Welcome. Thank you for using Dell Community Forums.
I am reviewing your log. In the meantime, you can help me by addressing the following:
* Have you have posted this issue on another forum? If so, please provide a link to the topic.
* If you have disabled System Restore in an attempt to begin cleaning malware, please enable it now. We will flush System Restore when we are finished cleaning and we are sure that everything is running smoothly.
* If you are using any P2P (file sharing) programs, please remove them before we clean your computer. The nature of such software and the high incidence of malware in files downloaded with them is counter productive to restoring your PC to a healthy state. There is a list here: http://en.community.dell.com/forums/p/19241146/19367569.aspx#19367569
* If this computer belongs to someone else, do you have authority to apply the fixes we will use?
* Have you already fixed entries using HijackThis? If so, please restore all the backups and then post another log.
* After we begin working, please print or copy all instructions to Notepad in order to assist you when carrying out procedures. Please follow all instructions in sequence. Do not, on your own, install/re-install any programs or run any fixes or scanners that you have not been instructed to use because this may cause conflicts with the tools that I am using. Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.
* During the course of our cleanup please do not do any online work or surfing until we have verified that your system is clean.
* We may be using some specialized tools during our fix. Certain embedded files that are part of legitimate programs or specialized fix tools such as process.exe, restart.exe, SmiUpdate.exe, reboot.exe, ws2fix.exe, prcviewer.exe and nircmd.exe may at times be detected by some anti-virus/anti-malware scanners as a "RiskTool", "Hacking tool", "Potentially unwanted tool", or even "malware (virus/trojan)" when that is not the case. Such programs have legitimate uses in contexts where an authorized user or administrator has knowingly installed it. These detections do not necessarily mean the file is malware or a bad program. It means it has the potential for being misused by others. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them.
* If your replies do not fit in one post while we are handling your issue, please reply to yourself until all text is submitted. It may take several posts.
I look forward to your reply so we can begin cleaning.
Instructions posted for this user are customized for this user only. The tools used may cause damage if used on a computer with different infections. If you think you have similar problems, please post a HijackThis log at the top of this board to start a new forum topic.
Thank you sooo much for following up with my post so quickly. I really appreciate it. This thing has been driving me bonkers!
To answer your questions:
* No, I have not posted my issue in another forum.
* As far as i know i have not disabled my system restore. However, i did try to system restore since i recognized i had a virus and it wouldnt let me restore past 12/30 at around 12PM if i'm not mistaken. I tried this about two times so i'm pretty sure it won't work until these issues are resolved.
* According to the wiki definition I am using cracked software. In that case i will be deleting my Ad-Ware 2007 and the AVG 8.0. until you post a reply i'll remain off the internet so that i don't get flooded with additional problems.
* I dont use any of the P2P programs to download my music so I should be okay in that area.
* This computer belongs to me and I am the computer's administrator.
* I have not completed any fixes from HijackThis because I read that I wasn't supposed to do that.
I hereby promise I'll follow your directions here on out. HaHa. I just want this all gone! If there is anything else I need to do or questions you have, please let me know and I'd be more than willing.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself.
Press the OK button to close that box and continue.
If you encounter any problems while downloading the updates,
manually download them fromhere and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top.
It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully.
Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
Click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report along with a fresh HijackThis log into your next reply and exit MBAM.
Note:-- If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes.
Memory Processes Infected: (No malicious items detected)
Memory Modules Infected: C:\WINDOWS\system32\rbwwmu.dll (Trojan.Vundo) -> Delete on reboot.
Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f192d8a3-a695-44e5-aa41-c7affe491f7b} (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{f192d8a3-a695-44e5-aa41-c7affe491f7b} (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77544476-27f8-41d0-b518-6b53b51fef4e} (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{77544476-27f8-41d0-b518-6b53b51fef4e} (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f192d8a3-a695-44e5-aa41-c7affe491f7b} (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8ca5ed52-f3fb-4414-a105-2e3491156990} (Adware.BHO) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully.
Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\14e719f8 (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaviwigide (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.
Registry Data Items Infected: (No malicious items detected)
Folders Infected: (No malicious items detected)
Files Infected: C:\WINDOWS\system32\rbwwmu.dll (Trojan.Vundo.H) -> Delete on reboot. C:\Documents and Settings\Krystal Hope\Local Settings\Temporary Internet Files\Content.IE5\6SAD83NK\style[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
And this is the HijackThis Log after I ran MBAM:
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 9:54:55 PM, on 12/31/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16762) Boot mode: Normal
A small box will open, with an explanation about the tool.
Click Yes at the prompt for Optional Scan.
When done, DDS will open two (2) logs
1. DDS.txt 2. Attach.txt
Save both reports to your desktop.
Copy/paste both logs to your reply on the forum.
Close the program window, and delete the program from your desktop.
We will have more cleaning to do.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE
Let me know if you are still seeing any symptoms of infection.
Sophos is the one that i use currently. i uninstalled the AVG from control panal, i'm not sure why it's showing up. As far as I know the pop ups haven't showed up since i've performed the fixes you've suggested. hopefully this is a good sign.
The Logs are as follows:
DDS (Version 1.1.0) - NTFSx86 Run by Krystal Hope at 1:05:34.43 on Thu 01/01/2009 Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_07 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.429 [GMT -5:00]
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Version 1.0)
Microsoft Windows XP Professional Boot Device: \Device\HarddiskVolume2 Install Date: 1/26/2007 2:35:41 PM System Uptime: 12/31/2008 9:44:17 PM (4 hours ago)
Motherboard: Dell Inc. | | Processor: Intel(R) Core(TM)2 CPU T7200 @ 2.00GHz | Microprocessor | 1994/166mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 106 GiB total, 15.717 GiB free. D: is CDROM ()
==== Disabled Device Manager Items =============
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318} Description: 1394 Net Adapter Device ID: V1394\NIC1394\4D3161424FC000 Manufacturer: Microsoft Name: 1394 Net Adapter PNP Device ID: V1394\NIC1394\4D3161424FC000 Service: NIC1394
==== System Restore Points ===================
