy_NETWORK_MONITOR

((((((((((((((((((((((((( Files Created from 2008-05-16 to 2008-06-16 )))))))))))))))))))))))))))))))
.

2008-06-16 07:58 . 2008-06-16 07:58 d-------- C:\Documents and Settings\Mary\Application Data\Malwarebytes
2008-06-16 07:57 . 2008-06-16 07:58 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-16 07:57 . 2008-06-16 07:57 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-16 07:57 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-06-16 07:57 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-06-13 12:36 . 2008-06-13 12:36 d-------- C:\Program Files\Windows Defender
2008-06-13 10:49 . 2008-06-13 10:49 d-------- C:\Program Files\Trend Micro
2008-06-12 17:06 . 2008-06-12 17:06 d-------- C:\VundoFix Backups
2008-06-12 15:17 . 2004-02-21 20:08 d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-06-12 15:17 . 2004-02-21 20:10 d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-06-12 15:17 . 2008-06-12 15:17 d-------- C:\Documents and Settings\Administrator
2008-06-12 14:02 . 2004-08-04 00:58 14,848 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kbdhid.sys
2008-06-12 14:02 . 2004-08-04 00:58 14,848 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\kbdhid.sys
2008-06-12 14:02 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\hidusb.sys
2008-06-12 14:02 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\hidusb.sys
2008-06-09 13:34 . 2008-06-09 13:34 9,662 --a------ C:\WINDOWS\SYSTEM32\ZoneAlarmIconUS.ico
2008-06-09 13:23 . 2008-06-09 17:19 d--hs---- C:\WINDOWS\TWFyeSA
2008-06-09 13:23 . 2008-06-09 13:23 d-------- C:\WINDOWS\SYSTEM32\vntiho01
2008-06-01 15:52 . 2008-06-13 08:29 d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-01 15:52 . 2008-06-13 09:10 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-20 16:02 . 2008-05-20 16:02 32,768 --a------ C:\WINDOWS\SYSTEM32\vntiho01\vntiho011065.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-13 19:06 --------- d-----w C:\Program Files\Common Files\Command Software
2008-04-16 22:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-16 21:32 636,192 ----a-w C:\Program Files\DMSetup.exe
2006-08-15 11:05 21,254,280 ----a-w C:\Program Files\AdbeRdr707_en_US.exe
2005-01-30 17:27 533,704 ----a-w C:\Program Files\AdbeRdr70_DLM_enu_full.exe
2004-04-11 22:18 1,999,228 ----a-w C:\Program Files\RTFPC110.exe
2005-07-29 21:24 472 --sha-r C:\WINDOWS\TWFyeSA\nqIVymE.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [ ]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-07 01:19 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 01:07 114688]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 02:04 114741]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 02:01 155648]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 11:27 28672]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 20:47 204800]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-02-21 20:06 151597]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-10-06 11:05 53248]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2003-10-06 11:05 118784]
"StatusClient"="C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 17:51 36864]
"TomcatStartup"="C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-03-31 20:28 155648]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 11:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 13:10 267048]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"AuthStart"="C:\Program Files\EATEL\Security Software\app\authstart.exe" [2005-08-30 12:35 110592]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 02:56 53760 C:\WINDOWS\SYSTEM32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2004-02-21 20:03:16 24576]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2004-12-25 11:57:06 118784]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 GRTdiMon;GR TDI Mon;C:\WINDOWS\system32\Drivers\GRTdiMon.sys [2004-11-10 08:50]
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 10:23]
S1 ASC3350PP;ASC3350PP;C:\WINDOWS\system32\drivers\ASC3350PP.sys []
S2 PlugPlayRPC;Plug and Play (RPC);C:\WINDOWS\portsv.exe service []

.
Contents of the 'Scheduled Tasks' folder
"2008-06-04 15:38:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2004-03-13 02:13:22 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\System32\OOBE\OOBEBALN.EXE
"2008-06-16 13:48:57 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, »www.gmer.net
Rootkit scan 2008-06-16 08:46:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\EATEL\Security Software\app\CurtainsSysSvcNt.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\SYSTEM32\wdfmgr.exe
C:\WINDOWS\SYSTEM32\wscntfy.exe
C:\Program Files\EATEL\Security Software\app\PRISM.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-06-16 8:56:40 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-16 13:56:25

Pre-Run: 67,128,512,512 bytes free
Post-Run: 67,047,292,928 bytes free

163 --- E O F --- 2008-05-28 08:02:08

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:24:38 AM, on 6/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\eatel\security software\app\CurtainsSysSvcNt.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\EATEL\Security Software\app\Prism.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.eatel.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\EATEL\Security Software\app\AuthBHO.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: High Speed Security Software Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\EATEL\Security Software\app\AuthBHO.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [AuthStart] C:\Program Files\EATEL\Security Software\app\authstart.exe
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - »download.mcafee.com/molbin/Share···tl32.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - »download.mcafee.com/molbin/share···sctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - »update.microsoft.com/windowsupda···12603906
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - »https://www.fjdlegal.com/Remote/msrdp.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - »download.mcafee.com/molbin/share···dmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AF84E336-9757-48F7-B654-ED2671300C60}: NameServer = 192.168.1.224
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\eatel\security software\app\CurtainsSysSvcNt.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\portsv.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 9004 bytes
--
~Safe Hex~ Team Discovery ~ Project Hope ~ Like A Hurricane~
to forum · permalink · · 2008-06-16 10:30:13 · Reply to this


bcastner
Premium,VIP,MVM
join:2002-09-25
Chevy Chase, MD
clubs:
·Verizon Online DSL

reply to boognish
1. Right-click on the header of the Code box below, where on the right side it says: "Copy to clipboard" or using your Mouse, do a Right-click Copy:

Open a new Notepad session - (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

• Disconnect from the Internet.
• Disable your Antivirus. If the Antivirus software you use has any Script Blocking features, be certain to disable these as well.
Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
• A window will open with a warning. Accept any Disclaimers to start the fix.
Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown in this little picture:


When the scan completes Notepad will open with with your results log open. Exit Notepad.
!• A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

Open Acrobat if you have the Full Version installed Click Help and run the Upgrade applet found there. If no update is offered: Use the Preferences, Internet submenu of Acrobat and uncheck to integrate with your Browser. Close Acrobat.
Whether you had the Full Version of Acrobat or not, download and install Adobe Reader 8.1.1 and use this as the integrated PDF Reader insider your browser: »www.adobe.com/products/acrobat/r···ep2.html

Clean-up & Prevention:

• Right click "My Computer", Properties, and then click the System Restore tab. Checkmark the box at the top to stop System Restore on all drives. Click the "Apply" button. Agree to the deletion of old Restore Points. Then uncheck the box at the top and again click the "Apply" button. Finally, click the "OK" button. This will create a new Restore Point reflecting your clean system state.

• Click Start, then click Run.
Enter into the command box that opens: combofix /u and then click OK.
(If we have renamed this file, please use the current name for the program in this instruction.)


• Please download OTMoveIt2 by OldTimer to your Desktop (only):


• Please double-click OTMoveIt.exe to run it.
• Click on the green CleanUp! button. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so.
• After the list has been download you'll be asked if you want to Begin cleanup process? Select "Yes".
• This step removes the files, folders, and shortcuts created by the tools I had you download and run.

• Run ATF Cleaner , and checkmark "Empty Recycle Bin", click "Empty Selected" and exit the program. You can delete or keep this utility as you wish.

• Use Control Panel, Add or Remove Programs, and Uninstall any entry related to an On-Line scanner we may have used.
If you find any files or folders created during this cleanup operation remaining, please feel free to delete them.

• Configure your Antivirus software to check for updates daily, at a time in which you are sure the computer will be on.

• If I asked you to Disable something like TeaTimer or another malware blocker, please go ahead an re-enable them if you wish.

Download and Install Windows Defender by Microsoft (free):

Suggestion: Download and install Comodo BOClean (free):

Suggestion: Download, install, and keep updated Spyware Blaster (free):

• Refer to my first set of instructions above, and reconfigure Hidden Files and Folders to your choosing.

Best wishes.
Bill Castner

--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users

to forum · permalink · · 2008-06-17 11:58:35 · Reply to this


boognish
Premium
join:2001-09-26
Baton Rouge, LA
clubs:		reply to boognish
Thank you for your help.
to forum · permalink · · 2008-06-17 16:41:42 · Reply to this


bcastner
Premium,VIP,MVM
join:2002-09-25
Chevy Chase, MD
clubs:
·Verizon Online DSL

1 edit		 You are very welcome. That is what this Forum is all about.

I think at the moment you should be OK.

My best wishes,
Bill Castner
--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users

to forum · permalink · · 2008-06-18 03:24:50 · Reply to this
Forums » Up and Running » Security » Security CleanupMalware Protector 2008 - HJT Log »
« HiJack This Log - Desktop Computer  

Sunday, 06-Dec 05:17:31 Terms of Use | Privacy Policy | Hosting by www.nac.net - DSL,Hosting & Co-lo | feedback | contact
over 10 years online! © 1999-2009 dslreports.com.republican-creole
page compression OFF
Most commented news this week
· [163] Comcast Releasing Promised Usage Meter
· [147] Avast Antivirus Has Gone Mad
· [128] Comcast Makes NBC Universal Acquisition Official
· [124] The Bandwidth Hog Does Not Exist
· [105] Graduate Student Unveils Sprint's GPS Sharing With Feds
· [101] Google Invades ISP, OpenDNS Turf With Google Public DNS
· [85] FCC Ponders Moving From PSTN To IP Voice
· [82] Latest Consumer Reports Survey Not Kind To AT&T
· [80] New Bill Aims To Limit ETFs
· [75] Sprint Defuses GPS Privacy Media Bomb
Most people now reading
· Windows 7 boot manager editing questions [Microsoft Help]
· Wife might have to work in.... Iowa for a few months!!! [General Questions]
· False positive in Avast! or is it real? [Security]
· Is there any true cure for, or way to prevent, a hangover? [General Questions]
· [DNS] Google's public DNS... performance increases? [Comcast HSI]
· [Newsgroups] Newzleech down? [Filesharing Software]
· [ PVP] 3.2 DK PvP D/W Spec... [World of Warcraft]
· IE8 InPrivate filter from adblock plus list [Microsoft Help]
· Unable to load You Tube videos_SOLVED_FINALLY! [OptimumOnline]
· First commercial tool to crack BitLocker arrives (Updated) [Security]