sshlisky

Infected Computer


I believe I have been targeted by PestTrap.

 

My PC:

-runs slower than usual

-occasionally loads a shortcut to PestTrap exterminators

-will not let me create a desktop background

 

I have:

 

-updated to the present version of Ad-Aware 1.06

-run a full scan and a quick scan

-run a HijackThis scan

-found one PestTrap file after the scan and deleted it

-rebooted computer

-have run a full scan with Symantec antivirus software

-problems did not go away

 

Logfile of HijackThis v1.99.1

Scan saved at 10:35:43 PM, on 1/25/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Digidesign\Drivers\MMERefresh.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\System32\snmp.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\System32\wltrysvc.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe

C:\Program Files\Microsoft IntelliType Pro\type32.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\HijackThis\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"

O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\system32\ntsystem.exe

O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"

O4 - HKCU\..\Run: [Explorer] C:\WINDOWS\system32\shellexp.exe en

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} (BewitchedGameClass Control) - http://download.games.yahoo.com/games/web_...itched/main.cab

O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game02.zylom.com/activex/zylomgamesplayer.cab

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe

O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


Hello bosh55, and welcome to Lavasoft Support Forums. My name is Charles and I will be dealing with your log today.

I'd like you to run a full scan of your system using Ad-Aware, making sure that you save the log. Post that in your next reply, please, along with a new HijackThis log.

Thanks,

Charles


 

 

Thanks for your help. I am pasting the logs here. Let me know if you'd rather have attachments.

 

Steve

 

Ad-Aware Log:

 

 

Ad-Aware SE Build 1.06r1

Logfile Created on:Saturday, January 27, 2007 1:04:34 PM

Created with Ad-Aware SE Personal, free for private use.

Using definitions file:SE1R147 25.01.2007

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

References detected during the scan:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

MRU List(TAC index:0):11 total references

Other(TAC index:5):1 total references

PestTrap(TAC index:3):4 total references

Tracking Cookie(TAC index:3):1 total references

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Ad-Aware SE Settings

===========================

Set : Search for negligible risk entries

Set : Safe mode (always request confirmation)

Set : Scan active processes

Set : Scan registry

Set : Deep-scan registry

Set : Scan my IE Favorites for banned URLs

Set : Scan my Hosts file

 

Extended Ad-Aware SE Settings

===========================

Set : Unload recognized processes & modules during scan

Set : Scan registry for all users instead of current user only

Set : Always try to unload modules before deletion

Set : During removal, unload Explorer and IE if necessary

Set : Let Windows remove files in use at next reboot

Set : Delete quarantined objects after restoring

Set : Include basic Ad-Aware settings in log file

Set : Include additional Ad-Aware settings in log file

Set : Include reference summary in log file

Set : Include alternate data stream details in log file

Set : Play sound at scan completion if scan locates critical objects

 

 

1-27-2007 1:04:34 PM - Scan started. (Full System Scan)

 

MRU List Object Recognized!

Location: : C:\Documents and Settings\Steve\Application Data\microsoft\office\recent

Description : list of recently opened documents using microsoft office

 

 

MRU List Object Recognized!

Location: : C:\Documents and Settings\Steve\recent

Description : list of recently opened documents

 

 

MRU List Object Recognized!

Location: : software\microsoft\direct3d\mostrecentapplication

Description : most recent application to use microsoft direct3d

 

 

MRU List Object Recognized!

Location: : software\microsoft\direct3d\mostrecentapplication

Description : most recent application to use microsoft direct X

 

 

MRU List Object Recognized!

Location: : software\microsoft\directdraw\mostrecentapplication

Description : most recent application to use microsoft directdraw

 

 

MRU List Object Recognized!

Location: : S-1-5-21-3895149624-824023418-3409356266-1006\software\microsoft\directinput\mostrecentapplication

Description : most recent application to use microsoft directinput

 

 

MRU List Object Recognized!

Location: : S-1-5-21-3895149624-824023418-3409356266-1006\software\microsoft\directinput\mostrecentapplication

Description : most recent application to use microsoft directinput

 

 

MRU List Object Recognized!

Location: : S-1-5-21-3895149624-824023418-3409356266-1006\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru

Description : list of recent programs opened

 

 

MRU List Object Recognized!

Location: : S-1-5-21-3895149624-824023418-3409356266-1006\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru

Description : list of recently saved files, stored according to file extension

 

 

MRU List Object Recognized!

Location: : S-1-5-21-3895149624-824023418-3409356266-1006\software\microsoft\windows\currentversion\explorer\recentdocs

Description : list of recent documents opened

 

 

MRU List Object Recognized!

Location: : S-1-5-21-3895149624-824023418-3409356266-1006\software\microsoft\windows media\wmsdk\general

Description : windows media sdk

 

 

Listing running processes

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

#:1 [smss.exe]

FilePath : \SystemRoot\System32\

ProcessID : 572

ThreadCreationTime : 1-27-2007 8:49:15 PM

BasePriority : Normal

 

 

#:2 [csrss.exe]

FilePath : \??\C:\WINDOWS\system32\

ProcessID : 636

ThreadCreationTime : 1-27-2007 8:49:17 PM

BasePriority : Normal

 

 

#:3 [winlogon.exe]

FilePath : \??\C:\WINDOWS\system32\

ProcessID : 660

ThreadCreationTime : 1-27-2007 8:49:18 PM

BasePriority : High

 

 

#:4 [services.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 704

ThreadCreationTime : 1-27-2007 8:49:18 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Services and Controller app

InternalName : services.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : services.exe

 

#:5 [lsass.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 716

ThreadCreationTime : 1-27-2007 8:49:18 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : LSA Shell (Export Version)

InternalName : lsass.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : lsass.exe

 

#:6 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 896

ThreadCreationTime : 1-27-2007 8:49:19 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:7 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 944

ThreadCreationTime : 1-27-2007 8:49:19 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:8 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 980

ThreadCreationTime : 1-27-2007 8:49:20 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:9 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1028

ThreadCreationTime : 1-27-2007 8:49:20 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:10 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1088

ThreadCreationTime : 1-27-2007 8:49:20 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:11 [lexbces.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1356

ThreadCreationTime : 1-27-2007 8:49:22 PM

BasePriority : Normal

FileVersion : 9.45

ProductVersion : 9.45

ProductName : MarkVision for Windows (32 bit)

CompanyName : Lexmark International, Inc.

FileDescription : LexBce Service

InternalName : LexBce Service

LegalCopyright : © 1993 - 2004 Lexmark International, Inc.

OriginalFilename : LexBceS.exe

 

#:12 [lexpps.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1380

ThreadCreationTime : 1-27-2007 8:49:22 PM

BasePriority : Normal

FileVersion : 9.45

ProductVersion : 9.45

ProductName : MarkVision for Windows (32 bit)

CompanyName : Lexmark International, Inc.

FileDescription : LEXPPS.EXE

InternalName : LEXPPS

LegalCopyright : © 1993 - 2004 Lexmark International, Inc.

OriginalFilename : LEXPPS.EXE

Comments : MarkVision for Windows '95 New P2P Server (32-bit)

 

#:13 [spoolsv.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1388

ThreadCreationTime : 1-27-2007 8:49:22 PM

BasePriority : Normal

FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)

ProductVersion : 5.1.2600.2696

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Spooler SubSystem App

InternalName : spoolsv.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : spoolsv.exe

 

#:14 [defwatch.exe]

FilePath : C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\

ProcessID : 1544

ThreadCreationTime : 1-27-2007 8:49:25 PM

BasePriority : Normal

FileVersion : 8.00.00.9374

ProductVersion : 8.00.00.9374

ProductName : Norton AntiVirus

CompanyName : Symantec Corporation

FileDescription : Virus Definition Daemon

InternalName : DefWatch

LegalCopyright : Copyright © 1998 Symantec Corporation

OriginalFilename : DefWatch.exe

 

#:15 [mmerefresh.exe]

FilePath : C:\Program Files\Digidesign\Drivers\

ProcessID : 1560

ThreadCreationTime : 1-27-2007 8:49:25 PM

BasePriority : Normal

FileVersion : 6.4.0.138

ProductVersion : 6.4

ProductName : Digidesign MME Binder

CompanyName : Digidesign, A Division of Avid Technology, Inc.

FileDescription : Digidesign MME Binder

InternalName : MMERefresh.exe

LegalCopyright : ©1999-2004 Digidesign, A Division of Avid Technology, Inc.

OriginalFilename : MMERefresh.exe

 

#:16 [rtvscan.exe]

FilePath : C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\

ProcessID : 1620

ThreadCreationTime : 1-27-2007 8:49:25 PM

BasePriority : Normal

FileVersion : 8.00.00.9374

ProductVersion : 8.00.00.9374

ProductName : Symantec AntiVirus

CompanyName : Symantec Corporation

FileDescription : Symantec AntiVirus

LegalCopyright : Copyright © Symantec Corporation 1991-2002

 

#:17 [snmp.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1676

ThreadCreationTime : 1-27-2007 8:49:25 PM

BasePriority : Normal

FileVersion : 5.1.2600.3038 (xpsp_sp2_gdr.061119-2303)

ProductVersion : 5.1.2600.3038

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : SNMP Service

InternalName : snmp.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : snmp.exe

 

#:18 [viewpointservice.exe]

FilePath : C:\Program Files\Viewpoint\Common\

ProcessID : 1700

ThreadCreationTime : 1-27-2007 8:49:25 PM

BasePriority : Normal

FileVersion : 2, 0, 0, 54

ProductVersion : 2, 0, 0, 54

ProductName : Viewpoint Manager

CompanyName : Viewpoint Corporation

FileDescription : ViewMgr

InternalName : Viewpoint Manager

LegalCopyright : Copyright © 2004

OriginalFilename : ViewMgr.exe

Comments : Viewpoint Manager

 

#:19 [wltrysvc.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1748

ThreadCreationTime : 1-27-2007 8:49:25 PM

BasePriority : Normal

 

 

#:20 [bcmwltry.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1832

ThreadCreationTime : 1-27-2007 8:49:25 PM

BasePriority : Normal

FileVersion : 3.40.74.0

ProductVersion : 3.40.74.0

ProductName : Dell Wireless WLAN Card Wireless Network Tray Applet

CompanyName : Dell Computer Corporation

FileDescription : Dell Wireless WLAN Card Wireless Network Tray Applet

InternalName : bcmwltry.exe

LegalCopyright : 1998-2003, Dell Computer Corporation All Rights Reserved.

OriginalFilename : bcmwltry.exe

 

#:21 [alg.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 296

ThreadCreationTime : 1-27-2007 8:49:28 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Application Layer Gateway Service

InternalName : ALG.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : ALG.exe

 

#:22 [explorer.exe]

FilePath : C:\WINDOWS\

ProcessID : 1928

ThreadCreationTime : 1-27-2007 8:49:35 PM

BasePriority : Normal

FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 6.00.2900.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Windows Explorer

InternalName : explorer

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : EXPLORER.EXE

 

#:23 [vptray.exe]

FilePath : C:\PROGRA~1\SYMANT~1\SYMANT~1\

ProcessID : 1820

ThreadCreationTime : 1-27-2007 8:49:37 PM

BasePriority : Normal

FileVersion : 8.00.00.9374

ProductVersion : 8.00.00.9374

ProductName : Symantec AntiVirus

CompanyName : Symantec Corporation

FileDescription : Symantec AntiVirus

LegalCopyright : Copyright © Symantec Corporation 1991-2002

 

#:24 [realsched.exe]

FilePath : C:\Program Files\Common Files\Real\Update_OB\

ProcessID : 2068

ThreadCreationTime : 1-27-2007 8:49:37 PM

BasePriority : Normal

FileVersion : 0.1.0.3249

ProductVersion : 0.1.0.3249

ProductName : RealPlayer (32-bit)

CompanyName : RealNetworks, Inc.

FileDescription : RealNetworks Scheduler

InternalName : schedapp

LegalCopyright : Copyright © RealNetworks, Inc. 1995-2004

LegalTrademarks : RealAudio is a trademark of RealNetworks, Inc.

OriginalFilename : realsched.exe

 

#:25 [mm_tray.exe]

FilePath : C:\Program Files\MUSICMATCH\Musicmatch Jukebox\

ProcessID : 2100

ThreadCreationTime : 1-27-2007 8:49:38 PM

BasePriority : Normal

FileVersion : 10.00.3058

ProductVersion : 10.00.3058

ProductName : Musicmatch Jukebox

CompanyName : Musicmatch, Inc.

FileDescription : mm_tray

InternalName : mm_tray

LegalCopyright : Copyright © Musicmatch 1998-2004

LegalTrademarks :

OriginalFilename : mm_tray.exe

 

#:26 [type32.exe]

FilePath : C:\Program Files\Microsoft IntelliType Pro\

ProcessID : 2116

ThreadCreationTime : 1-27-2007 8:49:38 PM

BasePriority : Normal

 

 

#:27 [ctfmon.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 2124

ThreadCreationTime : 1-27-2007 8:49:38 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : CTF Loader

InternalName : CTFMON

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : CTFMON.EXE

 

#:28 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 2152

ThreadCreationTime : 1-27-2007 8:49:38 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:29 [viewmgr.exe]

FilePath : C:\Program Files\Viewpoint\Viewpoint Manager\

ProcessID : 1776

ThreadCreationTime : 1-27-2007 8:50:26 PM

BasePriority : Normal

FileVersion : 2, 0, 0, 54

ProductVersion : 2, 0, 0, 54

ProductName : Viewpoint Manager

CompanyName : Viewpoint Corporation

FileDescription : ViewMgr

InternalName : Viewpoint Manager

LegalCopyright : Copyright © 2004

OriginalFilename : ViewMgr.exe

Comments : Viewpoint Manager

 

#:30 [wscntfy.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 2060

ThreadCreationTime : 1-27-2007 8:50:27 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Windows Security Center Notification App

InternalName : wscntfy.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : wscntfy.exe

 

#:31 [28108.exe]

FilePath : C:\Documents and Settings\Steve\Application Data\

ProcessID : 2300

ThreadCreationTime : 1-27-2007 8:50:31 PM

BasePriority : Normal

 

 

PestTrap Object Recognized!

Type : Process

Data : 28108.exe

TAC Rating : 3

Category : Malware

Comment :

Object : C:\Documents and Settings\Steve\Application Data\

 

 

"C:\Documents and Settings\Steve\Application Data\28108.exe"Process terminated successfully

"C:\Documents and Settings\Steve\Application Data\28108.exe"Process terminated successfully

 

#:32 [ad-aware.exe]

FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\

ProcessID : 3608

ThreadCreationTime : 1-27-2007 9:03:34 PM

BasePriority : Normal

FileVersion : 6.2.0.236

ProductVersion : SE 106

ProductName : Lavasoft Ad-Aware SE

CompanyName : Lavasoft Sweden

FileDescription : Ad-Aware SE Core application

InternalName : Ad-Aware.exe

LegalCopyright : Copyright © Lavasoft AB Sweden

OriginalFilename : Ad-Aware.exe

Comments : All Rights Reserved

 

Memory scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 1

Objects found so far: 12

 

 

Started registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Registry Scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 12

 

 

Started deep registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

PestTrap Object Recognized!

Type : RegValue

Data :

TAC Rating : 3

Category : Malware

Comment : "Windows installer"

Rootkey : HKEY_CURRENT_USER

Object : Software\Microsoft\Windows\CurrentVersion\Run

Value : Windows installer

 

PestTrap Object Recognized!

Type : File

Data : winstall.exe

TAC Rating : 3

Category : Malware

Comment :

Object : c:\

 

 

 

Deep registry scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 1

Objects found so far: 14

 

 

Started Tracking Cookie scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : [email protected][2].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:2

Value : Cookie:[email protected]/

Expires : 1-26-2009 12:51:00 PM

LastSync : Hits:2

UseCount : 0

Hits : 2

 

Tracking cookie scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 1

Objects found so far: 15

 

 

 

Deep scanning and examining files (C:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

PestTrap Object Recognized!

Type : File

Data : 28108.exe

TAC Rating : 3

Category : Malware

Comment :

Object : C:\Documents and Settings\Steve\Application Data\

 

 

 

Disk Scan Result for C:\

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 16

 

 

Scanning Hosts file......

Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Hosts file scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

1 entries scanned.

New critical objects:0

Objects found so far: 16

 

 

 

 

Performing conditional scans...

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Other Object Recognized!

Type : File

Data : 28108.EXE-0675F757.pf

TAC Rating : 7

Category : Malware

Comment :

Object : C:\WINDOWS\prefetch\

 

 

 

Conditional scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 1

Objects found so far: 17

 

1:32:11 PM Scan Complete

 

Summary Of This Scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Total scanning time:00:27:37.533

Objects scanned:152918

Objects identified:7

Objects ignored:0

New critical objects:7

 

 

 

 

 

HijackThis Logfile:

 

Logfile of HijackThis v1.99.1

Scan saved at 1:44:31 PM, on 1/27/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Digidesign\Drivers\MMERefresh.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\System32\snmp.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\System32\wltrysvc.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe

C:\Program Files\Microsoft IntelliType Pro\type32.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\HijackThis\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"

O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\system32\ntsystem.exe

O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"

O4 - HKCU\..\Run: [Explorer] C:\WINDOWS\system32\shellexp.exe en

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} (BewitchedGameClass Control) - http://download.games.yahoo.com/games/web_...itched/main.cab

O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game02.zylom.com/activex/zylomgamesplayer.cab

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe

O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


Hey there,

The way you're posting the logs is fine as it is; you don't need to attach them.

Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible.

We are going to boot into Safe Mode later in the fix, and there is no internet access.

 

I see you have Viewpoint installed:

Viewpoint Manager is considered to be foistware rather than malware, since it is installed without your approval but doesn't actually spy or do anything "bad". This will soon change, according to this article, which you may want to read: http://www.clickz.com/news/article.php/3561546

I recommend that you remove the Viewpoint products. If you do decide to get rid of it, please remove all references to Viewpoint from Add/Remove Programs.

 

Please download AVG Anti-Spyware to your Desktop.

Start the set-up program by double clicking the installer.

Follow the on screen instructions to install the program, making sure that "Launch AVG Anti-Spyware" is checked.

Click the Update tab then select Start update; a progress bar will show the updates being installed.

Now press the Scanner icon, and click the Settings tab.

Click Recommended actions, then set it to Quarantine.

Close the program now, we will scan with it later on.

 

Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

 

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\system32\ntsystem.exe

O4 - HKCU\..\Run: [Explorer] C:\WINDOWS\system32\shellexp.exe en

O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game02.zylom.com/activex/zylomgamesplayer.cab

 

Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

 

Now, please reboot your computer into Safe Mode.

This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.

Then select Safe Mode from the list.

 

Set your system to show all files.

Navigate to Start | My Computer | Tools | Folder Options.

Select the View tab. Under the "Hidden Files and Folders" heading, select "Show hidden files and folders".

Uncheck: Hide file extensions for known file types

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm.

 

Next, please find and delete the following files (if present):

 

C:\WINDOWS\system32\ntsystem.exe

C:\WINDOWS\system32\shellexp.exe

 

Also delete this folder if you removed Viewpoint:

 

C:\Program Files\Viewpoint

 

Let's clean out your temporary internet files:

Close all open windows before we start.

Go to Start | Control Panel | Internet Options | General.

Click the Delete Cookies button.

Next to it, click the Delete Files button.

When prompted, place a check in: 'Delete all offline content', click OK

 

If you have Firefox installed, we need to clean out these temporary files as well:

Go to Tools | Options.

Click Privacy.

Press the Clear button located to the right of each option (History, Cookies, Cache).

Click OK to finish, before closing it.

Alternatively, you can clear all information stored while browsing by clicking Clear All.

A confirmation dialog box will be shown before clearing the information.

 

Now we'll clean other temporary files and your Recycle Bin:

Go to Start | Run | type: cleanmgr | OK.

Let it scan your system for files to remove.

Make sure 'Temporary Files', 'Temporary Internet Files', and 'Recycle Bin' are the only things checked.

Press OK to remove them.

 

Launch AVG Anti-Spyware by double clicking the icon on your Desktop.

Press the Scanner icon.

Then click on the Complete System Scan button.

If any infections are found, you will be asked for an action; select Apply all actions.

Now press the Reports icon at the top.

Choose Save report as and save the text file to your Desktop.

Please post this log in your next reply.

 

Reboot into Normal Mode again.

 

Please post me back the AVG report, along with a new HijackThis log.

Thanks,

Charles


I have done all you asked:

 

I could not find:

 

WINDOWS\ntsystem.exe

WINDOWS\shellexp.exe

 

AVG Report:

 

---------------------------------------------------------

AVG Anti-Spyware - Scan Report

---------------------------------------------------------

 

+ Created at: 8:41:53 PM 1/27/2007

 

+ Scan result:

 

 

 

C:\Documents and Settings\Steve\Local Settings\Temp\temp.fr533E\Uninstall.exe -> Adware.Spysheriff : Cleaned.

C:\Documents and Settings\Steve\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-28e0253d-5358d288.class -> Downloader.OpenStream.y : Cleaned.

C:\Documents and Settings\Steve\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-352f55f0-4d4dbbee.class -> Downloader.OpenStream.y : Cleaned.

C:\Documents and Settings\Steve\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-52d8b673-519ffd07.class -> Downloader.OpenStream.y : Cleaned.

C:\Documents and Settings\Steve\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-5a8a5bd2-10b2b66f.class -> Downloader.OpenStream.y : Cleaned.

C:\Documents and Settings\Sally\Cookies\[email protected][1].txt -> TrackingCookie.Atdmt : Cleaned.

C:\Documents and Settings\Sally\Cookies\[email protected][1].txt -> TrackingCookie.Doubleclick : Cleaned.

C:\Documents and Settings\Guest\Cookies\[email protected][2].txt -> TrackingCookie.Information : Cleaned.

C:\Documents and Settings\Sally\Cookies\[email protected][1].txt -> TrackingCookie.Mediaplex : Cleaned.

C:\Documents and Settings\Sally\Cookies\[email protected][1].txt -> TrackingCookie.Overture : Cleaned.

C:\Documents and Settings\Sally\Cookies\[email protected][1].txt -> TrackingCookie.Overture : Cleaned.

 

 

::Report end

 

 

 

HijackThis Log:

 

 

Logfile of HijackThis v1.99.1

Scan saved at 8:49:22 PM, on 1/27/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Digidesign\Drivers\MMERefresh.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\System32\wltrysvc.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe

C:\Program Files\Microsoft IntelliType Pro\type32.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\HijackThis\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"

O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [INTERNATIONAL] International*

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} (BewitchedGameClass Control) - http://download.games.yahoo.com/games/web_...itched/main.cab

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe

O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

 

 

 

 

Steve

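Charles's fix list above and Steve's follow-up log are the two halves of one check: pick the HijackThis entries to fix, remember that Fix Checked only deletes the registry value and not the file it points at (which is why the Safe Mode delete step follows), then compare the new log against the old one to confirm what actually went away. The script below is an added example, not code from the thread or from HijackThis itself; it runs over two short logs constructed from lines posted in this thread, and the known-good sets (KNOWN_SYSTEM32_RUN, KNOWN_WINLOGON_NOTIFY, TRUSTED_DPF_HOSTS) and the "unrecognised binary in system32" heuristic are this example's own assumptions, not HijackThis rules.

```python
"""Triage a HijackThis v1.99 log and diff a before/after pair.

Added example, not from the thread or from HijackThis. The logs at the bottom
are constructed from entries posted in this thread (trimmed, not complete); the
known-good sets and the heuristics are this example's assumptions.
"""
import re
from urllib.parse import urlparse

# Entry shapes handled here, e.g.
#   O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\system32\ntsystem.exe
#   O16 - DPF: {CLSID} (Name) - http://host/file.cab
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]+?\.(?:exe|dll))"?', re.IGNORECASE)

# Assumed known-good sets for this XP SP2 box; widen them for another machine.
KNOWN_SYSTEM32_RUN = {"ctfmon.exe"}                        # the one system32 Run target XP adds itself
KNOWN_WINLOGON_NOTIFY = {"navlogon.dll", "wgalogon.dll"}   # Symantec AV and WGA, both seen in the thread
TRUSTED_DPF_HOSTS = {"go.microsoft.com", "update.microsoft.com"}


def parse_log(text):
    """Return [(section, body)] for every R*/O* entry; headers and process lists are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(entries):
    """Return (findings, files): findings are (section, reason, body) worth fixing;
    files are the on-disk targets of flagged Run entries, which Fix Checked does
    NOT delete (it removes the registry value only), so they are removed by hand."""
    findings, files = [], []
    for section, body in entries:
        if body.endswith("(no file)"):
            findings.append((section, "orphaned entry, target no longer on disk", body))
        elif section == "O4":
            m = RUN_RE.match(body)
            if not m:                                      # Global Startup .lnk lines etc.
                continue
            p = PATH_RE.search(m.group("cmd"))
            path = p.group(1) if p else m.group("cmd")
            base = path.rsplit("\\", 1)[-1].lower()
            if "\\system32\\" in path.lower() and base not in KNOWN_SYSTEM32_RUN:
                findings.append((section, "unrecognised system32 binary in a Run key", body))
                files.append(path)
        elif section == "O16":
            host = urlparse(body.rsplit(" - ", 1)[-1]).hostname or ""
            if host not in TRUSTED_DPF_HOSTS:
                findings.append((section, f"ActiveX control downloaded from {host}", body))
        elif section == "O20":
            dll = body.rsplit(" - ", 1)[-1].rsplit("\\", 1)[-1].lower()
            if dll not in KNOWN_WINLOGON_NOTIFY:
                findings.append((section, "unrecognised Winlogon Notify DLL", body))
        elif section == "O23" and " - Unknown owner - " in body:
            findings.append((section, "service binary carries no company name", body))
    return findings, files


def diff_logs(before, after):
    """Return (removed, added) entries between two logs from the same machine."""
    old, new = set(parse_log(before)), set(parse_log(after))
    return sorted(old - new), sorted(new - old)


# Constructed from lines posted in this thread; not the complete logs.
BEFORE = r"""
Logfile of HijackThis v1.99.1
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\system32\ntsystem.exe
O4 - HKCU\..\Run: [Explorer] C:\WINDOWS\system32\shellexp.exe en
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game02.zylom.com/activex/zylomgamesplayer.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
"""
AFTER = r"""
Logfile of HijackThis v1.99.1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
"""

if __name__ == "__main__":
    findings, files = triage(parse_log(BEFORE))
    for section, reason, body in findings:
        print(f"[{section}] {reason}\n    {body}")
    print("delete by hand after Fix Checked:", *files, sep="\n    ")
    removed, added = diff_logs(BEFORE, AFTER)
    print(f"{len(removed)} entries gone and {len(added)} new since the first log")
```

On a real log the known-good sets have to be widened for that machine's software; the point is that anything a Run key launches from system32 which you cannot account for, and any O16 download from a domain the user did not choose, gets looked at before it gets fixed, and that the flagged binaries are deleted separately because Fix Checked leaves them on disk.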

Hi Steve,

Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible.

We are going to boot into Safe Mode later in the fix, and there is no internet access.

 

Please download ATF Cleaner. Don't run it yet.

 

Now, please reboot your computer into Safe Mode.

This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.

Then select Safe Mode from the list.

 

Double click ATF-Cleaner.exe to run the program.

Under Main choose Select All

Click the Empty Selected button.

 

If you use Firefox browser

Click Firefox at the top and choose Select All

Click the Empty Selected button.

Note: If you would like to keep your saved passwords, please click "No" at the prompt.

 

If you use Opera browser

Click Opera at the top and choose: Select All

Click the Empty Selected button.

Note: If you would like to keep your saved passwords, please click "No" at the prompt.

 

Click Exit on the main menu to close the program.

 

Click Start | Control Panel.

Double click the Java icon.

Click Settings under "Temporary Internet Files".

Press Delete Files.

A window will open with three options to clear the cache.

- Delete Files

- View Applications

- View Applets

Click OK on "Delete Temporary Files" window.

Note: This deletes all the Downloaded Applications and Applets from the cache.

Click OK on "Temporary Files Settings" window.

 

Reboot into Normal Mode.

 

Let me know in your next post- how are things running now?

Thanks,

Charles


Charles,

 

I was able to do the ATF Cleaner stuff.

 

Then went to Start | Control Panel; saw "Java Plug-in" instead of a Java icon. Clicked on the Java icon and on all the different tabs; only saw "Settings" under "Browser" and did not see "Temporary Internet Files" at all.

 

This version of Java is Java 2 Runtime Environment Standard Edition 1.4.2_03.

 

Then I rebooted in Normal mode. Problems still exist; now I am emailing you back.

 

Steve

 

 

 

 

 

 


Hey Steve,

Don't worry about the Java steps, ATF Cleaner will have removed them hopefully.

"Problems still exist, now I am Emailing you back."

Can you let me know what kind of problems you are still having, please.

Thanks,

Charles


I still have ALL original problems and that pest trap icon (red circle with a white X) has reasserted itself in my tray telling me my computer is infected:

 

-Computer is slower than normal

 

-Cannot put a picture on my desktop; when I go into CONTROL PANEL| DISPLAY| DESKTOP TAB| BACKGROUND will only allow me to select none.

 

-I have seen no change and have not cruised the internet since I did your last procedure.

 

Steve

 

 

 


Just thought you might ask for a full system scan and a HijackThis log, so I just went ahead and did them:

 

 

Ad-Aware SE Build 1.06r1

Logfile Created on:Tuesday, January 30, 2007 7:45:36 PM

Created with Ad-Aware SE Personal, free for private use.

Using definitions file:SE1R147 25.01.2007

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

References detected during the scan:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

MRU List(TAC index:0):14 total references

Other(TAC index:5):1 total references

PestTrap(TAC index:3):4 total references

Tracking Cookie(TAC index:3):2 total references

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Ad-Aware SE Settings

===========================

Set : Search for negligible risk entries

Set : Safe mode (always request confirmation)

Set : Scan active processes

Set : Scan registry

Set : Deep-scan registry

Set : Scan my IE Favorites for banned URLs

Set : Scan my Hosts file

 

Extended Ad-Aware SE Settings

===========================

Set : Unload recognized processes & modules during scan

Set : Scan registry for all users instead of current user only

Set : Always try to unload modules before deletion

Set : During removal, unload Explorer and IE if necessary

Set : Let Windows remove files in use at next reboot

Set : Delete quarantined objects after restoring

Set : Include basic Ad-Aware settings in log file

Set : Include additional Ad-Aware settings in log file

Set : Include reference summary in log file

Set : Include alternate data stream details in log file

Set : Play sound at scan completion if scan locates critical objects

 

 

1-30-2007 7:45:36 PM - Scan started. (Full System Scan)

 

MRU List Object Recognized!

Location: : C:\Documents and Settings\Steve\Application Data\microsoft\office\recent

Description : list of recently opened documents using microsoft office

 

 

MRU List Object Recognized!

Location: : C:\Documents and Settings\Steve\recent

Description : list of recently opened documents

 

 

MRU List Object Recognized!

Location: : software\microsoft\direct3d\mostrecentapplication

Description : most recent application to use microsoft direct3d

 

 

MRU List Object Recognized!

Location: : software\microsoft\direct3d\mostrecentapplication

Description : most recent application to use microsoft direct X

 

 

MRU List Object Recognized!

Location: : software\microsoft\directdraw\mostrecentapplication

Description : most recent application to use microsoft directdraw

 

 

MRU List Object Recognized!

Location: : S-1-5-21-3895149624-824023418-3409356266-1006\software\microsoft\directinput\mostrecentapplication

Description : most recent application to use microsoft directinput

 

 

MRU List Object Recognized!

Location: : S-1-5-21-3895149624-824023418-3409356266-1006\software\microsoft\directinput\mostrecentapplication

Description : most recent application to use microsoft directinput

 

 

MRU List Object Recognized!

Location: : S-1-5-21-3895149624-824023418-3409356266-1006\software\microsoft\internet explorer

Description : last download directory used in microsoft internet explorer

 

 

MRU List Object Recognized!

Location: : S-1-5-21-3895149624-824023418-3409356266-1006\software\microsoft\office\11.0\common\open find\microsoft office word\settings\save as\file name mru

Description : list of recent documents saved by microsoft word

 

 

MRU List Object Recognized!

Location: : S-1-5-21-3895149624-824023418-3409356266-1006\software\microsoft\search assistant\acmru

Description : list of recent search terms used with the search assistant

 

 

MRU List Object Recognized!

Location: : S-1-5-21-3895149624-824023418-3409356266-1006\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru

Description : list of recent programs opened

 

 

MRU List Object Recognized!

Location: : S-1-5-21-3895149624-824023418-3409356266-1006\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru

Description : list of recently saved files, stored according to file extension

 

 

MRU List Object Recognized!

Location: : S-1-5-21-3895149624-824023418-3409356266-1006\software\microsoft\windows\currentversion\explorer\recentdocs

Description : list of recent documents opened

 

 

MRU List Object Recognized!

Location: : S-1-5-21-3895149624-824023418-3409356266-1006\software\microsoft\windows media\wmsdk\general

Description : windows media sdk

 

 

Listing running processes

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

#:1 [smss.exe]

FilePath : \SystemRoot\System32\

ProcessID : 568

ThreadCreationTime : 1-31-2007 3:12:40 AM

BasePriority : Normal

 

 

#:2 [csrss.exe]

FilePath : \??\C:\WINDOWS\system32\

ProcessID : 632

ThreadCreationTime : 1-31-2007 3:12:42 AM

BasePriority : Normal

 

 

#:3 [winlogon.exe]

FilePath : \??\C:\WINDOWS\system32\

ProcessID : 656

ThreadCreationTime : 1-31-2007 3:12:43 AM

BasePriority : High

 

 

#:4 [services.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 700

ThreadCreationTime : 1-31-2007 3:12:43 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Services and Controller app

InternalName : services.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : services.exe

 

#:5 [lsass.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 712

ThreadCreationTime : 1-31-2007 3:12:43 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : LSA Shell (Export Version)

InternalName : lsass.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : lsass.exe

 

#:6 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 884

ThreadCreationTime : 1-31-2007 3:12:44 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:7 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 940

ThreadCreationTime : 1-31-2007 3:12:44 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:8 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 976

ThreadCreationTime : 1-31-2007 3:12:45 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:9 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1024

ThreadCreationTime : 1-31-2007 3:12:45 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:10 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1084

ThreadCreationTime : 1-31-2007 3:12:45 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:11 [lexbces.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1352

ThreadCreationTime : 1-31-2007 3:12:47 AM

BasePriority : Normal

FileVersion : 9.45

ProductVersion : 9.45

ProductName : MarkVision for Windows (32 bit)

CompanyName : Lexmark International, Inc.

FileDescription : LexBce Service

InternalName : LexBce Service

LegalCopyright : © 1993 - 2004 Lexmark International, Inc.

OriginalFilename : LexBceS.exe

 

#:12 [spoolsv.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1380

ThreadCreationTime : 1-31-2007 3:12:47 AM

BasePriority : Normal

FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)

ProductVersion : 5.1.2600.2696

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Spooler SubSystem App

InternalName : spoolsv.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : spoolsv.exe

 

#:13 [lexpps.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1388

ThreadCreationTime : 1-31-2007 3:12:47 AM

BasePriority : Normal

FileVersion : 9.45

ProductVersion : 9.45

ProductName : MarkVision for Windows (32 bit)

CompanyName : Lexmark International, Inc.

FileDescription : LEXPPS.EXE

InternalName : LEXPPS

LegalCopyright : © 1993 - 2004 Lexmark International, Inc.

OriginalFilename : LEXPPS.EXE

Comments : MarkVision for Windows '95 New P2P Server (32-bit)

 

#:14 [guard.exe]

FilePath : C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\

ProcessID : 1540

ThreadCreationTime : 1-31-2007 3:12:49 AM

BasePriority : Normal

FileVersion : 7, 5, 0, 47

ProductVersion : 7, 5, 0, 47

ProductName : AVG Anti-Spyware

CompanyName : Anti-Malware Development a.s.

FileDescription : AVG Anti-Spyware guard

InternalName : AVG Anti-Spyware guard

LegalCopyright : Copyright © 2006 Anti-Malware Development a.s.

OriginalFilename : guard.exe

 

#:15 [defwatch.exe]

FilePath : C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\

ProcessID : 1556

ThreadCreationTime : 1-31-2007 3:12:49 AM

BasePriority : Normal

FileVersion : 8.00.00.9374

ProductVersion : 8.00.00.9374

ProductName : Norton AntiVirus

CompanyName : Symantec Corporation

FileDescription : Virus Definition Daemon

InternalName : DefWatch

LegalCopyright : Copyright © 1998 Symantec Corporation

OriginalFilename : DefWatch.exe

 

#:16 [mmerefresh.exe]

FilePath : C:\Program Files\Digidesign\Drivers\

ProcessID : 1572

ThreadCreationTime : 1-31-2007 3:12:49 AM

BasePriority : Normal

FileVersion : 6.4.0.138

ProductVersion : 6.4

ProductName : Digidesign MME Binder

CompanyName : Digidesign, A Division of Avid Technology, Inc.

FileDescription : Digidesign MME Binder

InternalName : MMERefresh.exe

LegalCopyright : ©1999-2004 Digidesign, A Division of Avid Technology, Inc.

OriginalFilename : MMERefresh.exe

 

#:17 [rtvscan.exe]

FilePath : C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\

ProcessID : 1632

ThreadCreationTime : 1-31-2007 3:12:49 AM

BasePriority : Normal

FileVersion : 8.00.00.9374

ProductVersion : 8.00.00.9374

ProductName : Symantec AntiVirus

CompanyName : Symantec Corporation

FileDescription : Symantec AntiVirus

LegalCopyright : Copyright © Symantec Corporation 1991-2002

 

#:18 [snmp.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1700

ThreadCreationTime : 1-31-2007 3:12:50 AM

BasePriority : Normal

FileVersion : 5.1.2600.3038 (xpsp_sp2_gdr.061119-2303)

ProductVersion : 5.1.2600.3038

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : SNMP Service

InternalName : snmp.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : snmp.exe

 

#:19 [wltrysvc.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1732

ThreadCreationTime : 1-31-2007 3:12:50 AM

BasePriority : Normal

 

 

#:20 [bcmwltry.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1792

ThreadCreationTime : 1-31-2007 3:12:50 AM

BasePriority : Normal

FileVersion : 3.40.74.0

ProductVersion : 3.40.74.0

ProductName : Dell Wireless WLAN Card Wireless Network Tray Applet

CompanyName : Dell Computer Corporation

FileDescription : Dell Wireless WLAN Card Wireless Network Tray Applet

InternalName : bcmwltry.exe

LegalCopyright : 1998-2003, Dell Computer Corporation All Rights Reserved.

OriginalFilename : bcmwltry.exe

 

#:21 [alg.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 364

ThreadCreationTime : 1-31-2007 3:12:58 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Application Layer Gateway Service

InternalName : ALG.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : ALG.exe

 

#:22 [explorer.exe]

FilePath : C:\WINDOWS\

ProcessID : 1224

ThreadCreationTime : 1-31-2007 3:13:03 AM

BasePriority : Normal

FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 6.00.2900.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Windows Explorer

InternalName : explorer

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : EXPLORER.EXE

 

#:23 [vptray.exe]

FilePath : C:\PROGRA~1\SYMANT~1\SYMANT~1\

ProcessID : 2200

ThreadCreationTime : 1-31-2007 3:13:06 AM

BasePriority : Normal

FileVersion : 8.00.00.9374

ProductVersion : 8.00.00.9374

ProductName : Symantec AntiVirus

CompanyName : Symantec Corporation

FileDescription : Symantec AntiVirus

LegalCopyright : Copyright © Symantec Corporation 1991-2002

 

#:24 [realsched.exe]

FilePath : C:\Program Files\Common Files\Real\Update_OB\

ProcessID : 2224

ThreadCreationTime : 1-31-2007 3:13:06 AM

BasePriority : Normal

FileVersion : 0.1.0.3249

ProductVersion : 0.1.0.3249

ProductName : RealPlayer (32-bit)

CompanyName : RealNetworks, Inc.

FileDescription : RealNetworks Scheduler

InternalName : schedapp

LegalCopyright : Copyright © RealNetworks, Inc. 1995-2004

LegalTrademarks : RealAudio is a trademark of RealNetworks, Inc.

OriginalFilename : realsched.exe

 

#:25 [mm_tray.exe]

FilePath : C:\Program Files\MUSICMATCH\Musicmatch Jukebox\

ProcessID : 2272

ThreadCreationTime : 1-31-2007 3:13:07 AM

BasePriority : Normal

FileVersion : 10.00.3058

ProductVersion : 10.00.3058

ProductName : Musicmatch Jukebox

CompanyName : Musicmatch, Inc.

FileDescription : mm_tray

InternalName : mm_tray

LegalCopyright : Copyright © Musicmatch 1998-2004

LegalTrademarks :

OriginalFilename : mm_tray.exe

 

#:26 [type32.exe]

FilePath : C:\Program Files\Microsoft IntelliType Pro\

ProcessID : 2352

ThreadCreationTime : 1-31-2007 3:13:07 AM

BasePriority : Normal

 

 

#:27 [avgas.exe]

FilePath : C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\

ProcessID : 2384

ThreadCreationTime : 1-31-2007 3:13:07 AM

BasePriority : Normal

FileVersion : 7, 5, 0, 50

ProductVersion : 7, 5, 0, 50

ProductName : AVG Anti-Spyware

CompanyName : Anti-Malware Development a.s.

FileDescription : AVG Anti-Spyware

InternalName : AVG Anti-Spyware

LegalCopyright : Copyright © 2006 Anti-Malware Development a.s.

OriginalFilename : avgas.exe

 

#:28 [ctfmon.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 2480

ThreadCreationTime : 1-31-2007 3:13:08 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : CTF Loader

InternalName : CTFMON

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : CTFMON.EXE

 

#:29 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 3340

ThreadCreationTime : 1-31-2007 3:13:14 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:30 [wscntfy.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 2368

ThreadCreationTime : 1-31-2007 3:13:53 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Windows Security Center Notification App

InternalName : wscntfy.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : wscntfy.exe

 

#:31 [48878.exe]

FilePath : C:\Documents and Settings\Steve\Application Data\

ProcessID : 3468

ThreadCreationTime : 1-31-2007 3:14:29 AM

BasePriority : Normal

 

 

PestTrap Object Recognized!

Type : Process

Data : 48878.exe

TAC Rating : 3

Category : Malware

Comment :

Object : C:\Documents and Settings\Steve\Application Data\

 

 

"C:\Documents and Settings\Steve\Application Data\48878.exe"Process terminated successfully

"C:\Documents and Settings\Steve\Application Data\48878.exe"Process terminated successfully

 

#:32 [ad-aware.exe]

FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\

ProcessID : 2980

ThreadCreationTime : 1-31-2007 3:44:29 AM

BasePriority : Normal

FileVersion : 6.2.0.236

ProductVersion : SE 106

ProductName : Lavasoft Ad-Aware SE

CompanyName : Lavasoft Sweden

FileDescription : Ad-Aware SE Core application

InternalName : Ad-Aware.exe

LegalCopyright : Copyright © Lavasoft AB Sweden

OriginalFilename : Ad-Aware.exe

Comments : All Rights Reserved

 

Memory scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 1

Objects found so far: 15

 

 

Started registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Registry Scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 15

 

 

Started deep registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

PestTrap Object Recognized!

Type : RegValue

Data :

TAC Rating : 3

Category : Malware

Comment : "Windows installer"

Rootkey : HKEY_CURRENT_USER

Object : Software\Microsoft\Windows\CurrentVersion\Run

Value : Windows installer

 

PestTrap Object Recognized!

Type : File

Data : winstall.exe

TAC Rating : 3

Category : Malware

Comment :

Object : c:\

 

 

 

Deep registry scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 1

Objects found so far: 17

 

 

Started Tracking Cookie scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : [email protected][1].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:2

Value : Cookie:[email protected]/

Expires : 1-29-2011 7:41:38 PM

LastSync : Hits:2

UseCount : 0

Hits : 2

 

Tracking cookie scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 1

Objects found so far: 18

 

 

 

Deep scanning and examining files (C:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : [email protected][1].txt

TAC Rating : 3

Category : Data Miner

Comment :

Value : C:\Documents and Settings\Sally\Cookies\[email protected][1].txt

 

PestTrap Object Recognized!

Type : File

Data : 48878.exe

TAC Rating : 3

Category : Malware

Comment :

Object : C:\Documents and Settings\Steve\Application Data\

 

 

 

Disk Scan Result for C:\

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 20

 

 

Scanning Hosts file......

Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Hosts file scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

1 entries scanned.

New critical objects:0

Objects found so far: 20

 

 

 

 

Performing conditional scans...

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Other Object Recognized!

Type : File

Data : 48878.EXE-366BEE23.pf

TAC Rating : 7

Category : Malware

Comment :

Object : C:\WINDOWS\prefetch\

 

 

 

Conditional scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 1

Objects found so far: 21

 

8:23:00 PM Scan Complete

 

Summary Of This Scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Total scanning time:00:37:23.636

Objects scanned:145393

Objects identified:8

Objects ignored:0

New critical objects:8

 

 

 

 

 

 

 

 

 

HijackThis Log

 

Logfile of HijackThis v1.99.1

Scan saved at 8:41:59 PM, on 1/30/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Digidesign\Drivers\MMERefresh.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\System32\wltrysvc.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe

C:\Program Files\Microsoft IntelliType Pro\type32.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe

C:\Program Files\HijackThis\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"

O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} (BewitchedGameClass Control) - http://download.games.yahoo.com/games/web_...itched/main.cab

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe

O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

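An added example, written for this page rather than taken from the original post or from any of the tools in the thread: a triage pass over the O4 (autostart) lines in the HijackThis log above. HijackThis lists every Run-key and Startup-folder entry without judging it, so the reader has to decide which ones merit a look. The rules below encode what stands out in this particular log: an executable sitting at the drive root (C:\winstall.exe), a label that borrows an operating-system name ("Windows installer") for a file outside C:\WINDOWS or Program Files, and executables launched from a user profile, Application Data or Temp directory (where Ad-Aware found 48878.exe). The 8.3 short-name expansions, the trusted-root list and the keyword list are assumptions for a default-install XP machine, not something the page states.

```python
import re
from dataclasses import dataclass, field

# The "O4" autostart lines from the HijackThis log in the post above (page data, not constructed).
HJT_O4_LINES = r"""
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
"""

# HijackThis 1.99.1 line shapes: registry Run keys and Startup-folder shortcuts.
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - (?P<hive>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.*)$")
# First absolute path ending in an executable extension, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\.+?\.(?:exe|com|scr|pif|bat|cmd|dll))\b', re.I)

# Assumptions for a stock XP install: where legitimate autostarts normally live, where they do not,
# and label words that malware borrows to look like part of the OS.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")
PROFILE_MARKERS = ("\\documents and settings\\", "\\application data\\", "\\local settings\\", "\\temp\\")
OS_WORDS = ("windows", "microsoft", "system")


@dataclass
class Finding:
    name: str
    path: str
    location: str
    reasons: list = field(default_factory=list)


def normalize(path):
    """Lower-case and expand the two 8.3 short names that appear in this log (assumed mapping)."""
    p = path.lower()
    for short, long in (("c:\\progra~1", "c:\\program files"),
                        ("c:\\docume~1", "c:\\documents and settings")):
        p = p.replace(short, long)
    return p


def assess(location, name, cmd):
    """Apply the heuristics to one autostart entry and return a Finding (empty reasons == nothing odd)."""
    m = EXE_RE.match(cmd)
    path = normalize(m.group("path")) if m else cmd.lower()
    reasons = []
    if re.fullmatch(r"[a-z]:\\[^\\]+", path):
        reasons.append("executable sits at the root of the drive")
    if any(marker in path for marker in PROFILE_MARKERS):
        reasons.append("executable lives in a user profile / temp directory")
    if not m:
        reasons.append("no recognisable executable path in the command")
    if any(w in name.lower() for w in OS_WORDS) and not path.startswith(TRUSTED_ROOTS):
        reasons.append("label imitates an OS component but path is outside Windows/Program Files")
    if "(file missing)" in cmd.lower():
        reasons.append("target file missing (stale entry, or payload already removed)")
    return Finding(name, path, location, reasons)


def triage(hjt_text):
    """Parse every O4 line and assess it; entries HijackThis did not emit as O4 are ignored."""
    findings = []
    for line in hjt_text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line) or STARTUP_RE.match(line)
        if not m:
            continue
        loc = f"{m.group('hive')}\\{m.group('key')}" if "key" in m.groupdict() else m.group("hive")
        findings.append(assess(loc, m.group("name"), m.group("cmd")))
    return findings


def suspicious(hjt_text):
    return [f for f in triage(hjt_text) if f.reasons]


if __name__ == "__main__":
    for f in triage(HJT_O4_LINES):
        print(f"{'SUSPECT' if f.reasons else 'ok':8} {f.location:16} [{f.name}] {f.path}")
        for r in f.reasons:
            print(f"         - {r}")
```

A hit means "examine this file" (hash it, read its version block the way Ad-Aware's process list does, look for its prefetch entry), not "delete it". vptray.exe and realsched.exe pass only because they live under Program Files, which is exactly the property a better-written infection will arrange to have, so the rules are a way to order the work, not a verdict.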

Hey there,

Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible.

We are going to boot into Safe Mode later in the fix, and there is no internet access.

 

Please download SmitfraudFix (by S!Ri)

Open the file and it will extract the contents (a folder named SmitfraudFix) to your Desktop.

 

Now, please reboot your computer into Safe Mode.

This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.

Then select Safe Mode from the list.

 

Once in Safe Mode, open the SmitfraudFix folder again.

Double-click smitfraudfix.cmd.

Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

 

Download Combofix to your Desktop.

Double click combofix.exe

Follow the prompts that are displayed.

Don't click on the window while the fix is running, because that will cause your system to hang.

When finished, it should produce a log, combofix.txt. Post that in your next reply.

 

Download F-Secure Blacklight and save it to your Desktop.

Double click on blbeta.exe to start the program.

Accept the user agreement and click Next.

Click Scan. You will then see a list of all the items found.

Do not choose to rename any yet! I want to see the log first because legitimate items can also be present.

BlackLight will have created a log on your Desktop named "fsbl-xxxxxxx.log" (the xxxxxxx will be the date and time of the scan).

Post that log in your next reply.

 

Please post me back the rapport.txt, along with a new HijackThis log, the BlackLight log, and the ComboFix.txt. You'll probably need more than one reply to fit it all in...

Thanks,

Charles

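When the ComboFix output comes back (it is posted in the next reply), the most telling line in it is not in the "Files Created" list but under "Reg Loading Points": the SecurityProviders value, a list of DLLs that the LSA (lsass.exe) loads at boot and that HijackThis 1.99.1 does not enumerate, which is why none of the earlier logs showed it. The added example below is editor's code, not from the thread, SmitfraudFix or ComboFix: it compares that value against the stock XP list and then pivots on ComboFix's file-creation timestamps to find what else appeared in the same minute as any non-default DLL. The stock provider list (msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll) is from memory and should be confirmed against a clean XP SP2 installation; the log lines are copied from the thread.

```python
import re
from collections import defaultdict

# Lines copied from the ComboFix log posted later in the thread (page data, not constructed).
COMBOFIX_EXCERPT = r"""
2007-01-31 21:09 79,360 --a------ C:\WINDOWS\SYSTEM32\swxcacls.exe
2007-01-31 21:09 135,168 --a------ C:\WINDOWS\SYSTEM32\swreg.exe
2007-01-27 18:54 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-01-24 21:59 121,856 --------- C:\WINDOWS\SYSTEM32\xmllite.dll
2007-01-21 00:36 17,920 --a------ C:\WINDOWS\SYSTEM32\xlibgfl254.dll
2007-01-21 00:36 <DIR> d-------- C:\DOCUME~1\Steve\Application Data\ultra
2007-01-10 20:05 <DIR> d-------- C:\WINDOWS\SxsCaPendDel

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll, xlibgfl254.dll"
"""

# Stock value of SecurityProviders on Windows XP (assumption from memory; verify on a clean box).
XP_DEFAULT_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

# ComboFix "Files Created" / "Find3M" row: date time size-or-<DIR>-or-dashes attributes path
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+(?P<size>[\d,]+|<DIR>|-+)\s+(?P<attr>\S+)\s+(?P<path>.+)$")
PROVIDERS_RE = re.compile(r'^"SecurityProviders"="(?P<list>[^"]*)"')


def parse_created(text):
    """Return (minute-stamp, path) for every file/directory row in the excerpt."""
    rows = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            rows.append((f"{m['date']} {m['time']}", m["path"]))
    return rows


def extra_security_providers(text, default=XP_DEFAULT_PROVIDERS):
    """DLLs in the SecurityProviders value that are not part of the stock list, in listed order."""
    for line in text.splitlines():
        m = PROVIDERS_RE.match(line.strip())
        if m:
            listed = [p.strip().lower() for p in m["list"].split(",") if p.strip()]
            return [p for p in listed if p not in default]
    return []


def created_same_minute(text, filename):
    """Other objects whose creation minute matches the minute in which `filename` was created."""
    by_minute = defaultdict(list)
    for stamp, path in parse_created(text):
        by_minute[stamp].append(path)
    target = "\\" + filename.lower()
    hits = []
    for paths in by_minute.values():
        if any(p.lower().endswith(target) for p in paths):
            hits.extend(p for p in paths if not p.lower().endswith(target))
    return hits


def pivot(text):
    """For every non-default provider DLL, list what else was created in the same minute."""
    return {dll: created_same_minute(text, dll) for dll in extra_security_providers(text)}


if __name__ == "__main__":
    for dll, related in pivot(COMBOFIX_EXCERPT).items():
        print(f"non-default SecurityProvider: {dll}")
        for p in related:
            print(f"    created in the same minute: {p}")
```

On this log the pivot ties xlibgfl254.dll to the Application Data\ultra directory created in the same minute (2007-01-21 00:36), a lead that none of the earlier scans produced. Two caveats. ntoskrnl.dll gets no creation match because ComboFix's window only starts at 2006-12-31, but it still deserves attention: a stock XP install has no ntoskrnl.dll (the kernel image is ntoskrnl.exe). And the six 21:09 entries on 2007-01-31 (swxcacls.exe, swreg.exe, swsc.exe, dumphive.exe, Process.exe, SrchSTS.exe) are the helper utilities SmitfraudFix drops into system32 during the cleaning run that preceded ComboFix by a quarter of an hour, so a same-minute pivot on anything created during a cleaning session should be read with the tool's own footprint excluded.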

Charles,

 

I now have the ability to load a desktop, so that is fixed. There is one more thing you should know. Just before I had this problem I loaded the browser Windows Explorer 7. I had been using Windows Explorer 6. Could this be causing my computer to be running a little slower?

 

Thanks again for all your time.

 

BlackLight (blbeta found no files so no report was logged) I did an "fsbl" search of my hard drive and no files showed up. Here are the other scans.

 

SmitFraud
 

Combo Fix

 

"Steve" - 07-01-31 21:24:45 Service Pack 2

ComboFix 07.01.31 - Running from: "C:\Documents and Settings\Steve\Desktop"

 

((((((((((((((((((((((((((((((( Files Created from 2006-12-31 to 2007-01-31 ))))))))))))))))))))))))))))))))))

 

 

2007-01-31 21:15 2,044 --a------ C:\WINDOWS\SYSTEM32\tmp.reg

2007-01-31 21:09 79,360 --a------ C:\WINDOWS\SYSTEM32\swxcacls.exe

2007-01-31 21:09 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe

2007-01-31 21:09 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe

2007-01-31 21:09 40,960 --a------ C:\WINDOWS\SYSTEM32\swsc.exe

2007-01-31 21:09 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe

2007-01-31 21:09 135,168 --a------ C:\WINDOWS\SYSTEM32\swreg.exe

2007-01-27 18:54 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys

2007-01-27 18:54 <DIR> d-------- C:\Program Files\Grisoft

2007-01-25 22:04 <DIR> d-------- C:\Program Files\HijackThis

2007-01-24 23:32 <DIR> d-------- C:\Program Files\Lavasoft

2007-01-24 22:26 <DIR> d-------- C:\WINDOWS\WBEM

2007-01-24 22:26 <DIR> d-------- C:\WINDOWS\SYSTEM32\en-US

2007-01-24 22:24 <DIR> d--h-c--- C:\WINDOWS\ie7

2007-01-24 21:59 121,856 --------- C:\WINDOWS\SYSTEM32\xmllite.dll

2007-01-24 21:58 <DIR> d-------- C:\WINDOWS\network diagnostic

2007-01-24 21:56 <DIR> d-------- C:\8a30082beaec534b01e638

2007-01-21 00:36 17,920 --a------ C:\WINDOWS\SYSTEM32\xlibgfl254.dll

2007-01-21 00:36 <DIR> d-------- C:\DOCUME~1\Steve\Application Data\ultra

2007-01-10 20:05 <DIR> d-------- C:\WINDOWS\SxsCaPendDel

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

2007-01-24 23:32 -------- d-------- C:\DOCUME~1\Steve\Application Data\lavasoft

2007-01-24 21:20 -------- d-------- C:\Program Files\enigma software group

2006-12-26 00:48 -------- d-------- C:\Program Files\windows media connect 2

2006-11-20 00:42 33280 --a------ C:\WINDOWS\SYSTEM32\snmp.exe

2006-11-07 21:06 679424 --a------ C:\WINDOWS\SYSTEM32\inetcomm.dll

2006-11-07 21:03 6049280 --------- C:\WINDOWS\SYSTEM32\ieframe.dll

2006-11-07 21:03 50688 --------- C:\WINDOWS\SYSTEM32\msfeedsbs.dll

2006-11-07 21:03 458752 --------- C:\WINDOWS\SYSTEM32\msfeeds.dll

2006-11-07 21:03 413696 --a------ C:\WINDOWS\SYSTEM32\vbscript.dll

2006-11-07 21:03 231424 --a------ C:\WINDOWS\SYSTEM32\webcheck.dll

2006-11-07 21:03 180736 --------- C:\WINDOWS\SYSTEM32\ieui.dll

2006-11-07 21:03 156160 --a------ C:\WINDOWS\SYSTEM32\msls31.dll

2006-11-07 03:27 382976 --a------ C:\WINDOWS\SYSTEM32\iedkcs32.dll

2006-11-07 03:27 229376 --a------ C:\WINDOWS\SYSTEM32\ieaksie.dll

2006-11-07 03:26 71680 --a------ C:\WINDOWS\SYSTEM32\admparse.dll

2006-11-07 03:26 55296 --a------ C:\WINDOWS\SYSTEM32\iesetup.dll

2006-11-07 03:26 54784 --a------ C:\WINDOWS\SYSTEM32\ie4uinit.exe

2006-11-07 03:26 43008 --a------ C:\WINDOWS\SYSTEM32\iernonce.dll

2006-11-07 03:26 152064 --a------ C:\WINDOWS\SYSTEM32\ieakeng.dll

2006-11-07 03:26 13312 --a------ C:\WINDOWS\SYSTEM32\ieudinit.exe

2006-11-07 03:26 123904 --a------ C:\WINDOWS\SYSTEM32\advpack.dll

2006-11-07 03:25 161792 --a------ C:\WINDOWS\SYSTEM32\ieakui.dll

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"

"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"

"MMTray"="\"C:\\Program Files\\MUSICMATCH\\Musicmatch Jukebox\\mm_tray.exe\""

"type32"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\""

"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]

"Installed"="1"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]

"Installed"="1"

"NoChange"="1"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]

"Installed"="1"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"

"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"

"location"="Common Startup"

"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE "

"item"="Adobe Reader Speed Launch"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AdwareFilter Background Protection.lnk]

"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\AdwareFilter Background Protection.lnk"

"backup"="C:\\WINDOWS\\pss\\AdwareFilter Background Protection.lnkCommon Startup"

"location"="Common Startup"

"command"="C:\\Program Files\\AdwareFilter\\adwarefilter.exe "

"item"="AdwareFilter Background Protection"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Utility Tray.lnk]

"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Utility Tray.lnk"

"backup"="C:\\WINDOWS\\pss\\Utility Tray.lnkCommon Startup"

"location"="Common Startup"

"command"="C:\\WINDOWS\\SYSTEM32\\sistray.exe "

"item"="Utility Tray"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="AGRSMMSG"

"hkey"="HKLM"

"command"="AGRSMMSG.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="Apoint"

"hkey"="HKLM"

"command"="C:\\Program Files\\Apoint\\Apoint.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DigidesignMMERefresh]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="MMERefresh"

"hkey"="HKLM"

"command"="C:\\Program Files\\Digidesign\\Drivers\\MMERefresh.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="tfswctrl"

"hkey"="HKLM"

"command"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="DVDLauncher"

"hkey"="HKLM"

"command"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPInSightLAN 02]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="IPClient"

"hkey"="HKLM"

"command"="\"C:\\Program Files\\Visual Networks\\Visual IP InSight\\SBC\\IPClient.exe\" -l"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPInSightMonitor 02]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="IPMon32"

"hkey"="HKLM"

"command"="\"C:\\Program Files\\Visual Networks\\Visual IP InSight\\SBC\\IPMon32.exe\""

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="mimboot"

"hkey"="HKLM"

"command"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~2\\mimboot.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="mm_tray"

"hkey"="HKLM"

"command"="\"C:\\Program Files\\MUSICMATCH\\Musicmatch Jukebox\\mm_tray.exe\""

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="PCMService"

"hkey"="HKLM"

"command"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="qttask"

"hkey"="HKLM"

"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="jusched"

"hkey"="HKLM"

"command"="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="realsched"

"hkey"="HKLM"

"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="sgtray"

"hkey"="HKLM"

"command"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="dumprep 0 -u"

"hkey"="HKLM"

"command"="%systemroot%\\system32\\dumprep 0 -u"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows installer]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="winstall"

"hkey"="HKCU"

"command"="C:\\winstall.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]

"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll, xlibgfl254.dll"

 

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]

HTTPFilter REG_MULTI_SZ HTTPFilter\0\0

LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0

NetworkService REG_MULTI_SZ DnsCache\0\0

DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

rpcss REG_MULTI_SZ RpcSs\0\0

imgsvc REG_MULTI_SZ StiSvc\0\0

termsvcs REG_MULTI_SZ TermService\0\0

WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

 

 

Completion time: 07-01-31 21:30:44

 

 

 

HijackThis

 

Logfile of HijackThis v1.99.1

Scan saved at 9:52:03 PM, on 1/31/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Digidesign\Drivers\MMERefresh.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\System32\wltrysvc.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe

C:\Program Files\Microsoft IntelliType Pro\type32.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\HijackThis\hijackthis\HijackThis.exe

 

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"

O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} (BewitchedGameClass Control) - http://download.games.yahoo.com/games/web_...itched/main.cab

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe

O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


Hey there,

It looks to me like you posted the ComboFix log twice, and forgot to include C:\rapport.txt. Please post me this in your next reply.

Thanks,

Charles


 

 

 

oops sorry,

 

SmitFraudFix v2.137

 

Scan done at 21:15:13.92, Wed 01/31/2007

Run from C:\Documents and Settings\Steve\Desktop\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in safe mode

 

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

 

GenericRenosFix by S!Ri

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

 

C:\WINDOWS\warnhp.html Deleted

C:\Documents and Settings\Steve\Application Data\Install.dat Deleted

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

!!!Attention, following keys are not inevitably infected!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

 

Registry Cleaning done.

 

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

 

»»»»»»»»»»»»»»»»»»»»»»»» End

 

 

 

 

 

Steve


Hey Steve,

Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible.

 

Please reboot your computer into Safe Mode.

This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.

Then select Safe Mode from the list.

 

The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous so we will make a backup of the registry first.

 

Backup the Registry:

Navigate to Start | Run and paste the following:

 

regedit /e c:\registrybackup.reg

 

Now click OK

It won't appear to be doing anything, that's normal.

Your mouse pointer may turn to an hour glass for a minute.

Please continue when it no longer has the hour glass.

 

Open Notepad and copy and paste the following quotebox into a new text document. (Don't forget to copy and paste REGEDIT4!)

 

REGEDIT4

 

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows installer]

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Save this as fix.reg. Choose to save as *all files and place it on your Desktop.

It should look like this: reg.gif

Double-click on it and when it asks you if you want to merge the contents to the registry, click Yes/OK.

 

Next, please find and delete the following files/folders (if present):

 

C:\WINDOWS\SYSTEM32\xlibgfl254.dll <--File

C:\Documents and Settings\Steve\Application Data\ultra <--Folder

C:\winstall.exe <--File

 

We need to do a search for some files. Navigate to:

Start | Search | For Files and Folders.

Expand Search Options, check Advanced Options, check Search system folders, Search hidden files and folders, and Search Subfolders.

Paste this into the Search for files and folders named box:

 

ntoskrnl.dll

 

If you find an example of this file, please remove it.

 

Reboot into Normal Mode again.

 

Please do an online scan with Kaspersky WebScanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:

Once the files have been downloaded click on Next

Select a target to scan; click on My Computer

The scan will take a while so be patient and let it run.

Once the scan is complete choose the option to Save as Text

Post these results in your next reply.

 

Please post me back the Kaspersky report.

Thanks,

Charles
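Added example, not code from this thread or from ComboFix, HijackThis or SmitFraudFix: a Python check that parses a ComboFix-style registry dump like the one posted above, flags SecurityProviders entries outside the list Windows XP ships with, and writes the same REGEDIT4 fix Charles gives for that key. The sample dump is constructed from lines in this thread; the XP baseline set and all function names are assumptions.

```python
"""
Check the SecurityProviders value in a ComboFix-style registry dump against
the providers Windows XP ships with, and emit a REGEDIT4 fix for any extras.
"""
import re

# Baseline for Windows XP SP2 (assumption; later Windows versions ship a
# different list, e.g. credssp.dll, so adjust the baseline per OS).
XP_BASELINE_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

# Constructed sample: the SecurityProviders lines as they appear in the
# ComboFix log posted in this thread, plus one unrelated key.
SAMPLE_DUMP = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll, xlibgfl254.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]

"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
'''

SECPROV_KEY = r"hkey_local_machine\system\currentcontrolset\control\securityproviders"


def parse_reg_dump(text):
    """Parse a .reg-style dump into {key_path_lower: {value_name_lower: data}}.

    Only string values of the form "name"="data" are handled, which is all this
    check needs; backslash escapes inside the data are unescaped.
    """
    keys = {}
    current = None
    value_re = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$')
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = value_re.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            keys[current][name.lower()] = re.sub(r"\\(.)", r"\1", data)
    return keys


def security_providers(keys):
    """Return the DLL names listed in SecurityProviders, in dump order."""
    data = keys.get(SECPROV_KEY, {}).get("securityproviders", "")
    return [p.strip().lower() for p in data.split(",") if p.strip()]


def unexpected_providers(keys, baseline=XP_BASELINE_PROVIDERS):
    """DLLs in SecurityProviders that are not in the baseline.

    Anything listed here is loaded as a Security Support Provider by processes
    that initialise SSPI, which is why a rogue entry is a persistence mechanism
    and why the names mimic system files: Windows has no ntoskrnl.dll (the
    kernel image is ntoskrnl.exe).
    """
    return [p for p in security_providers(keys) if p not in baseline]


def fix_reg_file(keys, baseline=XP_BASELINE_PROVIDERS):
    """Build REGEDIT4 text that keeps only baseline providers, in dump order.

    Merging this removes the hook; it does not delete the DLL files, which
    still have to be removed separately (they may be locked until reboot).
    """
    keep = [p for p in security_providers(keys) if p in baseline]
    return (
        "REGEDIT4\n\n"
        "[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\securityproviders]\n"
        '"SecurityProviders"="%s"\n' % ", ".join(keep)
    )


if __name__ == "__main__":
    parsed = parse_reg_dump(SAMPLE_DUMP)
    extras = unexpected_providers(parsed)
    print("unexpected SecurityProviders entries:", extras)
    if extras:
        print(fix_reg_file(parsed))
```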


Charles,

 

I had little luck with these procedures:

 

 

I was fine up to this point

 

C:\WINDOWS\SYSTEM32\xlibgfl254.dll <--File

C:\Documents and Settings\Steve\Application Data\ultra <--Folder

C:\winstall.exe <--File

 

 

I found the "C:\WINDOWS\SYSTEM32\xlibgfl254.dll <--File"

 

when I tried to delete it I was denied access, refused to delete.

 

These two files/folders "C:\Documents and Settings\Steve\Application Data\ultra <--Folder

C:\winstall.exe <--File"

 

I got prompted that they were not valid folders

 

 

I only got a beep and no error message when I tried to find "ntoskrnl.dll"

 

I rebooted and did the Kaspersky scan. The scan took three hours and found 5 items; there was no option to save as text. The only option I had was to start a new scan.

 

I did a search for Kaspersky in Files and Folders. Found a couple of files but no text file that showed results of scan (only a text file describing the program).

 

 

Steve

 

 

 

 

 

 

 

 


Hey there, sorry about the delay..

Download KillBox from the following link :

http://www.bleepingcomputer.com/files/killbox.php

Unzip the folder to your Desktop.

 

Start Killbox.exe

Select the "Delete on Reboot" option.

Click on the "All Files" button, which will then flash green.

Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

 

C:\WINDOWS\SYSTEM32\xlibgfl254.dll

 

Open 'File' in the menu on top and choose Paste from clipboard

You must use the File menu--pasting by right-clicking the mouse will only enter one file.

Then press the button that looks like a red circle with a white X in it.

Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click Yes.

Click OK at any Pending File Rename Operations prompt, let me know if they appear.

If you don't get that message, reboot manually.

Your computer should reboot now.

 

Please run Panda's ActiveScan instead, since you seem to be having a few problems with Kaspersky.

Once you are on the Panda site click the Scan your PC button

A new window will open, click the Check Now button.

Enter your personal details.

Click the big Scan Now button.

It will ask to install various content - please allow this.

It will start downloading the files it requires for the scan, which may take a while.

When download is complete, click on Local Disks to start the scan.

When the scan completes, click the See Report button.

Click Save Report and save the file to your Desktop, so you can post this log in your next reply.

 

Please post me back the Panda report and let me know how things are running.

Thanks,

Charles


Charles,

 

Again, good news and bad news. Pending File Rename Operations prompt did not appear but computer rebooted automatically anyway.

 

Everything worked fine until clicking on Local Disks on Panda. All I get is an "error on page message" on the lower left hand side of the window. I did this twice.

 

Steve

 

 

 

 


Hey Steve,

We'll try another scanner instead of Panda:

Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!

Follow the Instruction here for installation.

Accept the License Agreement.

Once the ActiveX installs, Click Full System Scan

Once the download completes, the scan will begin automatically.

The scan will take some time to finish, so please be patient.

When the scan completes, click the Automatic cleaning (recommended) button.

Click the Show Report button and Copy&Paste the entire report in your next reply.

 

Please post me back that log, also telling me how things are running.

Thanks,

Charles


Charles,

 

F-Secure Scan

 

Scanning Report

Sunday, February 18, 2007 19:18:29 - 23:19:09

Computer name: BOSH

Scanning type: Scan system for viruses, rootkits, spyware

Target: C:\

 

 

--------------------------------------------------------------------------------

 

Result: 3 malware found

Tracking Cookie (spyware)

System (Disinfected)

System

System (Submitted)

 

--------------------------------------------------------------------------------

 

Statistics

Scanned:

Files: 31411

System: 3927

Not scanned: 5

Actions:

Disinfected: 1

Renamed: 0

Deleted: 0

None: 2

Submitted: 1

Files not scanned:

C:\HIBERFIL.SYS

C:\PAGEFILE.SYS

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{739A91A0-9313-46E3-B0F7-7400DC8CB1D7}.BIN

C:\!KILLBOX\XLIBGFL254.DLL

 

--------------------------------------------------------------------------------

 

Options

Scanning engines:

F-Secure Libra: 2.4.2, 2007-02-14

F-Secure AVP: 7.0.171, 2007-02-18

F-Secure Orion: 1.2.37, 2007-02-19

F-Secure Blacklight: 1.0.53, 0000-00-00

F-Secure Draco: 1.0.35, 0260-02-44

F-Secure Pegasus: 1.19.0, 2007-01-12

Scanning options:

Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX

Use Advanced heuristics

 

--------------------------------------------------------------------------------

 


 

 

 

 

Lingering problem. My computer has three users: Steve; Sally; Guest. Although I have recovered the use of my desktop background (Steve) and Guest, Sally's desktop background is still stuck on none and no ability to override.

 

I cannot determine if the computer is running slowly.

 

 

Steve

 

 

 

 

 