RP631: 12/29/2008 11:56:45 AM - System Checkpoint RP632: 12/29/2008 11:56:46 AM - System Checkpoint RP633: 12/29/2008 11:56:46 AM - System Checkpoint RP634: 12/29/2008 11:56:46 AM - System Checkpoint RP635: 12/29/2008 11:56:46 AM - System Checkpoint RP636: 12/29/2008 11:56:47 AM - System Checkpoint RP637: 12/29/2008 11:56:47 AM - System Checkpoint RP638: 12/29/2008 11:56:47 AM - System Checkpoint RP639: 12/29/2008 11:56:47 AM - System Checkpoint RP640: 12/29/2008 11:56:48 AM - System Checkpoint RP641: 12/29/2008 11:56:48 AM - System Checkpoint RP642: 12/29/2008 11:56:49 AM - System Checkpoint RP643: 12/29/2008 11:56:49 AM - Software Distribution Service 3.0 RP644: 12/29/2008 11:56:50 AM - System Checkpoint RP645: 12/29/2008 11:56:50 AM - System Checkpoint RP646: 12/29/2008 11:56:50 AM - System Checkpoint RP647: 12/29/2008 11:56:50 AM - System Checkpoint RP648: 12/29/2008 11:56:51 AM - System Checkpoint RP649: 12/29/2008 11:56:51 AM - System Checkpoint RP650: 12/29/2008 11:56:52 AM - System Checkpoint RP651: 12/29/2008 11:56:53 AM - Software Distribution Service 3.0 RP652: 12/29/2008 11:56:53 AM - System Checkpoint RP653: 12/29/2008 11:56:54 AM - System Checkpoint RP654: 12/29/2008 11:56:54 AM - System Checkpoint RP655: 12/29/2008 11:56:55 AM - System Checkpoint RP656: 12/29/2008 11:56:55 AM - System Checkpoint RP657: 12/29/2008 11:56:56 AM - System Checkpoint RP658: 12/29/2008 11:56:56 AM - System Checkpoint RP659: 12/29/2008 11:56:57 AM - System Checkpoint RP660: 12/29/2008 11:56:57 AM - System Checkpoint RP661: 12/29/2008 11:56:57 AM - System Checkpoint RP662: 12/29/2008 11:56:58 AM - System Checkpoint RP663: 12/29/2008 11:56:58 AM - System Checkpoint RP664: 12/29/2008 11:56:58 AM - System Checkpoint RP665: 12/29/2008 11:56:59 AM - System Checkpoint RP666: 12/29/2008 11:56:59 AM - System Checkpoint RP667: 12/29/2008 11:57:00 AM - System Checkpoint RP668: 12/29/2008 11:57:00 AM - System Checkpoint RP669: 12/29/2008 11:57:01 AM - System Checkpoint RP670: 12/29/2008 11:57:01 AM - Software Distribution Service 3.0 RP671: 12/29/2008 11:57:02 AM - Software Distribution Service 3.0 RP672: 12/29/2008 11:57:03 AM - System Checkpoint RP673: 12/29/2008 11:57:03 AM - System Checkpoint RP674: 12/29/2008 11:57:03 AM - System Checkpoint RP675: 12/29/2008 11:57:04 AM - System Checkpoint RP676: 12/29/2008 11:57:04 AM - System Checkpoint RP677: 12/29/2008 11:57:05 AM - System Checkpoint RP678: 12/29/2008 11:57:05 AM - System Checkpoint RP679: 12/29/2008 11:57:06 AM - System Checkpoint RP680: 12/29/2008 11:57:07 AM - System Checkpoint RP681: 12/29/2008 11:57:07 AM - System Checkpoint RP682: 12/29/2008 11:57:08 AM - System Checkpoint RP683: 12/29/2008 11:57:08 AM - System Checkpoint RP684: 12/29/2008 11:57:08 AM - Installed HP Product Assistant RP685: 12/29/2008 11:57:09 AM - System Checkpoint RP686: 12/29/2008 11:57:09 AM - System Checkpoint RP687: 12/29/2008 11:57:10 AM - System Checkpoint RP688: 12/29/2008 11:57:10 AM - System Checkpoint RP689: 12/29/2008 11:57:10 AM - System Checkpoint RP690: 12/29/2008 11:57:11 AM - System Checkpoint RP691: 12/29/2008 11:57:11 AM - System Checkpoint RP692: 12/29/2008 11:57:12 AM - System Checkpoint RP693: 12/29/2008 11:57:12 AM - Software Distribution Service 3.0 RP694: 12/29/2008 11:57:13 AM - System Checkpoint RP695: 12/29/2008 11:57:13 AM - System Checkpoint RP696: 12/29/2008 11:57:14 AM - System Checkpoint RP697: 12/29/2008 11:57:15 AM - System Checkpoint RP698: 12/29/2008 11:57:15 AM - System Checkpoint RP699: 12/29/2008 11:57:16 AM - System Checkpoint RP700: 12/29/2008 11:57:16 AM - System Checkpoint RP701: 12/29/2008 11:57:16 AM - Software Distribution Service 3.0 RP702: 12/29/2008 11:57:16 AM - System Checkpoint RP703: 12/29/2008 11:57:17 AM - Removed Google Earth. RP704: 12/29/2008 11:57:17 AM - Removed Comic Life RP705: 12/29/2008 11:57:18 AM - System Checkpoint RP706: 12/29/2008 11:57:18 AM - System Checkpoint RP707: 12/29/2008 11:57:18 AM - System Checkpoint RP708: 12/29/2008 11:57:19 AM - System Checkpoint RP709: 12/29/2008 11:57:19 AM - Installed BlackBerry Desktop Software 4.7. RP710: 12/29/2008 11:57:19 AM - Removed BlackBerry Desktop Software 4.7. RP711: 12/29/2008 11:57:20 AM - Installed BlackBerry Desktop Software 4.7. RP712: 12/29/2008 11:57:20 AM - Installed BlackBerry Desktop Software 4.7. RP713: 12/29/2008 11:57:20 AM - Removed BlackBerry Desktop Software 4.7. RP714: 12/29/2008 11:57:21 AM - System Checkpoint RP715: 12/29/2008 11:57:21 AM - System Checkpoint RP716: 12/29/2008 11:57:36 AM - Last known good configuration RP717: 12/30/2008 11:05:30 AM - Installed Java(TM) 6 Update 7 RP718: 12/30/2008 3:37:40 PM - Restore Operation RP719: 12/30/2008 4:03:03 PM - Restore Operation RP720: 12/30/2008 4:44:48 PM - Installed AVG 8.0 RP721: 12/30/2008 4:54:11 PM - Avg8 Update RP722: 12/30/2008 5:39:04 PM - Avg8 Update RP723: 12/31/2008 6:12:13 PM - System Checkpoint RP724: 12/31/2008 7:47:00 PM - Removed AVG 8.0 RP725: 12/31/2008 7:49:47 PM - Removed Ad-Aware 2007 RP726: 12/31/2008 7:50:48 PM - Installed AVG 8.0
==== Installed Programs ======================
Adobe Flash Player 10 ActiveX Adobe Flash Player Plugin Adobe Reader 8.1.1 Adobe Shockwave Player AIM 6 Andrea VoiceCenter AOLIcon Apple Mobile Device Support Apple Software Update ATI Catalyst Control Center ATI Display Driver AviSynth 2.5 Banctec Service Agreement BitPim 1.0.6 BlackBerry Desktop Software 4.7 BlackBerry® Media Sync Bonjour Broadcom Management Programs BufferChm CATPRO Client Security Agent Comcast High-Speed Internet Install Wizard Compatibility Pack for the 2007 Office system Conexant HDA D110 MDC V.92 Modem Corel Snapfire Plus Creative Audio Pack Creative MediaSource 5 CustomerResearchQFolder D1400 D1400_Help Dell Driver Reset Tool Dell Support 3.2.1 Dell Support Center (Support Software) Dell System Restore Dell Wireless WLAN Card DellConnect Desktop Doctor DeviceManagementQFolder Digimax Converter Digimax Master Digital Content Portal Digital Line Detect dj_sf_ProductContext dj_sf_software dj_sf_software_req Documentation & Support Launcher Drive Manager Drivers Install For Linksys Easylink Advisor EarthLink Setup Files eSupportQFolder FLV Player 1.3.3 Games, Music, & Photos Launcher GOM Player Google Toolbar for Internet Explorer Google Updater GoToAssist 8.0.0.514 High Definition Audio Driver Package - KB835221 HijackThis 2.0.2 Hotfix for Windows Internet Explorer 7 (KB947864) Hotfix for Windows Media Format 11 SDK (KB929399) Hotfix for Windows Media Player 11 (KB939683) Hotfix for Windows XP (KB914440) Hotfix for Windows XP (KB952287) HP Customer Participation Program 8.0 HP Deskjet 8.0 Software HP Imaging Device Functions 8.0 HP Photosmart Essential HP Product Assistant HP Solution Center 8.0 HP Update HPProductAssistant HPSSupply Internet Service Offers Launcher iTunes J2SE Runtime Environment 5.0 Update 6 J2SE Runtime Environment 5.0 Update 9 Java(TM) 6 Update 2 Java(TM) 6 Update 3 Java(TM) 6 Update 5 Java(TM) 6 Update 7 Java(TM) SE Runtime Environment 6 Update 1 Learn2 Player (Uninstall Only) LG USB Drivers LG USB Modem driver Linksys EasyLink Advisor 1.6 (0044) LiveUpdate 3.0 (Symantec Corporation) Malwarebytes' Anti-Malware MarketResearch MediaDirect Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Hotfix (KB928366) Microsoft .NET Framework 2.0 Microsoft Color Control Panel Applet for Windows XP Microsoft Compression Client Pack 1.0 for Windows XP Microsoft Internationalized Domain Names Mitigation APIs Microsoft National Language Support Downlevel APIs Microsoft Office Converter Pack Microsoft Office Outlook 2003 with Business Contact Manager Update Microsoft Office Small Business Edition 2003 Microsoft SQL Server Desktop Engine (MICROSOFTSMLBIZ) Microsoft User-Mode Driver Framework Feature Pack 1.0 Microsoft Visual C++ 2005 Redistributable Microsoft XML Parser MobileMe Control Panel Modem Helper Move Networks Media Player for Internet Explorer Mozilla Firefox (3.0.5) MSXML 4.0 SP2 (KB936181) MSXML 4.0 SP2 (KB954430) MSXML 6.0 Parser (KB933579) Netflix Movie Viewer NetWaiting NetZeroInstallers OPSWAT AntiVirus and Firewall Integration Libraries OutlookAddinSetup Portfolio Browser QuickSet QuickTime RealPlayer Roxio DLA Roxio MyDVD LE Roxio RecordNow Audio Roxio RecordNow Copy Roxio RecordNow Data Safari Samsung USB Driver SearchAssist Security Update for Step By Step Interactive Training (KB898458) Security Update for Step By Step Interactive Training (KB923723) Security Update for Windows Internet Explorer 7 (KB928090) Security Update for Windows Internet Explorer 7 (KB929969) Security Update for Windows Internet Explorer 7 (KB931768) Security Update for Windows Internet Explorer 7 (KB933566) Security Update for Windows Internet Explorer 7 (KB937143) Security Update for Windows Internet Explorer 7 (KB938127) Security Update for Windows Internet Explorer 7 (KB939653) Security Update for Windows Internet Explorer 7 (KB942615) Security Update for Windows Internet Explorer 7 (KB944533) Security Update for Windows Internet Explorer 7 (KB950759) Security Update for Windows Internet Explorer 7 (KB953838) Security Update for Windows Internet Explorer 7 (KB956390) Security Update for Windows Internet Explorer 7 (KB958215) Security Update for Windows Internet Explorer 7 (KB960714) Security Update for Windows Media Player (KB911564) Security Update for Windows Media Player (KB952069) Security Update for Windows Media Player 11 (KB936782) Security Update for Windows Media Player 11 (KB954154) Security Update for Windows Media Player 6.4 (KB925398) Security Update for Windows Media Player 9 (KB917734) Security Update for Windows XP (KB923689) Security Update for