Glasscock84

Please Help!


Hello,

I seem to have a mess on my computer. More than a week ago, my computer was infected with some sort of spyware. I tried to use ad-aware and spybot to get rid of it. I even tried to run those programs while system restore was turned off. I still receive pop ups when I use the internet. Now when I turn on my computer I get a message that update.exe could not load because system.dll is missing. I believe this is from trying to delete some of the components through ad-aware and spybot. I really don't know what to do.

Sometimes when I run adaware it recognizes a process that is infected and other times it does not.

Here is my adaware log, this one does not have the process on it.


Ad-Aware SE Build 1.06r1

Logfile Created on:Sunday, January 21, 2007 10:45:53 PM

Created with Ad-Aware SE Personal, free for private use.

Using definitions file:SE1R145 17.01.2007

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

References detected during the scan:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

MRU List(TAC index:0):8 total references

Softomate Toolbar(TAC index:9):3 total references

Tracking Cookie(TAC index:3):1 total references

Win32.TrojanDownloader.Agent(TAC index:10):3 total references

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Ad-Aware SE Settings

===========================

Set : Search for negligible risk entries

Set : Safe mode (always request confirmation)

Set : Scan active processes

Set : Scan registry

Set : Deep-scan registry

Set : Scan my IE Favorites for banned URLs

Set : Scan my Hosts file

 

Extended Ad-Aware SE Settings

===========================

Set : Unload recognized processes & modules during scan

Set : Scan registry for all users instead of current user only

Set : Always try to unload modules before deletion

Set : During removal, unload Explorer and IE if necessary

Set : Let Windows remove files in use at next reboot

Set : Delete quarantined objects after restoring

Set : Include basic Ad-Aware settings in log file

Set : Include additional Ad-Aware settings in log file

Set : Include reference summary in log file

Set : Include alternate data stream details in log file

Set : Play sound at scan completion if scan locates critical objects

 

 

1-21-2007 10:45:53 PM - Scan started. (Full System Scan)

 

MRU List Object Recognized!

Location: : C:\Documents and Settings\Lauren\Application Data\microsoft\office\recent

Description : list of recently opened documents using microsoft office

 

 

MRU List Object Recognized!

Location: : C:\Documents and Settings\Lauren\recent

Description : list of recently opened documents

 

 

MRU List Object Recognized!

Location: : software\microsoft\directdraw\mostrecentapplication

Description : most recent application to use microsoft directdraw

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1491127789-400990916-1918505900-1006\software\microsoft\internet explorer\typedurls

Description : list of recently entered addresses in microsoft internet explorer

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1491127789-400990916-1918505900-1006\software\microsoft\office\10.0\common\open find\microsoft word\settings\save as\file name mru

Description : list of recent documents saved by microsoft word

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1491127789-400990916-1918505900-1006\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru

Description : list of recent programs opened

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1491127789-400990916-1918505900-1006\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru

Description : list of recently saved files, stored according to file extension

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1491127789-400990916-1918505900-1006\software\microsoft\windows\currentversion\explorer\recentdocs

Description : list of recent documents opened

 

 

Listing running processes

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

#:1 [smss.exe]

FilePath : \SystemRoot\System32\

ProcessID : 1468

ThreadCreationTime : 1-22-2007 4:15:16 AM

BasePriority : Normal

 

 

#:2 [csrss.exe]

FilePath : \??\C:\WINDOWS\system32\

ProcessID : 1744

ThreadCreationTime : 1-22-2007 4:15:17 AM

BasePriority : Normal

 

 

#:3 [winlogon.exe]

FilePath : \??\C:\WINDOWS\system32\

ProcessID : 1908

ThreadCreationTime : 1-22-2007 4:15:18 AM

BasePriority : High

 

 

#:4 [services.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 2040

ThreadCreationTime : 1-22-2007 4:15:18 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Services and Controller app

InternalName : services.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : services.exe

 

#:5 [lsass.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 188

ThreadCreationTime : 1-22-2007 4:15:18 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : LSA Shell (Export Version)

InternalName : lsass.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : lsass.exe

 

#:6 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1436

ThreadCreationTime : 1-22-2007 4:15:19 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:7 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1708

ThreadCreationTime : 1-22-2007 4:15:20 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:8 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1932

ThreadCreationTime : 1-22-2007 4:15:20 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:9 [evteng.exe]

FilePath : C:\Program Files\Intel\Wireless\Bin\

ProcessID : 208

ThreadCreationTime : 1-22-2007 4:15:20 AM

BasePriority : Normal

FileVersion : 9, 0, 1, 12

ProductVersion : 9, 0, 0, 0

ProductName : EvtEng Module

CompanyName : Intel Corporation

FileDescription : EvtEng Module

InternalName : EvtEng

LegalCopyright : Copyright © Intel Corporation 1999-2004

OriginalFilename : EvtEng.EXE

 

#:10 [s24evmon.exe]

FilePath : C:\Program Files\Intel\Wireless\Bin\

ProcessID : 600

ThreadCreationTime : 1-22-2007 4:15:21 AM

BasePriority : Normal

FileVersion : 9, 0, 1, 41

ProductVersion : 9, 0, 0, 0

ProductName : Mobile Unit Support Service

CompanyName : Intel Corporation

FileDescription : Event Monitor - Supports driver extensions to NIC Driver for wireless adapters.

InternalName : S24EvMon

LegalCopyright : Copyright © Intel Corporation 1999-2004

OriginalFilename : S24EvMon.exe

 

#:11 [zcfgsvc.exe]

FilePath : C:\Program Files\Intel\Wireless\Bin\

ProcessID : 804

ThreadCreationTime : 1-22-2007 4:15:22 AM

BasePriority : Normal

FileVersion : 9, 0, 1, 45

ProductVersion : 1, 0, 0, 2

ProductName : ZeroCfgSvc Application

CompanyName : Intel Corporation

FileDescription : ZeroCfgSvc MFC Application

InternalName : ZeroCfgSvc

LegalCopyright : Copyright © Intel Corporation 1999-2004

OriginalFilename : ZeroCfgSvc.EXE

 

#:12 [wlkeeper.exe]

FilePath : C:\Program Files\Intel\Wireless\Bin\

ProcessID : 964

ThreadCreationTime : 1-22-2007 4:15:22 AM

BasePriority : Normal

FileVersion : 9, 0, 1, 14

ProductVersion : 1, 0, 0, 1

ProductName : SSOFSet Service

CompanyName : Intel® Corporation

FileDescription : WLKEEPER

InternalName : WLKEEPER

LegalCopyright : Copyright © 2004

OriginalFilename : WLKEEPER.exe

 

#:13 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1408

ThreadCreationTime : 1-22-2007 4:15:23 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:14 [explorer.exe]

FilePath : C:\WINDOWS\

ProcessID : 1488

ThreadCreationTime : 1-22-2007 4:15:23 AM

BasePriority : Normal

FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 6.00.2900.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Windows Explorer

InternalName : explorer

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : EXPLORER.EXE

 

#:15 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1768

ThreadCreationTime : 1-22-2007 4:15:23 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:16 [spoolsv.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 916

ThreadCreationTime : 1-22-2007 4:15:24 AM

BasePriority : Normal

FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)

ProductVersion : 5.1.2600.2696

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Spooler SubSystem App

InternalName : spoolsv.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : spoolsv.exe

 

#:17 [isafe.exe]

FilePath : C:\Program Files\Yahoo!\Antivirus\

ProcessID : 1208

ThreadCreationTime : 1-22-2007 4:15:24 AM

BasePriority : Normal

FileVersion : Version 11.0.7.4

ProductVersion : Version 11.0.7.4

ProductName : Computer Associates Antivirus

CompanyName : Computer Associates International, Inc.

FileDescription : CA ISafe Service

InternalName : ISafe

LegalCopyright : © 2004 Computer Associates International, Inc.

LegalTrademarks : Trademark of Computer Associates International, Inc.

OriginalFilename : ISafe.exe

 

#:18 [svchosts.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1232

ThreadCreationTime : 1-22-2007 4:15:24 AM

BasePriority : Normal

 

 

#:19 [nicconfigsvc.exe]

FilePath : C:\Program Files\Dell\NICCONFIGSVC\

ProcessID : 1532

ThreadCreationTime : 1-22-2007 4:15:24 AM

BasePriority : Normal

FileVersion : 1, 0, 0, 1

ProductVersion : 1, 0, 0, 1

ProductName : NicConfigSvc

CompanyName : Dell Inc.

FileDescription : Internal Network Card Power Management Service

InternalName : TestMFCAppWiz

LegalCopyright : Copyright © 2004 Dell Inc.

OriginalFilename : NicConfigSvc.EXE

 

#:20 [distagnt.exe]

FilePath : C:\PROGRA~1\PHAROS\bin\

ProcessID : 516

ThreadCreationTime : 1-22-2007 4:15:25 AM

BasePriority : Normal

FileVersion : 4.60.0567

ProductVersion : 4.60.0567

ProductName : PHAROS

CompanyName : Pharos Systems Limited

FileDescription : PHAROS Distribution Agent

InternalName : DistAgent

LegalCopyright : Copyright © 2000 Pharos Systems Limited

OriginalFilename : DistAgnt.exe

 

#:21 [regsrvc.exe]

FilePath : C:\Program Files\Intel\Wireless\Bin\

ProcessID : 616

ThreadCreationTime : 1-22-2007 4:15:25 AM

BasePriority : Normal

FileVersion : 9, 0, 1, 10

ProductVersion : 9, 0, 0, 0

ProductName : RegSrvc Module

CompanyName : Intel Corporation

FileDescription : RegSrvc Module

InternalName : RegSrvc

LegalCopyright : Copyright © Intel Corporation 1999-2004

OriginalFilename : RegSrvc.EXE

Comments : Registry Interface for Intel Wireless Products

 

#:22 [wdfmgr.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 728

ThreadCreationTime : 1-22-2007 4:15:25 AM

BasePriority : Normal

FileVersion : 5.2.3790.1230 built by: DNSRV(bld4act)

ProductVersion : 5.2.3790.1230

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Windows User Mode Driver Manager

InternalName : WdfMgr

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : WdfMgr.exe

 

#:23 [vetmsg.exe]

FilePath : C:\Program Files\Yahoo!\Antivirus\

ProcessID : 1556

ThreadCreationTime : 1-22-2007 4:15:26 AM

BasePriority : Normal

FileVersion : Version 11.0.7.4

ProductVersion : Version 11.0.7.4

ProductName : Computer Associates Antivirus

CompanyName : Computer Associates International, Inc.

FileDescription : CA Antivirus Realtime Messaging Service

InternalName : vetmsg

LegalCopyright : © 2004 Computer Associates International, Inc.

LegalTrademarks : Trademark of Computer Associates International, Inc.

OriginalFilename : vetmsg.exe

 

#:24 [alg.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 764

ThreadCreationTime : 1-22-2007 4:15:28 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Application Layer Gateway Service

InternalName : ALG.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : ALG.exe

 

#:25 [1xconfig.exe]

FilePath : C:\PROGRA~1\Intel\Wireless\Bin\

ProcessID : 1360

ThreadCreationTime : 1-22-2007 4:15:28 AM

BasePriority : Normal

FileVersion : 9, 0, 1, 33

ProductVersion : 9, 0, 0, 0

ProductName : 8021XConfig Module

CompanyName : Intel

FileDescription : 8021XConfig Module

InternalName : 8021XConfig

LegalCopyright : Copyright © Intel Corporation 1999-2004

OriginalFilename : 1XConfig.EXE

Comments : Wrapper for MH. (Service COM)

 

#:26 [wmiprvse.exe]

FilePath : C:\WINDOWS\system32\wbem\

ProcessID : 1316

ThreadCreationTime : 1-22-2007 4:15:28 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : WMI

InternalName : Wmiprvse.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : Wmiprvse.exe

 

#:27 [apoint.exe]

FilePath : C:\Program Files\Apoint\

ProcessID : 2324

ThreadCreationTime : 1-22-2007 4:15:30 AM

BasePriority : Normal

FileVersion : 5.5.101.141

ProductVersion : 5.5.101.141

ProductName : Alps Pointing-device Driver

CompanyName : Alps Electric Co., Ltd.

FileDescription : Alps Pointing-device Driver

InternalName : Alps Pointing-device Driver

LegalCopyright : Copyright © 1999-2004 Alps Electric Co., Ltd.

OriginalFilename : Apoint.exe

 

#:28 [hkcmd.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 2372

ThreadCreationTime : 1-22-2007 4:15:30 AM

BasePriority : Normal

FileVersion : 3.0.0.4020

ProductVersion : 7.0.0.4020

ProductName : Intel® Common User Interface

CompanyName : Intel Corporation

FileDescription : hkcmd Module

InternalName : HKCMD

LegalCopyright : Copyright 1999-2004, Intel Corporation

OriginalFilename : HKCMD.EXE

 

#:29 [jusched.exe]

FilePath : C:\Program Files\Java\j2re1.4.2_03\bin\

ProcessID : 2524

ThreadCreationTime : 1-22-2007 4:15:30 AM

BasePriority : Normal

 

 

#:30 [ifrmewrk.exe]

FilePath : C:\Program Files\Intel\Wireless\Bin\

ProcessID : 2544

ThreadCreationTime : 1-22-2007 4:15:31 AM

BasePriority : Normal

FileVersion : 9, 0, 1, 19

ProductVersion : 9, 0, 0, 0

ProductName : Intel PROSet/Wireless

CompanyName : Intel Corporation

FileDescription : Intel Framework MFC Application

InternalName : Framework

LegalCopyright : Copyright © Intel Corporation 1999-2004

OriginalFilename : iFramewrk.exe

 

#:31 [pcmservice.exe]

FilePath : C:\Program Files\Dell\Media Experience\

ProcessID : 2552

ThreadCreationTime : 1-22-2007 4:15:31 AM

BasePriority : Normal

FileVersion : 1.0.1611

ProductVersion : 1.0.1611

ProductName : PCM2Launcher Application

CompanyName : CyberLink Corp.

FileDescription : PowerCinema Resident Program for Dell

InternalName : PowerCinema Resident Program for Dell

LegalCopyright : Copyright c 2003 CyberLink Corp.

OriginalFilename : PCM2Launcher.EXE

 

#:32 [quickset.exe]

FilePath : C:\Program Files\Dell\QuickSet\

ProcessID : 2588

ThreadCreationTime : 1-22-2007 4:15:31 AM

BasePriority : Normal

FileVersion : 1, 0, 0, 1

ProductVersion : 1, 0, 0, 1

ProductName : QuickSet Application

FileDescription : QuickSet MFC Application

InternalName : direct

LegalCopyright : Copyright © 2001

OriginalFilename : direct.EXE

 

#:33 [dvdlauncher.exe]

FilePath : C:\Program Files\CyberLink\PowerDVD\

ProcessID : 2636

ThreadCreationTime : 1-22-2007 4:15:31 AM

BasePriority : Normal

FileVersion : 3.00.0000

ProductVersion : 3.00.0000

ProductName : Cyberlink PowerCinema 3.0

CompanyName : CyberLink Corp.

FileDescription : CyberLink PowerCinema Resident Program

InternalName : CyberLink PowerCinema Resident Program

LegalCopyright : Copyright © 2003 CyberLink Corp.

OriginalFilename : DVDLauncher.EXE

 

#:34 [mmtask.exe]

FilePath : C:\Program Files\Musicmatch\Musicmatch Jukebox\

ProcessID : 2692

ThreadCreationTime : 1-22-2007 4:15:31 AM

BasePriority : Normal

FileVersion : 9.0.0.1

ProductVersion : 9.0.0.1

ProductName : Musicmatch Jukebox

CompanyName : Musicmatch Inc.

FileDescription : <Musicmatch System Tray Application>

InternalName : mmtask.exe

LegalCopyright : © Musicmatch Inc.. All rights reserved.

OriginalFilename : mmtask.exe

 

#:35 [tfswctrl.exe]

FilePath : C:\WINDOWS\system32\dla\

ProcessID : 2804

ThreadCreationTime : 1-22-2007 4:15:31 AM

BasePriority : Normal

FileVersion : 1.04.08a

CompanyName : Sonic Solutions

FileDescription : Drive Letter Access Component

LegalCopyright : Copyright © 2004 Sonic Solutions

 

#:36 [issch.exe]

FilePath : C:\Program Files\Common Files\InstallShield\UpdateService\

ProcessID : 2948

ThreadCreationTime : 1-22-2007 4:15:31 AM

BasePriority : Normal

FileVersion : 3, 10, 100, 1155

ProductVersion : 3, 10

ProductName : InstallShield Update Service

CompanyName : InstallShield Software Corporation

FileDescription : InstallShield Update Service Scheduler

InternalName : Scheduler

LegalCopyright : Copyright © 1990-2004 InstallShield Software Corporation

OriginalFilename : issch.exe

 

#:37 [cavtray.exe]

FilePath : C:\Program Files\Yahoo!\Antivirus\

ProcessID : 2980

ThreadCreationTime : 1-22-2007 4:15:31 AM

BasePriority : Normal

FileVersion : Version 11.0.7.4

ProductVersion : Version 11.0.7.4

ProductName : Computer Associates Antivirus

CompanyName : Computer Associates International, Inc.

FileDescription : CA Antivirus System Tray Application

InternalName : CAVTray

LegalCopyright : © 2004 Computer Associates International, Inc.

LegalTrademarks : Trademark of Computer Associates International, Inc.

OriginalFilename : CAVTray.exe

 

#:38 [cavrid.exe]

FilePath : C:\Program Files\Yahoo!\Antivirus\

ProcessID : 3020

ThreadCreationTime : 1-22-2007 4:15:32 AM

BasePriority : Normal

FileVersion : Version 11.0.7.4

ProductVersion : Version 11.0.7.4

ProductName : Computer Associates Antivirus

CompanyName : Computer Associates International, Inc.

FileDescription : CA Antivirus Realtime Infection Report

InternalName : CAVRid

LegalCopyright : © 2004 Computer Associates International, Inc.

LegalTrademarks : Trademark of Computer Associates International, Inc.

OriginalFilename : CAVRid.exe

 

#:39 [yop.exe]

FilePath : C:\PROGRA~1\Yahoo!\YOP\

ProcessID : 3044

ThreadCreationTime : 1-22-2007 4:15:32 AM

BasePriority : Normal

FileVersion : 2005, 4, 22, 3

ProductVersion : 1, 0, 0, 409

ProductName : Dashboard Module

CompanyName : Yahoo! Inc.

FileDescription : Dashboard Module

InternalName : Dashboard

LegalCopyright : Copyright 2004, Yahoo! Inc.

OriginalFilename : Dashboard.exe

 

#:40 [dsagnt.exe]

FilePath : C:\Program Files\Dell Support\

ProcessID : 3252

ThreadCreationTime : 1-22-2007 4:15:32 AM

BasePriority : Below Normal

FileVersion : 1, 1, 1, 121

ProductVersion : 1, 1, 1, 121

ProductName : Dell Support

CompanyName : Gteko Ltd.

FileDescription : Dell Support

InternalName : AUAgent

LegalCopyright : Copyright © 2000 - 2005 Gteko Ltd.

OriginalFilename : AUAgent.exe

 

#:41 [aim.exe]

FilePath : C:\PROGRA~1\AIM\

ProcessID : 3500

ThreadCreationTime : 1-22-2007 4:15:32 AM

BasePriority : Normal

FileVersion : 5.9.3861

ProductVersion : 5.9.3861

ProductName : AOL Instant Messenger

CompanyName : America Online, Inc.

FileDescription : AOL Instant Messenger

InternalName : AIM

LegalCopyright : Copyright © 1996-2005 America Online, Inc.

OriginalFilename : AIM.EXE

 

#:42 [apntex.exe]

FilePath : C:\Program Files\Apoint\

ProcessID : 3880

ThreadCreationTime : 1-22-2007 4:15:34 AM

BasePriority : Normal

FileVersion : 5.5.1.19

ProductVersion : 5.5.1.19

ProductName : Alps Pointing-device Driver for Windows NT/2000/XP

CompanyName : Alps Electric Co., Ltd.

FileDescription : Alps Pointing-device Driver for Windows NT/2000/XP

InternalName : Alps Pointing-device Driver for Windows NT/2000/XP

LegalCopyright : Copyright © 1998-2004 Alps Electric Co., Ltd.

OriginalFilename : ApntEx.exe

 

#:43 [spoolsv.exe]

FilePath : C:\PROGRA~1\ECURIT~1\

ProcessID : 3956

ThreadCreationTime : 1-22-2007 4:15:34 AM

BasePriority : Normal

 

 

#:44 [??ool32.exe]

FilePath : C:\WINDOWS\system32\?ystem\

ProcessID : 4000

ThreadCreationTime : 1-22-2007 4:15:35 AM

BasePriority : Normal

 

 

#:45 [dlg.exe]

FilePath : C:\Program Files\Digital Line Detect\

ProcessID : 2364

ThreadCreationTime : 1-22-2007 4:15:37 AM

BasePriority : Normal

FileVersion : 1, 0, 0, 1

ProductVersion : 1, 0, 0, 1

ProductName : BVRP Software TestLine

CompanyName : BVRP Software

FileDescription : Digital Line Detection

InternalName : TestLine

LegalCopyright : Copyright © 2003

OriginalFilename : TestLine.exe

 

#:46 [ycommon.exe]

FilePath : C:\PROGRA~1\Yahoo!\browser\

ProcessID : 3328

ThreadCreationTime : 1-22-2007 4:15:40 AM

BasePriority : Normal

FileVersion : 2003, 9, 3, 1

ProductVersion : 1, 0, 0, 1

ProductName : YCommon Exe Module

CompanyName : Yahoo!, Inc.

FileDescription : YCommon Exe Module

InternalName : YCommonExe

LegalCopyright : Copyright 2003 Yahoo! Inc.

OriginalFilename : YCommon.EXE

 

#:47 [wuauclt.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 3588

ThreadCreationTime : 1-22-2007 4:16:29 AM

BasePriority : Normal

FileVersion : 5.8.0.2469 built by: lab01_n(wmbla)

ProductVersion : 5.8.0.2469

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Automatic Updates

InternalName : wuauclt.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : wuauclt.exe

 

#:48 [iexplore.exe]

FilePath : C:\Program Files\Internet Explorer\

ProcessID : 2416

ThreadCreationTime : 1-22-2007 4:44:34 AM

BasePriority : Normal

FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 6.00.2900.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Internet Explorer

InternalName : iexplore

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : IEXPLORE.EXE

 

#:49 [autodown.exe]

FilePath : C:\Program Files\Yahoo!\Antivirus\

ProcessID : 3388

ThreadCreationTime : 1-22-2007 4:45:30 AM

BasePriority : Normal

FileVersion : Version 2.1.0.2

ProductVersion : Version 2.1.0.2

ProductName : Update Antivirus Application

CompanyName : Computer Associates International, Inc.

FileDescription : Update Antivirus Application

InternalName : AutoDown

LegalCopyright : Copyright © 1989-2003 Computer Associates International, Inc.

OriginalFilename : AutoDown.exe

 

#:50 [ad-aware.exe]

FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\

ProcessID : 3872

ThreadCreationTime : 1-22-2007 4:45:38 AM

BasePriority : Normal

FileVersion : 6.2.0.236

ProductVersion : SE 106

ProductName : Lavasoft Ad-Aware SE

CompanyName : Lavasoft Sweden

FileDescription : Ad-Aware SE Core application

InternalName : Ad-Aware.exe

LegalCopyright : Copyright © Lavasoft AB Sweden

OriginalFilename : Ad-Aware.exe

Comments : All Rights Reserved

 

Memory scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 8

 

 

Started registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Registry Scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 8

 

 

Started deep registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Softomate Toolbar Object Recognized!

Type : RegValue

Data :

TAC Rating : 9

Category : Data Miner

Comment : "{544E5FC5-063C-1033-0627-051114200001}"

Rootkey : HKEY_LOCAL_MACHINE

Object : Software\Microsoft\Windows\CurrentVersion\Run

Value : {544E5FC5-063C-1033-0627-051114200001}

 

Softomate Toolbar Object Recognized!

Type : File

Data : update.exe

TAC Rating : 9

Category : Data Miner

Comment :

Object : c:\program files\common files\{544e5fc5-063c-1033-0627-051114200001}\

 

 

 

Win32.TrojanDownloader.Agent Object Recognized!

Type : RegValue

Data :

TAC Rating : 10

Category : Virus

Comment : "IpWins"

Rootkey : HKEY_LOCAL_MACHINE

Object : Software\Microsoft\Windows\CurrentVersion\Run

Value : IpWins

 

Win32.TrojanDownloader.Agent Object Recognized!

Type : File

Data : ipwins.exe

TAC Rating : 10

Category : Virus

Comment :

Object : c:\program files\ipwindows\

 

 

 

Deep registry scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 2

Objects found so far: 12

 

 

Started Tracking Cookie scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : [email protected]~~local~~[2].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:23

Value : Cookie:[email protected]~~local~~/

Expires : 1-30-2007 4:13:58 AM

LastSync : Hits:23

UseCount : 0

Hits : 23

 

Tracking cookie scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 1

Objects found so far: 13

 

 

 

Deep scanning and examining files (C:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Softomate Toolbar Object Recognized!

Type : File

Data : b122.exe

TAC Rating : 9

Category : Data Miner

Comment :

Object : C:\Documents and Settings\Lauren\Local Settings\Temp\

 

 

 

Disk Scan Result for C:\

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 14

 

 

Scanning Hosts file......

Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Hosts file scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

1 entries scanned.

New critical objects:0

Objects found so far: 14

 

 

 

 

Performing conditional scans...

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Win32.TrojanDownloader.Agent Object Recognized!

Type : Folder

TAC Rating : 10

Category : Data Miner

Comment : Win32.TrojanDownloader.Agent

Object : C:\Program Files\Ipwindows

 

Conditional scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 1

Objects found so far: 15

 

10:55:37 PM Scan Complete

 

Summary Of This Scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Total scanning time:00:09:43.578

Objects scanned:141003

Objects identified:7

Objects ignored:0

New critical objects:7

 

Edit --> Moved to correct forum


Hello there and welcome to Lavasoft's security forum.

My name is David, I will be helping you with your log today.


Click here to download HijackThis.

Save HJTsetup.exe to your Desktop.

Double click on the HJTsetup.exe icon to start the program.

Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.

Put a check by Create a desktop icon then click Next again.

Continue to follow the rest of the prompts from there.

At the final dialogue box click Finish and it will launch HijackThis.

Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.

Click Save to save the log file and post it in your next reply.


Ok David here it is. Thank you for helping me.


Logfile of HijackThis v1.99.1

Scan saved at 8:58:10 AM, on 1/24/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Yahoo!\Antivirus\ISafe.exe

C:\WINDOWS\system32\svchosts.exe

C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

C:\PROGRA~1\PHAROS\bin\DistAgnt.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Apoint\Apoint.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\Dell\Media Experience\PCMService.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Yahoo!\Antivirus\CAVTray.exe

C:\Program Files\Yahoo!\Antivirus\CAVRID.exe

C:\PROGRA~1\Yahoo!\YOP\yop.exe

C:\Program Files\Ipwindows\ipwins.exe

C:\Program Files\Common Files\{544E5FC5-063D-1033-0627-051114200001}\Update.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Dell Support\DSAgnt.exe

C:\PROGRA~1\AIM\aim.exe

C:\PROGRA~1\ECURIT~1\spoolsv.exe

C:\WINDOWS\system32\?ystem\??ool32.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Yahoo!\Antivirus\VetMsg.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway

R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll

R3 - URLSearchHook: (no name) - {FBDEFD83-146F-49BC-1931-39C62F483398} - C:\WINDOWS\system32\emhxjc.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: (no name) - {FBDEFD83-146F-49BC-1931-39C62F483398} - C:\WINDOWS\system32\emhxjc.dll

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

O4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"

O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"

O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart

O4 - HKLM\..\Run: [{544E5FC5-063C-1033-0627-051114200001}] "C:\Program Files\Common Files\{544E5FC5-063C-1033-0627-051114200001}\Update.exe" te-110-12-0000213

O4 - HKLM\..\Run: [ipWins] C:\Program Files\Ipwindows\ipwins.exe

O4 - HKLM\..\Run: [{544E5FC5-063D-1033-0627-051114200001}] "C:\Program Files\Common Files\{544E5FC5-063D-1033-0627-051114200001}\Update.exe" te-110-12-0000213

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

O4 - HKCU\..\Run: [sen] "C:\PROGRA~1\ECURIT~1\spoolsv.exe" -vt yazb

O4 - HKCU\..\Run: [Huuozco] C:\WINDOWS\system32\?ystem\??ool32.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O20 - Winlogon Notify: gebyy - C:\WINDOWS\system32\gebyy.dll (file missing)

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe

O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000213 (file missing)

O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

O23 - Service: PHAROS Distribution Agent (PSDistributionAgent) - Pharos Systems Limited - C:\PROGRA~1\PHAROS\bin\DistAgnt.exe

O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe

O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe


Hello Glasscock84, my name is David, welcome to Lavasoft!

 

My first remark is to say that yes, unfortunately you are infected. To be more specific, from the Hijackthis log you posted I can see you have been infected with Sdbot trojans/worms, which are capable of backdoor activity. To be brief, due to the status of some of the files you have on your computer, I strongly recommend that you do the following immediately. Disconnect the infected computer from the internet until the computer can be cleaned. From a clean computer, change your online passwords-- for email, for banks, eBay, forums etc.... Do not change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information.

 

I've researched the entries, and found this information, in case you find it useful:

 

W32/Sdbot-LM is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process. W32/Sdbot-LM spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user.

 

So, that's the first thing, I recommend you change your passwords.

Here are two useful links, in case you wish to read more on the infection you have:

http://www.sophos.com/virusinfo/analyses/w32sdbotlm.html

http://www3.ca.com/securityadvisor/virusin...s.aspx?ID=46981

 

Ok, now onto the removal, please follow these instructions exactly as posted, it's important. Also it is a good idea to print off these instructions. There is a possibility some of the instructions will need to be carried out where internet access is not available. It is important that you complete the instructions in the right order, and that you don't miss out any steps.

 

Open HijackThis, click 'Config' (bottom right), then choose the 'Misc Tools' tab on top.

Choose 'delete a file on reboot'. In the field, copy and paste the filepath a few lines below.

Click open. Hijackthis will tell you that this file will be deleted on next reboot and if you want to reboot now.

When asked if you want to reboot now, say No:

C:\WINDOWS\system32\svchosts.exe

 

Please do the same for this file:

C:\WINDOWS\system32\emhxjc.dll

 

When asked if you want to reboot now, say Yes.

 

After the reboot, click on start, then control panel, and then double-click on add/remove programs.

From within add/remove program uninstall the following if they exist by double-clicking on the following entries:

 

MyWaySA

Ipwindows <--also anything that is related to myway.

 

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

 

R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll

R3 - URLSearchHook: (no name) - {FBDEFD83-146F-49BC-1931-39C62F483398} - C:\WINDOWS\system32\emhxjc.dll

O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll

O2 - BHO: (no name) - {FBDEFD83-146F-49BC-1931-39C62F483398} - C:\WINDOWS\system32\emhxjc.dll

O4 - HKLM\..\Run: [{544E5FC5-063C-1033-0627-051114200001}] "C:\Program Files\Common Files\{544E5FC5-063C-1033-0627-051114200001}\Update.exe" te-110-12-0000213

O4 - HKLM\..\Run: [ipWins] C:\Program Files\Ipwindows\ipwins.exe

O4 - HKLM\..\Run: [{544E5FC5-063D-1033-0627-051114200001}] "C:\Program Files\Common Files\{544E5FC5-063D-1033-0627-051114200001}\Update.exe" te-110-12-0000213

O4 - HKCU\..\Run: [sen] "C:\PROGRA~1\ECURIT~1\spoolsv.exe" -vt yazb

O4 - HKCU\..\Run: [Huuozco] C:\WINDOWS\system32\?ystem\??ool32.exe

O20 - Winlogon Notify: gebyy - C:\WINDOWS\system32\gebyy.dll (file missing)

O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000213 (file missing)

 

Click on Fix Checked when finished and exit HijackThis.

Make sure your Internet Explorer is closed when you click Fix Checked!

 

Please click on start > run > and type: sc delete COM+ Messages

Hit enter and let the DOS window open and close. This is normal.

 

Download Bobbi Flekman's RegSearch from

http://www.bleepingcomputer.com/files/regsearch.php

 

Create a folder for RegSearch on the C: drive called C:\RegSearch. You can do this by going to My Computer then double click on C: then right click and select New then Folder and name it RegSearch. Extract all the files from the zip archive into that folder.

 

Open the RegSearch folder and double-click the icon for RegSearch.exe to launch the program.

Copy / Paste the following line into the top Search Box:

 

svchosts

 

Now hit OK. After completion Notepad will be opened with all the found instances of the string. The resulting file is saved in the same location as RegSearch.exe

 

Please download Combofix to your desktop.

Double-click combo.exe to launch the application.

Follow the prompts that will be displayed on the screen.

 

Don't click on the window while the fix is running, because that will cause your system to hang.

When finished, it should produce a log, combofix.txt.

Post this log in your next reply together with a new hijackthislog.

 

In the next reply, we should have a few folders/files to delete.

I want to see the ComboFix log first though.

 

David :)

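The entries David singles out above share a few traits a practitioner learns to spot by eye: a file name one letter away from a real system binary (svchosts.exe), a real name running from the wrong directory (spoolsv.exe under PROGRA~1\ECURIT~1), a path HijackThis can only print with '?' because the real directory name used look-alike characters (?ystem\??ool32.exe), a Run value named after a bare GUID, a Winlogon Notify or service entry whose file is already "(file missing)", and a service with "Unknown owner". The script below is an added example, not part of this thread and not a Lavasoft, HijackThis or ComboFix tool. It scores each R*/O* line of a HijackThis 1.99 log against those indicators; the weights, the FLAG threshold and the list of imitated system binaries are my own choices, and SAMPLE_LOG is a constructed excerpt of lines taken from the logs posted in this thread.

```python
"""Triage helper for HijackThis-style logs (added example, not a HijackThis tool).

Indicator weights, the known-binary list and SAMPLE_LOG are the example
author's choices; the sample lines are excerpted from the logs in this thread.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Binaries malware commonly imitates, with the directory each lives in on
# Windows XP (compared case-insensitively). A same-named file elsewhere, or a
# name one typo away, deserves a look.
KNOWN_SYSTEM_BINARIES = {
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
FLAG_THRESHOLD = 2  # score at or above which an entry is reported as FLAG

HJT_ENTRY = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# First Windows path on the line, up to and including the executable extension.
EXE_PATH = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|scr|cpl|com)\b", re.IGNORECASE)
RUN_NAME = re.compile(r"\\Run: \[(?P<name>[^\]]*)\]")
GUID = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.IGNORECASE)


@dataclass
class Finding:
    line: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    def add(self, weight: int, why: str) -> None:
        self.score += weight
        self.reasons.append(why)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 1 means one inserted, dropped or substituted character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_line(line: str) -> Optional[Finding]:
    """Score one R*/O* entry; returns None for lines that are not entries."""
    m = HJT_ENTRY.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    f = Finding(line.strip())

    if "(file missing)" in body:
        f.add(2, "startup point references a file that no longer exists")
    if section == "O23" and "Unknown owner" in body:
        f.add(2, "service binary has no company name in its version info")
    if section in ("O2", "R3") and "(no name)" in body:
        f.add(1, "browser hook registered without a display name (weak on its own)")

    run = RUN_NAME.search(body)
    if run and GUID.match(run.group("name")):
        f.add(2, "Run value named after a bare GUID")

    pm = EXE_PATH.search(body)
    if pm:
        path = pm.group(0)
        directory, _, basename = path.rpartition("\\")
        # '?' is illegal in a Windows file name, so HijackThis printing one means the
        # real name held characters outside the log's code page (look-alike glyphs).
        if "?" in path or any(ord(c) > 126 for c in path):
            f.add(3, "path contains '?' or non-ASCII characters (look-alike name)")
        name = basename.lower()
        for known, home in KNOWN_SYSTEM_BINARIES.items():
            if name == known and directory.lower() != home:
                f.add(3, f"{known} running from {directory} instead of {home}")
            elif name != known and edit_distance(name, known) == 1:
                f.add(3, f"{basename} is one edit away from system binary {known}")
    return f


def triage_log(text: str, threshold: int = FLAG_THRESHOLD) -> List[Finding]:
    """All entries scoring at least `threshold`, highest score first."""
    found = [f for f in map(triage_line, text.splitlines()) if f and f.score >= threshold]
    found.sort(key=lambda f: f.score, reverse=True)
    return found


# Constructed sample: lines excerpted from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {FBDEFD83-146F-49BC-1931-39C62F483398} - C:\WINDOWS\system32\emhxjc.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [{544E5FC5-063C-1033-0627-051114200001}] "C:\Program Files\Common Files\{544E5FC5-063C-1033-0627-051114200001}\Update.exe" te-110-12-0000213
O4 - HKCU\..\Run: [sen] "C:\PROGRA~1\ECURIT~1\spoolsv.exe" -vt yazb
O4 - HKCU\..\Run: [Huuozco] C:\WINDOWS\system32\?ystem\??ool32.exe
O20 - Winlogon Notify: gebyy - C:\WINDOWS\system32\gebyy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000213 (file missing)
"""


def main() -> None:
    for f in triage_log(SAMPLE_LOG, threshold=1):
        marker = "FLAG" if f.score >= FLAG_THRESHOLD else "review"
        print(f"[{marker}] score={f.score} {f.line}")
        for why in f.reasons:
            print(f"         - {why}")


if __name__ == "__main__":
    main()
```

Run it and the COM+ Messages service comes out on top (missing file, no owner, and a name one edit away from svchost.exe), followed by the ?ystem path, the misplaced spoolsv.exe, the GUID-named Run value and the gebyy Winlogon hook; Apoint, the Adobe BHO and the Intel graphics hook score zero. A "(no name)" hook alone only scores 1 because Spybot's SDHelper.dll legitimately shows that way, so emhxjc.dll lands in "review" rather than "FLAG": the scores are a reading aid, not a verdict, and anything in the review bucket still needs the kind of research David did. One caveat on the service removal step itself: sc takes the service name as a single argument, so a name containing spaces must be quoted, `sc delete "COM+ Messages"`; unquoted, sc looks for a service called COM+ and reports that it does not exist.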

OK, I did everything that you told me to do and then I restarted my computer.

When I enabled my wireless and use internet explorer my home page was changed to MSN.

Here are those logs.

"Lauren" - 07-01-24 17:08:18 Service Pack 2

ComboFix 07-01-24.2 - Running from: "C:\Documents and Settings\Lauren\Desktop"

 

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\Program Files\Common Files\Yazzle1122OinAdmin.exe

C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe

C:\Program Files\Ipwindows\ipwins.dll

C:\Program Files\Ipwindows\ipwins.exe

C:\WINDOWS\system32\bszip.dll

C:\WINDOWS\system32\unsvchosts.lzma

C:\WINDOWS\system32\wintsvsu.exe

C:\Program Files\Common Files\{344E5~1

C:\Program Files\Common Files\{544E5~1

C:\Program Files\Common Files\{544E5~2

C:\Program Files\InetGet2

C:\Program Files\Inetget2

C:\Program Files\Ipwindows

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\qoobox\purity\Program Files\ECURIT~1

C:\qoobox\purity\Program Files\ECURIT~1\spoolsv.exe

C:\qoobox\purity\Program Files\ECURIT~1\?ecurity

C:\qoobox\purity\WINDOWS\system32\YSTEM~1

C:\qoobox\purity\WINDOWS\system32\YSTEM~1\??ool32.exe

 

 

((((((((((((((((((((((((((((((( Files Created from 2006-12-24 to 2007-01-24 ))))))))))))))))))))))))))))))))))

 

 

2007-01-24 17:04 <DIR> d-------- C:\regsearch

2007-01-24 08:57 <DIR> d-------- C:\Program Files\Hijackthis

2007-01-15 03:37 <DIR> d-------- C:\Program Files\MSXML 4.0

2007-01-15 03:37 <DIR> d-------- C:\8fb19a912e3307a11c690ec478424dcd

2007-01-14 18:12 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\Lavasoft

2007-01-13 14:59 2,114 --a------ C:\44180766.exe

2007-01-11 02:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Adobe

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

2006-12-25 00:32 -------- d-------- C:\Program Files\mystery case files - ravenhearst

2006-12-15 22:02 -------- d-------- C:\Program Files\bfg

2006-12-07 00:40 2362184 --a------ C:\WINDOWS\system32\wmvcore.dll

2006-11-26 18:23 -------- d-------- C:\Program Files\kodak

2006-11-07 23:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll

2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"

"AIM"="C:\\PROGRA~1\\AIM\\aim.exe -cnetwait.odl"

"updateMgr"="C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe AcRdB7_0_9"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"

"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"

"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"

"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe"

@=""

"IntelWireless"="C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe /tf Intel PROSet/Wireless"

"PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""

"Dell QuickSet"="C:\\Program Files\\Dell\\QuickSet\\quickset.exe"

"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""

"mmtask"="C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mmtask.exe"

"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"

"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"

"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"

"CaAvTray"="\"C:\\Program Files\\Yahoo!\\Antivirus\\CAVTray.exe\""

"CAVRID"="\"C:\\Program Files\\Yahoo!\\Antivirus\\CAVRID.exe\""

"YOP"="C:\\PROGRA~1\\Yahoo!\\YOP\\yop.exe /autostart"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]

"Installed"="1"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]

"Installed"="1"

"NoChange"="1"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]

"Installed"="1"

 

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

 

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]

HTTPFilter REG_MULTI_SZ HTTPFilter\0\0

LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0

NetworkService REG_MULTI_SZ DnsCache\0\0

DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

rpcss REG_MULTI_SZ RpcSs\0\0

imgsvc REG_MULTI_SZ StiSvc\0\0

termsvcs REG_MULTI_SZ TermService\0\0

 

 

Completion time: 07-01-24 17:11:27

 

Logfile of HijackThis v1.99.1

Scan saved at 5:15:50 PM, on 1/24/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Yahoo!\Antivirus\ISafe.exe

C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

C:\PROGRA~1\PHAROS\bin\DistAgnt.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Yahoo!\Antivirus\VetMsg.exe

C:\Program Files\Apoint\Apoint.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\Dell\Media Experience\PCMService.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Yahoo!\Antivirus\CAVTray.exe

C:\Program Files\Yahoo!\Antivirus\CAVRID.exe

C:\PROGRA~1\Yahoo!\YOP\yop.exe

C:\Program Files\Dell Support\DSAgnt.exe

C:\PROGRA~1\AIM\aim.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Hijackthis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

O4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"

O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"

O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe

O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

O23 - Service: PHAROS Distribution Agent (PSDistributionAgent) - Pharos Systems Limited - C:\PROGRA~1\PHAROS\bin\DistAgnt.exe

O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe

O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

 

I hope I didn't mess it all up when I restarted.

Thanks again.

Lauren


Good work Lauren! :D Things are looking much better.

 

However, I still need the RegSearch log from you; it doesn't appear as though you posted it.

 

Go to this page.

Where it says, browse to the file that you want to submit, copy and paste the filepath at the bottom in the field:

Then click the Send File button below:

 

C:\44180766.exe

 

Please perform this online scan: Kaspersky Webscan

Read the Requirements and Privacy statement, then select "Accept"

A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab

Select "Install" to download the ActiveX controls that allow ActiveScan to run.

 

When the download is complete it will say ready, click "Next"

Select a target to scan: Click on "My Computer"

When the scan is complete choose to save the results as "Save as Text"

Post the Kaspersky scan results in your next reply, along with a new Hijackthis log.

 

Don't forget the RegSearch log too.

 

David


I have already noticed changes in my computer so far. The pop ups have stopped and the message at startup doesn't appear any more.

 

Here is the regsearch log:

Windows Registry Editor Version 5.00

 

; Registry Search 2.0 by Bobbi Flekman © 2005

; Version: 2.0.2.0

 

; Results at 1/24/2007 5:05:26 PM for strings:

; 'svchosts'

; Strings excluded from search:

; (None)

; Search in:

; Registry Keys Registry Values Registry Data

; HKEY_LOCAL_MACHINE HKEY_USERS

 

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]

"f"="C:\\WINDOWS\\system32\\svchosts.exe"

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\exe]

"b"="C:\\WINDOWS\\system32\\svchosts.exe"

 

; End Of The Log...

 

The Kaspersky Scan

-------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER REPORT

Thursday, January 25, 2007 11:54:41 AM

Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)

Kaspersky Online Scanner version: 5.0.83.0

Kaspersky Anti-Virus database last update: 25/01/2007

Kaspersky Anti-Virus database records: 247241

-------------------------------------------------------------------------------

 

Scan Settings:

Scan using the following antivirus database: standard

Scan Archives: true

Scan Mail Bases: true

 

Scan Target - My Computer:

C:\

D:\

 

Scan Statistics:

Total number of scanned objects: 42005

Number of viruses found: 1

Number of infected objects: 1 / 0

Number of suspicious objects: 0

Duration of the scan process: 00:33:54

 

Infected Object Name / Virus Name / Last Action

C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare Object is locked skipped

C:\Documents and Settings\Lauren\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skipped

C:\Documents and Settings\Lauren\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Lauren\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_219.wmdb Object is locked skipped

C:\Documents and Settings\Lauren\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Lauren\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Lauren\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Lauren\Local Settings\History\History.IE5\MSHist012007012520070126\index.dat Object is locked skipped

C:\Documents and Settings\Lauren\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Lauren\ntuser.dat Object is locked skipped

C:\Documents and Settings\Lauren\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP6\A0000621.exe Infected: Trojan-Downloader.Win32.Agent.bca skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP7\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{412617BB-5633-4B05-A0A8-24B26CE35A00}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\DEFAULT Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SYSTEM Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

 

Scan process completed.

 

 

Hijack This log:

Logfile of HijackThis v1.99.1

Scan saved at 11:55:39 AM, on 1/25/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Yahoo!\Antivirus\ISafe.exe

C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

C:\PROGRA~1\PHAROS\bin\DistAgnt.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Yahoo!\Antivirus\VetMsg.exe

C:\Program Files\Apoint\Apoint.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\Dell\Media Experience\PCMService.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Yahoo!\Antivirus\CAVTray.exe

C:\Program Files\Yahoo!\Antivirus\CAVRID.exe

C:\PROGRA~1\Yahoo!\YOP\yop.exe

C:\Program Files\Dell Support\DSAgnt.exe

C:\PROGRA~1\AIM\aim.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\Hijackthis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

O4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"

O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"

O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe

O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

O23 - Service: PHAROS Distribution Agent (PSDistributionAgent) - Pharos Systems Limited - C:\PROGRA~1\PHAROS\bin\DistAgnt.exe

O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe

O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

 

Alright, I hope that is everything.

Thanks,

Lauren

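A helper reading a HijackThis log like the one above works through the O-entries looking for things that do not belong: components marked "(file missing)", entries with no name, binaries started from odd locations. The following is an added example (not code from this thread or from HijackThis) that applies those triage heuristics to HijackThis-format lines; the sample lines are copied from Lauren's log except the `[44180766]` O4 line, which is constructed to show how the `C:\44180766.exe` file David asked her to delete would have looked had it registered itself to autostart. Flags are prompts for a human to look closer, not verdicts.

```python
import ntpath
import re

# Constructed sample: O2/O4/O9 lines are copied from the HijackThis log in this
# thread; the "[44180766]" O4 line is made up to show a root-level numeric dropper.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [44180766] C:\44180766.exe
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
"""

LINE_RE = re.compile(r"^([RO]\d+) - (.*)$")
# First Windows path ending in a binary extension; stops before any arguments.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|sys)\b', re.IGNORECASE)


def parse_line(line):
    """Split one HijackThis entry into (section, detail, path or None)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, detail = m.groups()
    p = PATH_RE.search(detail)
    return section, detail, (p.group(0) if p else None)


def triage_entry(detail, path):
    """Heuristic reasons an analyst should look closer; empty means nothing odd."""
    reasons = []
    if "(file missing)" in detail:
        reasons.append("target file missing: stale or already-removed component")
    if "(no name)" in detail:  # a prompt to check the CLSID, not a verdict
        reasons.append("entry has no display name")
    if path:
        folder, name = ntpath.split(path)
        if ntpath.splitext(name)[0].isdigit():
            reasons.append("file name is only digits (typical randomised dropper)")
        if re.fullmatch(r"[A-Za-z]:\\?", folder):
            reasons.append("binary sits directly at the drive root")
        elif "\\temp\\" in folder.lower() + "\\":
            reasons.append("runs from a temp directory")
    return reasons


def triage(log_text):
    """Return [(section, path, reasons)] for every entry that earned a reason."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            reasons = triage_entry(parsed[1], parsed[2])
            if reasons:
                findings.append((parsed[0], parsed[2], reasons))
    return findings
```

Run against the sample, `triage(SAMPLE_LOG)` flags the unnamed O2 BHO (Spybot's own helper, which is why a human still has to check the CLSID), the root-level numeric O4 entry on two counts, and the O9 button whose target is missing, while the Apoint and QuickTime entries pass untouched.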

Great stuff Lauren! :)

 

The file you uploaded is indeed bad.

Please navigate to the following file and delete it:

C:\44180766.exe

 

We need to purge your infected system restore points.

On the Desktop, right-click My Computer, then click Properties.

Click the System Restore tab near the top of the window.

Check Turn off System Restore, click Apply, and then click OK.

 

We want to create a new, clean restore point. Please first reboot your computer.

You will be asked to turn System Restore on again; click "Yes".

On the Desktop, right-click My Computer, then click Properties.

Click the System Restore tab near the top of the window.

Check Turn off System Restore, click Apply, and then click OK.

 

Click Start > All Programs > Accessories > System Tools, and select System Restore.

In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.

Type a description for your new restore point - Something like "After trojan/spyware cleanup".

Click Create, and after it has created the restore point, click "Close".

 

You're using an outdated version of Java (latest one is Java Runtime Environment (JRE) 6). Please update and remove the older versions. Do the following:

Go to Start | Control Panel | Add/Remove Programs

Search the list for all previously installed versions of Java (J2SE Runtime Environment...).

It should have this icon next to it: javaicon.gif

Select it and click Remove.

Then download and install the newest version from here (scroll down to find it):

Java Runtime Environment (JRE) 6

 

Reboot a final time and let me know how the PC is running...


Glad I could help! ^_^

The latest log is looking clean!

Follow this list and your potential for being infected again will be reduced dramatically.

 

Use an Anti Virus Software -

* It is very important that your computer has anti-virus software running on it.

* This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online and stand-alone anti-virus programs:

* Click here for more information on -> Computer Safety Online - Anti-Virus

* I would recommend Grisoft's AVG or AVAST.

* These are the more secure and better ones.

 

Update your Anti-Virus Software - It is imperative that you update your anti-virus software at least once a week (even more often if you wish). If you do not update your anti-virus software, it will not be able to catch any of the new variants that may come out.

 

Use a Firewall -

* I cannot stress how important it is that you use a Firewall on your computer.

* Without a firewall your computer is susceptible to being hacked and taken over.

* Simply using a Firewall in its default configuration can lower your risk greatly.

* For an article on Firewalls and a listing of some available ones see the link below:

* Click here for more information on -> Computer Safety Online - Software Firewalls

* I would recommend ZoneAlarm as a firewall as it's easy to use.

 

Visit Microsoft's Windows Update Site Frequently -

* It is important that you visit http://www.windowsupdate.com regularly.

* This will ensure your computer always has the latest available security updates installed.

* If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

 

Next, if they're not already present, I would recommend the download and installation of some or all of the following programs (all free), and updating them regularly.

 

Install Spybot© - Search and Destroy- Install and download Spybot - Search and Destroy with its TeaTimer option.

* This will provide real-time spyware & hijacker protection on your computer alongside your virus protection.

* You should also scan your computer with the program on a regular basis, just as you would with anti-virus software.

* A tutorial on installing & using this product can be found here:

* Click here for more info -->Instructions for - Spybot S & D and Ad-aware

 

Install Lavasoft's© Ad-Aware - Install and download Ad-Aware.

* You should also scan your computer with the program on a regular basis, in conjunction with Spybot, just as you would with anti-virus software.

* A tutorial on installing & using this product can be found here:

* Click here for more info -->Instructions for - Spybot S & D and Ad-aware

 

Install Javacool's© SpywareBlaster -

* SpywareBlaster will add a large list of programs and sites to your Internet Explorer and Firefox settings that will protect you from running and downloading known malicious programs.

* An article on anti-malware products with links for this program and others can be found here:

* Click here for more info -->Computer Safety Online - Anti-Malware

 

Update all these programs regularly - Make sure you update all the programs I have listed regularly.

Without regular updates you WILL NOT be protected when new malicious programs are released.

 

If you have any additional questions, just ask...

David


David,

Thank you so much, you really were a life saver.

This computer is barely a year old and I have already been infected twice on it with bad spyware. My desktop doesn't get infected, so I think I am picking it up from the network at school. Do you recommend I get Mozilla Firefox, or is there anything else, besides what you previously mentioned, that I can do to protect myself from the poor security at school?

Thanks again!

Lauren


You are welcome Lauren!

 

The steps in my last post are all recommended ways of increasing your protection and security on the PC. If you follow these steps, your computer should be well on the way to being protected against a whole host of threats that could infect it. Also, I see that you are running Yahoo Antivirus. Now, this may be your antivirus of choice, but it is not as reputable as most of the others on the market. There are various free antivirus programs, such as AVG and Avast, which I can promise you will do a much better job of protecting your computer. It might be an idea to install one of the above and run a full scan; if you do, note that you must uninstall Yahoo Antivirus, as I do not recommend that you have more than one anti-virus product installed and running on your computer at a time. In general terms, the two programs may conflict and cause false alarms - when the anti-virus software tells you that your PC has a virus when it actually doesn't.

 

In the meantime, you might also like to read here: http://www.bleepingcomputer.com/forums/topic2520.html; it's excellent info that's not too time-consuming to read. Some of it is replicated in my own all-clean speech, but there are specific instructions for securing Internet Explorer. It is up to you whether or not you wish to switch to Firefox; most will say that Firefox is more secure. However, I've been using Internet Explorer for years without a single problem.

 

Also have a read here:

http://users.telenet.be/bluepatchy/miekiem...prevention.html

 

I hope this helps...

David