Windows XP (KB938464) Security Update for Windows XP (KB941569) Security Update for Windows XP (KB946648) Security Update for Windows XP (KB950760) Security Update for Windows XP (KB950762) Security Update for Windows XP (KB950974) Security Update for Windows XP (KB951066) Security Update for Windows XP (KB951376-v2) Security Update for Windows XP (KB951376) Security Update for Windows XP (KB951698) Security Update for Windows XP (KB951748) Security Update for Windows XP (KB952954) Security Update for Windows XP (KB953839) Security Update for Windows XP (KB954211) Security Update for Windows XP (KB954459) Security Update for Windows XP (KB954600) Security Update for Windows XP (KB955069) Security Update for Windows XP (KB956391) Security Update for Windows XP (KB956802) Security Update for Windows XP (KB956803) Security Update for Windows XP (KB956841) Security Update for Windows XP (KB957095) Security Update for Windows XP (KB957097) Security Update for Windows XP (KB958644) SolutionCenter Sonic Update Manager Sophos Anti-Virus Sophos AutoUpdate Sound Blaster ADVANCED MB Drivers Sound Blaster Audigy ADVANCED MB Sound Blaster Audigy ADVANCED MB Product Registration Spelling Dictionaries Support For Adobe Reader 8 Status Survey Machine - Cut 2 Symantec KB-DocID:2003093015493306 Synaptics Pointing Device Driver TBS WMP Plug-in The Sims™ 2 Deluxe The Weather Channel Desktop 6 TomTom HOME 2.5.1.36 Toolbox TrayApp UnloadSupport Update for Windows XP (KB951072-v2) Update for Windows XP (KB951978) Update for Windows XP (KB955839) URGE URL Assistant VC_MergeModuleToMSI WebFldrs XP WebReg WIDCOMM Bluetooth Software WildTangent Web Driver Windows Genuine Advantage Notifications (KB905474) Windows Genuine Advantage Validation Tool (KB892130) Windows Installer 3.1 (KB893803) Windows Installer Clean Up Windows Internet Explorer 7 Windows Media Format 11 runtime Windows Media Player 11 Windows XP Service Pack 3 WinRAR archiver Yahoo! Browser Services Yahoo! Install Manager Yahoo! Internet Mail Yahoo! Messenger
==== Event Viewer Messages From Past Week ========
12/26/2008 3:24:14 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: eeCtrl 12/26/2008 3:24:14 PM, error: Service Control Manager [7022] - The CATPRO Service service hung on starting. 12/26/2008 4:47:06 PM, error: WPDMTPDriver [15302] - MTP USB Driver has detected that the device has failed to communicate its status when processing operation 0x1005. 12/27/2008 1:20:58 PM, error: SAVOnAccessFilter [63] - Failed to obtain volume information from mount manager. 12/29/2008 12:30:02 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334} 12/29/2008 11:32:07 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect. 12/29/2008 11:32:07 PM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion. 12/29/2008 11:33:31 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the WMI Performance Adapter service to connect. 12/29/2008 11:33:31 PM, error: Service Control Manager [7000] - The WMI Performance Adapter service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion. 12/30/2008 3:31:29 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF} 12/30/2008 3:31:33 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning. 12/30/2008 3:31:33 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning. 12/30/2008 3:31:33 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning. 12/30/2008 3:31:33 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning. 12/30/2008 3:31:33 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning. 12/30/2008 3:31:33 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning. 12/30/2008 3:31:33 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD APPDRV eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SAVOnAccessControl SAVOnAccessFilter Tcpip 12/30/2008 3:31:56 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E} 12/31/2008 9:44:51 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 5:26:04 PM, on 1/1/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16762) Boot mode: Normal
Close all other windows and click "Fix Checked". Close Hijackthis.
Reboot into Safemode: Turn on the computer. Immediately begin tapping the F8 key. Use the arrow keys to highlight Safe Mode and press the Enter key.
Configure to show all files/folders: Go to Start>Search and at the top select Tools>Folder Options Select the View tab Display the contents of system folders Show hidden files and folders Uncheck: Hide protected operating system files Click on Apply. Next go to the side of the Search box and select All files and folders. Go down to More advanced options. Be sure the first three boxes are selected: Search System folders Search Hidden Files and folders Search SubFolders
Delete this file if it still exists:
C:\WINDOWS\system32\jodenosi.dll
Rehide files.
Start>Search and at the top select Tools>Folder Options Select the View tab Display the contents of system folders Show hidden files and folders Check: Hide protected operating system files Click on Apply.
Run Disk Cleanup in each user's profile: Click "Start > Programs > Accessories > System Tools > Disk Cleanup" Please make sure only the following are checked:
-- Downloaded Program Files
-- Temporary Internet Files
-- Recycle Bin
-- Temporary Files
Click "OK" and Disk Cleanup will delete those files for you.
Unzip the download. This will create a new Folder, JavaRa on your Desktop.
Double click this new Folder to open it, and double click the file within: JavaRa to execute the program.
Click the button: Remove Older Versions.
Agree to the cleanup operation by clicking Yes. After a moment, a notice will appear that a log file has been produced. Click OK. Close the Notepad view that opens.
Select Windows Offline Installation > SAVE it to your desktop, do not RUN it yet.
When the download is complete, close all browser windows and double-click on the saved file to install the update. Be patient: It may take five (5) minutes or more for the installation to complete.
If the installation gives you the option to install a toolbar UNCHECK the option if you don't want it .
Delete the downloaded installation file after completing the above procedure and reboot if not prompted to do so.
That should have you in good shape.
If everything is still running well....
To flush the XP System Restore Points: (Using XP, you must be logged in as Administrator to do this.)
Go to Start>Run and type msconfig Press enter.
When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings Link on the left.
Check the box labeled Turn Off System Restore.
Reboot. Go back in and turn System Restore ON. A new Restore Point will be created.
Here is my standard list of simple steps that you can take to reduce the chance of infection in the future.
If you have installed Malwarebytes' Anti-Malware as part of your cleaning procedures, keep it updated and use it to scan every so often for malware, or upgrade to the paid version for realtime scanning and auto updating.
The following suggestions are general prevention and are not customized for your computer. You may have already taken some of these steps, and depending on your current security, you may not need to implement all of these:
1. Visit Microsoft Update: Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS. Microsoft's widows Update: http://v4.windowsupdate.microsoft.com/en/default.asp
4. Do not use file sharing. Even the safest P2P file sharing programs that do not contain bundled spyware, still expose you to risks because of the very nature of the P2P file sharing process. By default, most P2P file sharing programs are configured to automatically launch at startup. They are also configured to allow other P2P users on the same network open access to a shared directory on your computer. The reason for this is simple. File sharing relies on its members giving and gaining unfettered access to computers across the P2P network. However, this practice can make you vulnerable to data and identity theft. Even if you change those risky default settings to a safer configuration, the act of downloading files from an anonymous source greatly increases your exposure to infection. That is because the files you are downloading may actually contain a disguised threat. Many very malicious worms and trojans, such as the Storm Worm, target and spread across P2P files sharing networks because of their known vulnerabilities.
6. If you have not already done so, you might want to install CCleaner and run it in each user's profile: http://www.ccleaner.com/ ** UNcheck the option to install the Yahoo toolbar that is checked by default for the Standard version, or download the toolbar-free versions (Slim or Basic) when given the option for those.
7. Practice Safe Surfing with with TrendProtect by Trend Micro. This is not compatible with Firefox 3.0 yet. TrendProtect is a browser plugin that assigns a safety rating to domains listed in your search engine. TrendProtect also adds a new button to your browser's toolbar area. The icon and color of the button changes to indicate whether the page currently open is safe, unsafe, trusted, or unrated, or whether it contains unwanted content. The following color codes are used by TrendProtect to indicate the safety of each site.
Red for Warning
Yellow for Use Caution
Green for Safe
Grey for Unknown
For Firefox, you can use Web Of Trust. It uses colored alerts to warn about risky websites that try to scam visitors, deliver malware, or send spam.
8. You might consider installing SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html It will: Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software. Block spyware/tracking cookies in Internet Explorer and Mozilla Firefox. Restrict the actions of potentially unwanted sites in Internet Explorer. Tutorial here:http://www.bleepingcomputer.com/forums/tutorial49.html Periodically check for updates
After I followed all your instructions i ran one more HijackThis. Have I removed everything? Does it look like i completed the instructions correctly? This is the log:
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 9:46:16 PM, on 1/1/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16762) Boot mode: Normal
Actually, i ran reactivated sophos and ran it once more to make sure that my system was clean. However, Adware/ PUA Killg OM Process Killer (of type hacking tool)detected shows up in the scan history.
* We may be using some specialized tools during our fix. Certain embedded files that are part of legitimate programs or specialized fix tools such as process.exe, restart.exe, SmiUpdate.exe, reboot.exe, ws2fix.exe, prcviewer.exe and nircmd.exe may at times be detected by some anti-virus/anti-malware scanners as a "RiskTool", "Hacking tool", "Potentially unwanted tool", or even "malware (virus/trojan)" when that is not the case. Such programs have legitimate uses in contexts where an authorized user or administrator has knowingly installed it. These detections do not necessarily mean the file is malware or a bad program. It means it has the potential for being misused by others. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them.
Bugbatter
3 Apprentice
•
20.5K Posts
0
December 31st, 2008 08:00
Welcome. Thank you for using Dell Community Forums.
I am reviewing your log. In the meantime, you can help me by addressing the following:
* Have you have posted this issue on another forum? If so, please provide a link to the topic.
* If you have disabled System Restore in an attempt to begin cleaning malware, please enable it now. We will flush System Restore when we are finished cleaning and we are sure that everything is running smoothly.
* If you are using any cracked software, please remove it. Definition of cracked software: http://en.wikipedia.org/wiki/Software_cracking
* If you are using any P2P (file sharing) programs, please remove them before we clean your computer. The nature of such software and the high incidence of malware in files downloaded with them is counter productive to restoring your PC to a healthy state. There is a list here: http://en.community.dell.com/forums/p/19241146/19367569.aspx#19367569
* If this computer belongs to someone else, do you have authority to apply the fixes we will use?
* Have you already fixed entries using HijackThis? If so, please restore all the backups and then post another log.
* After we begin working, please print or copy all instructions to Notepad in order to assist you when carrying out procedures. Please follow all instructions in sequence. Do not, on your own, install/re-install any programs or run any fixes or scanners that you have not been instructed to use because this may cause conflicts with the tools that I am using. Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.
* During the course of our cleanup please do not do any online work or surfing until we have verified that your system is clean.
* We may be using some specialized tools during our fix. Certain embedded files that are part of legitimate programs or specialized fix tools such as process.exe, restart.exe, SmiUpdate.exe, reboot.exe, ws2fix.exe, prcviewer.exe and nircmd.exe may at times be detected by some anti-virus/anti-malware scanners as a "RiskTool", "Hacking tool", "Potentially unwanted tool", or even "malware (virus/trojan)" when that is not the case. Such programs have legitimate uses in contexts where an authorized user or administrator has knowingly installed it. These detections do not necessarily mean the file is malware or a bad program. It means it has the potential for being misused by others. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them.
* If your replies do not fit in one post while we are handling your issue, please reply to yourself until all text is submitted. It may take several posts.
I look forward to your reply so we can begin cleaning.
Instructions posted for this user are customized for this user only. The tools used may cause damage if used on a computer with different infections. If you think you have similar problems, please post a HijackThis log at the top of this board to start a new forum topic.
hopeka06
8 Posts
0
December 31st, 2008 16:00
Hi,
Thank you sooo much for following up with my post so quickly. I really appreciate it. This thing has been driving me bonkers!
To answer your questions:
* No, I have not posted my issue in another forum.
* As far as i know i have not disabled my system restore. However, i did try to system restore since i recognized i had a virus and it wouldnt let me restore past 12/30 at around 12PM if i'm not mistaken. I tried this about two times so i'm pretty sure it won't work until these issues are resolved.
* According to the wiki definition I am using cracked software. In that case i will be deleting my Ad-Ware 2007 and the AVG 8.0. until you post a reply i'll remain off the internet so that i don't get flooded with additional problems.
* I dont use any of the P2P programs to download my music so I should be okay in that area.
* This computer belongs to me and I am the computer's administrator.
* I have not completed any fixes from HijackThis because I read that I wasn't supposed to do that.
I hereby promise I'll follow your directions here on out. HaHa. I just want this all gone! If there is anything else I need to do or questions you have, please let me know and I'd be more than willing.
Bugbatter
3 Apprentice
•
20.5K Posts
0
December 31st, 2008 17:00
alternate download link 1
alternate download link 2
MBAM will automatically start and you will be asked to update the program before performing a scan.
and just double-click on mbam-rules.exe to install.
Alternatively, you can update through MBAM's interface from a clean computer,
copy the definitions (rules.ref) located in
C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes'
Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
Back at the main Scanner screen:
Note:-- If MBAM encounters a file that is difficult to remove,
you may be asked to reboot your computer so it can proceed with the disinfection process.
Regardless if prompted to restart the computer or not, please do so immediately.
Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
-- MBAM may make changes to your registry as part of its disinfection routine.
If you're using other security programs that detect registry changes (like Spybot's Teatimer),
they may interfere with the fix or alert you after scanning with MBAM.
Please disable such programs until disinfection is complete or permit them to allow the changes.
hopeka06
8 Posts
0
December 31st, 2008 18:00
BTW thank you for all your fast replies. I really appreciate your time!
hopeka06
8 Posts
0
December 31st, 2008 18:00
Hi Again BugBatter,
The MBAM installation went well. I did have to reboot. This is the log that it produced:
Malwarebytes' Anti-Malware 1.31
Database version: 1587
Windows 5.1.2600 Service Pack 3
12/31/2008 9:42:18 PM
mbam-log-2008-12-31 (21-42-18).txt
Scan type: Quick Scan
Objects scanned: 76322
Time elapsed: 12 minute(s), 59 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 16
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\rbwwmu.dll (Trojan.Vundo) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f192d8a3-a695-44e5-aa41-c7affe491f7b} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f192d8a3-a695-44e5-aa41-c7affe491f7b} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77544476-27f8-41d0-b518-6b53b51fef4e} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{77544476-27f8-41d0-b518-6b53b51fef4e} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f192d8a3-a695-44e5-aa41-c7affe491f7b} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8ca5ed52-f3fb-4414-a105-2e3491156990} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\14e719f8 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaviwigide (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\rbwwmu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\Krystal Hope\Local Settings\Temporary Internet Files\Content.IE5\6SAD83NK\style[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
And this is the HijackThis Log after I ran MBAM:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:54:55 PM, on 12/31/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Bradford Networks\Client Security Agent\bndaemon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\cp\catserv.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\cp\cattray.exe
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Bradford Networks\Client Security Agent\bncsaui.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\DOCUME~1\KRYSTA~1\LOCALS~1\Temp\clclean.0001
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource5\CTDetctu.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\PROGRA~1\THEWEA~1\Desktop\DesktopWeather.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Krystal Hope\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2070121
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2070121
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: (no name) - {C5357968-DBA5-4FD0-BFBB-D23929C29028} - C:\WINDOWS\system32\ssqPHbAQ.dll (file missing)
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [CATTRAY] C:\Program Files\cp\cattray.exe
O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [bncsaui.exe] %ProgramFiles%\Bradford Networks\Client Security Agent\bncsaui.exe
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector U] "C:\Program Files\Creative\MediaSource5\CTDetctu.exe" /R
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [DW6] "C:\PROGRA~1\THEWEA~1\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://firepass.juniata.edu
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} (F5 Networks VPN Manager) - https://firepass.juniata.edu/vdesk/terminal/urxvpn.cab#version=6030,2008,904,1951
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} (F5 Networks Dynamic Application Tunnel Control) - https://firepass.juniata.edu/vdesk/terminal/f5tunsrv.cab#version=6030,2008,904,1947
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://firepass.juniata.edu/vdesk/terminal/InstallerControl.cab#version=6020,2008,0821,2213
O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) - https://firepass.juniata.edu/vdesk/terminal/f5InspectionHost.cab#version=6030,2008,0904,1939
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks Static Application Tunnel Control) - https://firepass.juniata.edu/vdesk/terminal/urTermProxy.cab#version=6020,2008,0821,2202
O16 - DPF: {7584c670-2274-4efb-b00b-d6aaba6d3850} (Microsoft RDP Client Control (redist)) - https://firepass.juniata.edu/vdesk/terminal/msrdp.cab#version=5,2,3790,0
O16 - DPF: {C190FF32-96D0-445F-9F60-5CF288FD3D0F} (ActiveFormX Control) - http://www.google.com/CAT/CNICAT.cab
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0) - https://kronos.juniata.edu/WFC/plugins/jre-1_5_0_09-windows-i586-p.exe
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://firepass.juniata.edu/vdesk/terminal/urxshost.cab#version=6030,2008,904,1945
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://firepass.juniata.edu/vdesk/terminal/urxhost.cab#version=6030,2008,904,1940
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL,rbwwmu.dll,C:\WINDOWS\system32\jodenosi.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O20 - Winlogon Notify: hgGxWqqo - hgGxWqqo.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: Client Security Agent Service (BNPagent) - Bradford Networks - C:\Program Files\Bradford Networks\Client Security Agent\bndaemon.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CATPRO Service (catservice) - AllSecure Networks - C:\Program Files\cp\catserv.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 17504 bytes
Bugbatter
3 Apprentice
•
20.5K Posts
0
December 31st, 2008 19:00
I see AVG and Sophos on there. Which one are you using for your anti-virus?
We need to see some additional information about what is happening in your machine.
1. DDS.txt
2. Attach.txt
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE
Let me know if you are still seeing any symptoms of infection.
hopeka06
8 Posts
0
December 31st, 2008 22:00
Sophos is the one that i use currently. i uninstalled the AVG from control panal, i'm not sure why it's showing up. As far as I know the pop ups haven't showed up since i've performed the fixes you've suggested. hopefully this is a good sign.
The Logs are as follows:
DDS (Version 1.1.0) - NTFSx86
Run by Krystal Hope at 1:05:34.43 on Thu 01/01/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.429 [GMT -5:00]
AV: Sophos Anti-Virus *On-access scanning disabled* (Updated)
FW: Norton Internet Worm Protection *disabled*
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Bradford Networks\Client Security Agent\bndaemon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\cp\catserv.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\cp\cattray.exe
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Bradford Networks\Client Security Agent\bncsaui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\DOCUME~1\KRYSTA~1\LOCALS~1\Temp\clclean.0001
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource5\CTDetctu.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\PROGRA~1\THEWEA~1\Desktop\DesktopWeather.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Krystal Hope\Desktop\dds.com
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.comcast.net/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2070121
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uWindow Title = Windows Internet Explorer provided by Comcast
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: {c5357968-dba5-4fd0-bfbb-d23929c29028} - c:\windows\system32\ssqPHbAQ.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {BC4FFE41-DE9F-46FA-B455-AAD49B9F9938} - No File
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
TB: {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Aim6]
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Creative Detector U] "c:\program files\creative\mediasource5\CTDetctu.exe" /R
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\HOMERunner.exe"
uRun: [DW6] "c:\progra~1\thewea~1\desktop\DesktopWeather.exe"
uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [VoiceCenter] "c:\program files\creative\voicecenter\AndreaVC.exe" /tray
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Dell QuickSet] c:\program files\dell\quickset\Quickset.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [MBMon] Rundll32 CTMBHA.DLL,MBMon
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AAWTray] c:\program files\lavasoft\ad-aware 2007\AAWTray.exe
mRun: [CATTRAY] c:\program files\cp\cattray.exe
mRun: [basicsmssmenu] "c:\program files\seagate\basics\basics status\MaxMenuMgrBasics.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [DLCCCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCCtime.dll,_RunDLLEntry@16
mRun: [bncsaui.exe] %ProgramFiles%\Bradford Networks\Client Security Agent\bncsaui.exe
mRun: [ddoctorv2] "c:\program files\comcast\desktop doctor\bin\sprtcmd.exe" /P ddoctorv2
mRun: [ ]
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: juniata.edu\firepass
Notify: AtiExtEvent - Ati2evxx.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: hgGxWqqo - hgGxWqqo.dll
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll,c:\progra~1\sophos\sophos~1\sophos~1.dll,rbwwmu.dll,c:\windows\system32\jodenosi.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\ssqPHbAQ
LSA: Notification Packages = scecli c:\windows\system32\jodenosi.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\krysta~1\applic~1\mozilla\firefox\profiles\3f1ko20u.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=
FF - plugin: c:\documents and settings\krystal hope\application data\mozilla\firefox\profiles\3f1ko20u.default\extensions\{dbbb3167-6e81-400f-bbfd-bd8921726f52}\plugins\NPuroamHost.dll
FF - plugin: c:\documents and settings\krystal hope\application data\mozilla\firefox\profiles\3f1ko20u.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_ZangoSA.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPuroamHost.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint_.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\yahoo!\shared\npYState.dll
ATTENTION: FIREFOX POLICES IS IN FORCE
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("general.useragent.vendorComment", "ax");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("security.xpconnect.activex.global.hosting_flags", 9);
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("security.classID.allowByDefault", false);
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID22D6F312-B0F6-11D0-94AB-0080C74C7E95", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6BF52A52-394A-11D3-B153-00C04F79FAA6", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDA9FC132B-096D-460B-B7D5-1DB0FAE0C062", "AllAccess");
============= SERVICES / DRIVERS ===============
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2007-5-5 104704]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2007-5-5 35584]
R2 BNPagent;Client Security Agent Service;"c:\program files\bradford networks\client security agent\bndaemon.exe" [2008-2-23 2645384]
R2 catservice;CATPRO Service;c:\program files\cp\catserv.exe /startedbyscm:58859EE1-40E2E001-catservice [2007-8-8 4236464]
R2 SAVAdminService;Sophos Anti-Virus status reporter;"c:\program files\sophos\sophos anti-virus\SAVAdminService.exe" [2008-9-22 69632]
R2 SAVService;Sophos Anti-Virus;"c:\program files\sophos\sophos anti-virus\SavService.exe" [2008-8-21 98304]
R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;"c:\program files\sophos\autoupdate\ALsvc.exe" [2008-4-4 172032]
R2 Symantec Core LC;Symantec Core LC;"c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe" [2007-1-22 1174152]
R3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\drivers\covpndrv.sys [2008-9-4 33400]
S3 f5ipfw;F5 Networks StoneWall Filter;\??\c:\windows\system32\drivers\urfltw2k.sys [2008-11-10 10744]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2008-9-30 14976]
=============== Created Last 30 ================
2008-12-31 21:10
2008-12-31 21:09 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-31 21:09 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-31 21:09
2008-12-31 21:09
2008-12-31 00:36
2008-12-30 16:44
2008-12-30 16:44
2008-12-29 12:05 1,307,934 a--sh--- c:\windows\system32\sfjdqyck.ini
2008-12-29 11:56 697,624 a--sh--- c:\windows\system32\QAbHPqss.ini2
2008-12-26 19:10
2008-12-26 16:43 256 a------- c:\windows\system32\pool.bin
2008-12-26 16:43
2008-12-26 15:31
2008-12-26 15:31
2008-12-26 13:41 26,496 a----r-- c:\windows\system32\drivers\RimSerial.sys
==================== Find3M ====================
2008-12-31 00:09 61,224 ac------ c:\documents and settings\krystal hope\GoToAssistDownloadHelper.exe
2008-12-13 01:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-10-24 06:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 07:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 08:11 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 08:11 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 02:06 633,632 -------- c:\windows\system32\dllcache\iexplore.exe
2008-10-15 02:04 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-10-03 05:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-10-03 05:02 247,326 -------- c:\windows\system32\dllcache\strmdll.dll
2008-06-10 13:11 4 -c-shr-- c:\docume~1\alluse~1\applic~1\sysqcl1129139270.dat
2007-12-20 15:25 439,296 ac------ c:\documents and settings\krystal hope\GoToAssist_phone__317_en.exe
2007-03-22 08:56 15,505,200 ac------ c:\program files\IE7-WindowsXP-x86-enu.exe
2008-01-21 01:17 88 ---shr-- c:\windows\system32\95DEC400DE.sys
2007-03-23 10:13 88 -c-shr-- c:\windows\system32\DFC596F97C.sys
2008-01-21 01:17 2,828 ac-sh--- c:\windows\system32\KGyGaAvL.sys
2008-08-14 22:31 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081420080815\index.dat
============= FINISH: 1:06:12.59 ===============
AND:
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Version 1.0)
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 1/26/2007 2:35:41 PM
System Uptime: 12/31/2008 9:44:17 PM (4 hours ago)
Motherboard: Dell Inc. | |
Processor: Intel(R) Core(TM)2 CPU T7200 @ 2.00GHz | Microprocessor | 1994/166mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 106 GiB total, 15.717 GiB free.
D: is CDROM ()
==== Disabled Device Manager Items =============
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\4D3161424FC000
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\4D3161424FC000
Service: NIC1394
==== System Restore Points ===================
RP631: 12/29/2008 11:56:45 AM - System Checkpoint
RP632: 12/29/2008 11:56:46 AM - System Checkpoint
RP633: 12/29/2008 11:56:46 AM - System Checkpoint
RP634: 12/29/2008 11:56:46 AM - System Checkpoint
RP635: 12/29/2008 11:56:46 AM - System Checkpoint
RP636: 12/29/2008 11:56:47 AM - System Checkpoint
RP637: 12/29/2008 11:56:47 AM - System Checkpoint
RP638: 12/29/2008 11:56:47 AM - System Checkpoint
RP639: 12/29/2008 11:56:47 AM - System Checkpoint
RP640: 12/29/2008 11:56:48 AM - System Checkpoint
RP641: 12/29/2008 11:56:48 AM - System Checkpoint
RP642: 12/29/2008 11:56:49 AM - System Checkpoint
RP643: 12/29/2008 11:56:49 AM - Software Distribution Service 3.0
RP644: 12/29/2008 11:56:50 AM - System Checkpoint
RP645: 12/29/2008 11:56:50 AM - System Checkpoint
RP646: 12/29/2008 11:56:50 AM - System Checkpoint
RP647: 12/29/2008 11:56:50 AM - System Checkpoint
RP648: 12/29/2008 11:56:51 AM - System Checkpoint
RP649: 12/29/2008 11:56:51 AM - System Checkpoint
RP650: 12/29/2008 11:56:52 AM - System Checkpoint
RP651: 12/29/2008 11:56:53 AM - Software Distribution Service 3.0
RP652: 12/29/2008 11:56:53 AM - System Checkpoint
RP653: 12/29/2008 11:56:54 AM - System Checkpoint
RP654: 12/29/2008 11:56:54 AM - System Checkpoint
RP655: 12/29/2008 11:56:55 AM - System Checkpoint
RP656: 12/29/2008 11:56:55 AM - System Checkpoint
RP657: 12/29/2008 11:56:56 AM - System Checkpoint
RP658: 12/29/2008 11:56:56 AM - System Checkpoint
RP659: 12/29/2008 11:56:57 AM - System Checkpoint
RP660: 12/29/2008 11:56:57 AM - System Checkpoint
RP661: 12/29/2008 11:56:57 AM - System Checkpoint
RP662: 12/29/2008 11:56:58 AM - System Checkpoint
RP663: 12/29/2008 11:56:58 AM - System Checkpoint
RP664: 12/29/2008 11:56:58 AM - System Checkpoint
RP665: 12/29/2008 11:56:59 AM - System Checkpoint
RP666: 12/29/2008 11:56:59 AM - System Checkpoint
RP667: 12/29/2008 11:57:00 AM - System Checkpoint
RP668: 12/29/2008 11:57:00 AM - System Checkpoint
RP669: 12/29/2008 11:57:01 AM - System Checkpoint
RP670: 12/29/2008 11:57:01 AM - Software Distribution Service 3.0
RP671: 12/29/2008 11:57:02 AM - Software Distribution Service 3.0
RP672: 12/29/2008 11:57:03 AM - System Checkpoint
RP673: 12/29/2008 11:57:03 AM - System Checkpoint
RP674: 12/29/2008 11:57:03 AM - System Checkpoint
RP675: 12/29/2008 11:57:04 AM - System Checkpoint
RP676: 12/29/2008 11:57:04 AM - System Checkpoint
RP677: 12/29/2008 11:57:05 AM - System Checkpoint
RP678: 12/29/2008 11:57:05 AM - System Checkpoint
RP679: 12/29/2008 11:57:06 AM - System Checkpoint
RP680: 12/29/2008 11:57:07 AM - System Checkpoint
RP681: 12/29/2008 11:57:07 AM - System Checkpoint
RP682: 12/29/2008 11:57:08 AM - System Checkpoint
RP683: 12/29/2008 11:57:08 AM - System Checkpoint
RP684: 12/29/2008 11:57:08 AM - Installed HP Product Assistant
RP685: 12/29/2008 11:57:09 AM - System Checkpoint
RP686: 12/29/2008 11:57:09 AM - System Checkpoint
RP687: 12/29/2008 11:57:10 AM - System Checkpoint
RP688: 12/29/2008 11:57:10 AM - System Checkpoint
RP689: 12/29/2008 11:57:10 AM - System Checkpoint
RP690: 12/29/2008 11:57:11 AM - System Checkpoint
RP691: 12/29/2008 11:57:11 AM - System Checkpoint
RP692: 12/29/2008 11:57:12 AM - System Checkpoint
RP693: 12/29/2008 11:57:12 AM - Software Distribution Service 3.0
RP694: 12/29/2008 11:57:13 AM - System Checkpoint
RP695: 12/29/2008 11:57:13 AM - System Checkpoint
RP696: 12/29/2008 11:57:14 AM - System Checkpoint
RP697: 12/29/2008 11:57:15 AM - System Checkpoint
RP698: 12/29/2008 11:57:15 AM - System Checkpoint
RP699: 12/29/2008 11:57:16 AM - System Checkpoint
RP700: 12/29/2008 11:57:16 AM - System Checkpoint
RP701: 12/29/2008 11:57:16 AM - Software Distribution Service 3.0
RP702: 12/29/2008 11:57:16 AM - System Checkpoint
RP703: 12/29/2008 11:57:17 AM - Removed Google Earth.
RP704: 12/29/2008 11:57:17 AM - Removed Comic Life
RP705: 12/29/2008 11:57:18 AM - System Checkpoint
RP706: 12/29/2008 11:57:18 AM - System Checkpoint
RP707: 12/29/2008 11:57:18 AM - System Checkpoint
RP708: 12/29/2008 11:57:19 AM - System Checkpoint
RP709: 12/29/2008 11:57:19 AM - Installed BlackBerry Desktop Software 4.7.
RP710: 12/29/2008 11:57:19 AM - Removed BlackBerry Desktop Software 4.7.
RP711: 12/29/2008 11:57:20 AM - Installed BlackBerry Desktop Software 4.7.
RP712: 12/29/2008 11:57:20 AM - Installed BlackBerry Desktop Software 4.7.
RP713: 12/29/2008 11:57:20 AM - Removed BlackBerry Desktop Software 4.7.
RP714: 12/29/2008 11:57:21 AM - System Checkpoint
RP715: 12/29/2008 11:57:21 AM - System Checkpoint
RP716: 12/29/2008 11:57:36 AM - Last known good configuration
RP717: 12/30/2008 11:05:30 AM - Installed Java(TM) 6 Update 7
RP718: 12/30/2008 3:37:40 PM - Restore Operation
RP719: 12/30/2008 4:03:03 PM - Restore Operation
RP720: 12/30/2008 4:44:48 PM - Installed AVG 8.0
RP721: 12/30/2008 4:54:11 PM - Avg8 Update
RP722: 12/30/2008 5:39:04 PM - Avg8 Update
RP723: 12/31/2008 6:12:13 PM - System Checkpoint
RP724: 12/31/2008 7:47:00 PM - Removed AVG 8.0
RP725: 12/31/2008 7:49:47 PM - Removed Ad-Aware 2007
RP726: 12/31/2008 7:50:48 PM - Installed AVG 8.0
==== Installed Programs ======================
Adobe Flash Player 10 ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.1
Adobe Shockwave Player
AIM 6
Andrea VoiceCenter
AOLIcon
Apple Mobile Device Support
Apple Software Update
ATI Catalyst Control Center
ATI Display Driver
AviSynth 2.5
Banctec Service Agreement
BitPim 1.0.6
BlackBerry Desktop Software 4.7
BlackBerry® Media Sync
Bonjour
Broadcom Management Programs
BufferChm
CATPRO
Client Security Agent
Comcast High-Speed Internet Install Wizard
Compatibility Pack for the 2007 Office system
Conexant HDA D110 MDC V.92 Modem
Corel Snapfire Plus
Creative Audio Pack
Creative MediaSource 5
CustomerResearchQFolder
D1400
D1400_Help
Dell Driver Reset Tool
Dell Support 3.2.1
Dell Support Center (Support Software)
Dell System Restore
Dell Wireless WLAN Card
DellConnect
Desktop Doctor
DeviceManagementQFolder
Digimax Converter
Digimax Master
Digital Content Portal
Digital Line Detect
dj_sf_ProductContext
dj_sf_software
dj_sf_software_req
Documentation & Support Launcher
Drive Manager
Drivers Install For Linksys Easylink Advisor
EarthLink Setup Files
eSupportQFolder
FLV Player 1.3.3
Games, Music, & Photos Launcher
GOM Player
Google Toolbar for Internet Explorer
Google Updater
GoToAssist 8.0.0.514
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB952287)
HP Customer Participation Program 8.0
HP Deskjet 8.0 Software
HP Imaging Device Functions 8.0
HP Photosmart Essential
HP Product Assistant
HP Solution Center 8.0
HP Update
HPProductAssistant
HPSSupply
Internet Service Offers Launcher
iTunes
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
Learn2 Player (Uninstall Only)
LG USB Drivers
LG USB Modem driver
Linksys EasyLink Advisor 1.6 (0044)
LiveUpdate 3.0 (Symantec Corporation)
Malwarebytes' Anti-Malware
MarketResearch
MediaDirect
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Color Control Panel Applet for Windows XP
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Converter Pack
Microsoft Office Outlook 2003 with Business Contact Manager Update
Microsoft Office Small Business Edition 2003
Microsoft SQL Server Desktop Engine (MICROSOFTSMLBIZ)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft XML Parser
MobileMe Control Panel
Modem Helper
Move Networks Media Player for Internet Explorer
Mozilla Firefox (3.0.5)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
Netflix Movie Viewer
NetWaiting
NetZeroInstallers
OPSWAT AntiVirus and Firewall Integration Libraries
OutlookAddinSetup
Portfolio Browser
QuickSet
QuickTime
RealPlayer
Roxio DLA
Roxio MyDVD LE
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
Safari
Samsung USB Driver
SearchAssist
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
SolutionCenter
Sonic Update Manager
Sophos Anti-Virus
Sophos AutoUpdate
Sound Blaster ADVANCED MB Drivers
Sound Blaster Audigy ADVANCED MB
Sound Blaster Audigy ADVANCED MB Product Registration
Spelling Dictionaries Support For Adobe Reader 8
Status
Survey Machine - Cut 2
Symantec KB-DocID:2003093015493306
Synaptics Pointing Device Driver
TBS WMP Plug-in
The Sims™ 2 Deluxe
The Weather Channel Desktop 6
TomTom HOME 2.5.1.36
Toolbox
TrayApp
UnloadSupport
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
URGE
URL Assistant
VC_MergeModuleToMSI
WebFldrs XP
WebReg
WIDCOMM Bluetooth Software
WildTangent Web Driver
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Installer Clean Up
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
==== Event Viewer Messages From Past Week ========
12/26/2008 3:24:14 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: eeCtrl
12/26/2008 3:24:14 PM, error: Service Control Manager [7022] - The CATPRO Service service hung on starting.
12/26/2008 4:47:06 PM, error: WPDMTPDriver [15302] - MTP USB Driver has detected that the device has failed to communicate its status when processing operation 0x1005.
12/27/2008 1:20:58 PM, error: SAVOnAccessFilter [63] - Failed to obtain volume information from mount manager.
12/29/2008 12:30:02 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
12/29/2008 11:32:07 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
12/29/2008 11:32:07 PM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
12/29/2008 11:33:31 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the WMI Performance Adapter service to connect.
12/29/2008 11:33:31 PM, error: Service Control Manager [7000] - The WMI Performance Adapter service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
12/30/2008 3:31:29 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
12/30/2008 3:31:33 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
12/30/2008 3:31:33 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/30/2008 3:31:33 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
12/30/2008 3:31:33 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/30/2008 3:31:33 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/30/2008 3:31:33 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/30/2008 3:31:33 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD APPDRV eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SAVOnAccessControl SAVOnAccessFilter Tcpip
12/30/2008 3:31:56 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
12/31/2008 9:44:51 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
==== End Of File ===========================
Bugbatter
3 Apprentice
•
20.5K Posts
0
January 1st, 2009 10:00
If the popups have not shown up, we won't dig deeper. Please post a fresh Hijackthis log so we can fix any remnants and address any vulnerabilities.
hopeka06
8 Posts
0
January 1st, 2009 14:00
Hi again. Happy New Year!
Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:26:04 PM, on 1/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Bradford Networks\Client Security Agent\bndaemon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\cp\catserv.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Bradford Networks\Client Security Agent\bncsaui.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\DOCUME~1\KRYSTA~1\LOCALS~1\Temp\clclean.0001
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource5\CTDetctu.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\PROGRA~1\THEWEA~1\Desktop\DesktopWeather.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\cp\cattray.exe
C:\WINDOWS\system32\wscript.exe
C:\Documents and Settings\Krystal Hope\Desktop\virus fixes\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2070121
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2070121
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: (no name) - {C5357968-DBA5-4FD0-BFBB-D23929C29028} - C:\WINDOWS\system32\ssqPHbAQ.dll (file missing)
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [CATTRAY] C:\Program Files\cp\cattray.exe
O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [bncsaui.exe] %ProgramFiles%\Bradford Networks\Client Security Agent\bncsaui.exe
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector U] "C:\Program Files\Creative\MediaSource5\CTDetctu.exe" /R
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [DW6] "C:\PROGRA~1\THEWEA~1\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://firepass.juniata.edu
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} (F5 Networks VPN Manager) - https://firepass.juniata.edu/vdesk/terminal/urxvpn.cab#version=6030,2008,904,1951
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} (F5 Networks Dynamic Application Tunnel Control) - https://firepass.juniata.edu/vdesk/terminal/f5tunsrv.cab#version=6030,2008,904,1947
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://firepass.juniata.edu/vdesk/terminal/InstallerControl.cab#version=6020,2008,0821,2213
O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) - https://firepass.juniata.edu/vdesk/terminal/f5InspectionHost.cab#version=6030,2008,0904,1939
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks Static Application Tunnel Control) - https://firepass.juniata.edu/vdesk/terminal/urTermProxy.cab#version=6020,2008,0821,2202
O16 - DPF: {7584c670-2274-4efb-b00b-d6aaba6d3850} (Microsoft RDP Client Control (redist)) - https://firepass.juniata.edu/vdesk/terminal/msrdp.cab#version=5,2,3790,0
O16 - DPF: {C190FF32-96D0-445F-9F60-5CF288FD3D0F} (ActiveFormX Control) - http://www.google.com/CAT/CNICAT.cab
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0) - https://kronos.juniata.edu/WFC/plugins/jre-1_5_0_09-windows-i586-p.exe
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://firepass.juniata.edu/vdesk/terminal/urxshost.cab#version=6030,2008,904,1945
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://firepass.juniata.edu/vdesk/terminal/urxhost.cab#version=6030,2008,904,1940
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL,rbwwmu.dll,C:\WINDOWS\system32\jodenosi.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O20 - Winlogon Notify: hgGxWqqo - hgGxWqqo.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: Client Security Agent Service (BNPagent) - Bradford Networks - C:\Program Files\Bradford Networks\Client Security Agent\bndaemon.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CATPRO Service (catservice) - AllSecure Networks - C:\Program Files\cp\catserv.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 17901 bytes
Bugbatter
3 Apprentice
•
20.5K Posts
0
January 1st, 2009 16:00
Please launch HijackThis and place a checkmark next to the following:
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {C5357968-DBA5-4FD0-BFBB-D23929C29028} - C:\WINDOWS\system32\ssqPHbAQ.dll (file missing)
O20 - Winlogon Notify: hgGxWqqo - hgGxWqqo.dll (file missing)
This one is optional and open to debate, so it is your choice to fix or not:
Info HERE
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
Close all other windows and click "Fix Checked". Close Hijackthis.
Reboot into Safemode:
Turn on the computer.
Immediately begin tapping the F8 key.
Use the arrow keys to highlight Safe Mode and press the Enter key.
Configure to show all files/folders:
Go to Start>Search and at the top select Tools>Folder Options
Select the View tab
Display the contents of system folders
Show hidden files and folders
Uncheck: Hide protected operating system files
Click on Apply.
Next go to the side of the Search box and select All files and folders. Go down to More advanced options.
Be sure the first three boxes are selected:
Search System folders
Search Hidden Files and folders
Search SubFolders
Delete this file if it still exists:
C:\WINDOWS\system32\jodenosi.dll
Rehide files.
Start>Search and at the top select Tools>Folder Options
Select the View tab
Display the contents of system folders
Show hidden files and folders
Check: Hide protected operating system files
Click on Apply.
Run Disk Cleanup in each user's profile: Click "Start > Programs > Accessories > System Tools > Disk Cleanup" Please make sure only the following are checked:
-- Downloaded Program Files
-- Temporary Internet Files
-- Recycle Bin
-- Temporary Files
Click "OK" and Disk Cleanup will delete those files for you.
REBOOT.
Download -- to your Desktop -- JavaRa.Zip from either of these two sites:
http://prm753.bchea.org/click/click.php?id=9
http://www.majorgeeks.com/JavaRa_d5967.html
Remove Startup Entry
Remove JavaRa Logfile
That should have you in good shape.
If everything is still running well....
To flush the XP System Restore Points: (Using XP, you must be logged in as Administrator to do this.)
Go to Start>Run and type msconfig Press enter.
When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings Link on the left.
Check the box labeled Turn Off System Restore.
Reboot. Go back in and turn System Restore ON. A new Restore Point will be created.
Here is my standard list of simple steps that you can take to reduce the chance of infection in the future.
If you have installed Malwarebytes' Anti-Malware as part of your cleaning procedures, keep it updated and use it to scan every so often for malware, or upgrade to the paid version for realtime scanning and auto updating.
The following suggestions are general prevention and are not customized for your computer. You may have already taken some of these steps, and depending on your current security, you may not need to implement all of these:
1. Visit Microsoft Update: Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS. Microsoft's widows Update: http://v4.windowsupdate.microsoft.com/en/default.asp
2. Please use a firewall and realtime anti-virus. Keep the anti-virus software and firewall software up to date. Note: Zone Alarm Firewall (by Checkpoint) has a free version http://www.zonelabs.com/store/content/company/products/trial_zaFamily/trial_zaFamily.jsp?lid=home_freedownloads
3.You might consider installing Mozilla / Firefox.
http://www.mozilla.com/en-US/
4. Do not use file sharing. Even the safest P2P file sharing programs that do not contain bundled spyware, still expose you to risks because of the very nature of the P2P file sharing process. By default, most P2P file sharing programs are configured to automatically launch at startup. They are also configured to allow other P2P users on the same network open access to a shared directory on your computer. The reason for this is simple. File sharing relies on its members giving and gaining unfettered access to computers across the P2P network. However, this practice can make you vulnerable to data and identity theft. Even if you change those risky default settings to a safer configuration, the act of downloading files from an anonymous source greatly increases your exposure to infection. That is because the files you are downloading may actually contain a disguised threat. Many very malicious worms and trojans, such as the Storm Worm, target and spread across P2P files sharing networks because of their known vulnerabilities.
5. Before using or purchasing any Spyware/Malware protection/removal program, always check the following Rogue/Suspect Spyware Lists. http://www.spywarewarrior.com/rogue_anti-spyware.htm http://www.malwarebytes.org/database.php
6. If you have not already done so, you might want to install CCleaner and run it in each user's profile: http://www.ccleaner.com/ ** UNcheck the option to install the Yahoo toolbar that is checked by default for the Standard version, or download the toolbar-free versions (Slim or Basic) when given the option for those.
7. Practice Safe Surfing with with TrendProtect by Trend Micro. This is not compatible with Firefox 3.0 yet. TrendProtect is a browser plugin that assigns a safety rating to domains listed in your search engine. TrendProtect also adds a new button to your browser's toolbar area. The icon and color of the button changes to indicate whether the page currently open is safe, unsafe, trusted, or unrated, or whether it contains unwanted content. The following color codes are used by TrendProtect to indicate the safety of each site.
For Firefox, you can use Web Of Trust. It uses colored alerts to warn about risky websites that try to scam visitors, deliver malware, or send spam.
8. You might consider installing SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
It will:
Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
Block spyware/tracking cookies in Internet Explorer and Mozilla Firefox.
Restrict the actions of potentially unwanted sites in Internet Explorer.
Tutorial here:http://www.bleepingcomputer.com/forums/tutorial49.html
Periodically check for updates
9. Here are some helpful articles:
"How did I get infected?"
http://www.bleepingcomputer.com/forums/topic2520.html
"I'm not pulling your leg, honest"
by Sandi Hardmeier
http://www.microsoft.com/windows/IE/community/columns/pulling.mspx
hopeka06
8 Posts
0
January 1st, 2009 18:00
Hi,
Thank you again for your help.
After I followed all your instructions i ran one more HijackThis. Have I removed everything? Does it look like i completed the instructions correctly? This is the log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:46:16 PM, on 1/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Bradford Networks\Client Security Agent\bndaemon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\cp\catserv.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\cp\cattray.exe
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Bradford Networks\Client Security Agent\bncsaui.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\DOCUME~1\KRYSTA~1\LOCALS~1\Temp\clclean.0001
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource5\CTDetctu.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\PROGRA~1\THEWEA~1\Desktop\DesktopWeather.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SavMain.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SavProgress.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Documents and Settings\Krystal Hope\Desktop\virus fixes\HijackThis.exe
C:\Program Files\AIM6\aolsoftware.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2070121
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2070121
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [CATTRAY] C:\Program Files\cp\cattray.exe
O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [bncsaui.exe] %ProgramFiles%\Bradford Networks\Client Security Agent\bncsaui.exe
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector U] "C:\Program Files\Creative\MediaSource5\CTDetctu.exe" /R
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [DW6] "C:\PROGRA~1\THEWEA~1\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://firepass.juniata.edu
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} (F5 Networks VPN Manager) - https://firepass.juniata.edu/vdesk/terminal/urxvpn.cab#version=6030,2008,904,1951
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} (F5 Networks Dynamic Application Tunnel Control) - https://firepass.juniata.edu/vdesk/terminal/f5tunsrv.cab#version=6030,2008,904,1947
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://firepass.juniata.edu/vdesk/terminal/InstallerControl.cab#version=6020,2008,0821,2213
O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) - https://firepass.juniata.edu/vdesk/terminal/f5InspectionHost.cab#version=6030,2008,0904,1939
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks Static Application Tunnel Control) - https://firepass.juniata.edu/vdesk/terminal/urTermProxy.cab#version=6020,2008,0821,2202
O16 - DPF: {7584c670-2274-4efb-b00b-d6aaba6d3850} (Microsoft RDP Client Control (redist)) - https://firepass.juniata.edu/vdesk/terminal/msrdp.cab#version=5,2,3790,0
O16 - DPF: {C190FF32-96D0-445F-9F60-5CF288FD3D0F} (ActiveFormX Control) - http://www.google.com/CAT/CNICAT.cab
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://firepass.juniata.edu/vdesk/terminal/urxshost.cab#version=6030,2008,904,1945
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://firepass.juniata.edu/vdesk/terminal/urxhost.cab#version=6030,2008,904,1940
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL,rbwwmu.dll,C:\WINDOWS\system32\jodenosi.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: Client Security Agent Service (BNPagent) - Bradford Networks - C:\Program Files\Bradford Networks\Client Security Agent\bndaemon.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CATPRO Service (catservice) - AllSecure Networks - C:\Program Files\cp\catserv.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 17425 bytes
hopeka06
8 Posts
1
January 1st, 2009 19:00
Hi,
Actually, i ran reactivated sophos and ran it once more to make sure that my system was clean. However, Adware/ PUA Killg OM Process Killer (of type hacking tool) detected shows up in the scan history.
Bugbatter
3 Apprentice
•
20.5K Posts
0
January 2nd, 2009 03:00
* We may be using some specialized tools during our fix. Certain embedded files that are part of legitimate programs or specialized fix tools such as process.exe, restart.exe, SmiUpdate.exe, reboot.exe, ws2fix.exe, prcviewer.exe and nircmd.exe may at times be detected by some anti-virus/anti-malware scanners as a "RiskTool", "Hacking tool", "Potentially unwanted tool", or even "malware (virus/trojan)" when that is not the case. Such programs have legitimate uses in contexts where an authorized user or administrator has knowingly installed it. These detections do not necessarily mean the file is malware or a bad program. It means it has the potential for being misused by others. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them.