smitfraud removal help



Petez
2007-09-28, 00:58
Hi, I'm new to this forum. I appreciate the help!

Here's my situation...

-Win XP, SP2, auto-updates are on

-Registry restore is still ON, and cannot be turned OFF at this time because the admin rights have been limited on all accounts.

-multiple user accounts, all appear to have the smitfraud pop-ups

-I found and ran smitfraudfix, which appeared to remove it (Control Panel came back, etc.), but as soon as we switched users it came back. On all accounts. I assumed many files were infected.

-Ran CA antivirus and removed many infected objects, same with AdAware

-At one point my admin account became locked out of the registry (couldn't open it). I found a command line fix for that.

-After that Control Panel was gone again, and smitfraudfix no longer restored it, even temporarily (like it did the first 3 tries).

-SB S&D installed and updated, as well as HJT, CA Antivirus, and AdAware.

-Ran Kaspersky online, it stopped at c:\dell\mediaexe\ in a .bin file. Retried 2 times. Then gave up and ran it for critical areas only. (Log below)

-HJT log below that, followed by the report from the last (failing) smitfraudfix.

Thanks for the help!

Pete

-------------Kaspersky Log-------------

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, September 27, 2007 2:36:29 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 27/09/2007
Kaspersky Anti-Virus database records: 424339
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Critical Areas:
C:\WINDOWS
C:\DOCUME~1\TECHSU~1\LOCALS~1\Temp\

Scan Statistics:
Total number of scanned objects: 14214
Number of viruses found: 4
Number of infected objects: 4
Number of suspicious objects: 0
Duration of the scan process: 00:15:19

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\favset.exe Infected: Trojan.Win32.Favadd.an skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\howiper.exe Infected: Trojan.Win32.Qhost.df skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\xlibgfl254.dll Infected: Trojan-Downloader.Win32.Agent.bfj skipped
C:\WINDOWS\Temp\us10050.exe Infected: Trojan.Win32.Qhost.om skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\DOCUME~1\TECHSU~1\LOCALS~1\Temp\~DF257D.tmp Object is locked skipped
C:\DOCUME~1\TECHSU~1\LOCALS~1\Temp\~DF3174.tmp Object is locked skipped
C:\DOCUME~1\TECHSU~1\LOCALS~1\Temp\~DF5C45.tmp Object is locked skipped

Scan process completed.

-------------HJT Log-------------

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 2:42:00 PM, on 9/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\tech support\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/apps/vso/en-us/vso9/setexp.asp?systempopup=true&affid=105-36&dtag=gymk871
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [OSCD_Creator] c:\Dell\PreODM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] "C:\Program Files\Logitech\Video\ISStart.exe"
O4 - HKLM\..\Run: [LogitechVideoTray] "C:\Program Files\Logitech\Video\LogiTray.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKLM\..\RunOnce: [OSCD_Creator] C:\Dell\PreODM.EXE /2
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKUS\S-1-5-21-1510816190-2732026810-2266215690-1008\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User 'nora')
O4 - HKUS\S-1-5-21-1510816190-2732026810-2266215690-1008\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'nora')
O4 - HKUS\S-1-5-21-1510816190-2732026810-2266215690-1008\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'nora')
O4 - HKUS\S-1-5-21-1510816190-2732026810-2266215690-1008\..\Run: [DoNotDelete] C:\WINDOWS\system32\explore.exe (User 'nora')
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: CaCCProvSP - Unknown owner - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 8180 bytes

-------------Rapport Log-------------

SmitFraudFix v2.227

Scan done at 21:40:41.53, Wed 09/26/2007
Run from C:\Documents and Settings\tech support\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{DE6D181C-377D-4849-9DE1-6EF98D3AAED9}: DhcpNameServer=68.238.128.12 68.238.0.12
HKLM\SYSTEM\CS1\Services\Tcpip\..\{DE6D181C-377D-4849-9DE1-6EF98D3AAED9}: DhcpNameServer=68.238.128.12 68.238.0.12
HKLM\SYSTEM\CS3\Services\Tcpip\..\{DE6D181C-377D-4849-9DE1-6EF98D3AAED9}: DhcpNameServer=68.238.128.12 68.238.0.12
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.238.128.12 68.238.0.12
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.238.128.12 68.238.0.12
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.238.128.12 68.238.0.12


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="csgbm.exe"


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

ken545
2007-09-28, 04:40
Hello Petez

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)

We need to have HJT in its own folder for backup purposes. I would prefer that you delete HJT from where you have it installed and reinstall it like this:

Download and install Trendmicro's Hijackthis (http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php?page=download)

Download the Trendmicro Hijackthis Installer, follow the defaults and it will install in C:\Program Files\Trendmicro\Hijackthis, and this is exactly where we want it to be.


C:\Program Files\MyWaySA <--Uninstall this via the Add Remove Programs in the Control Panel.

Do this to help block this garbage from installing

Your Java is out of date and leaving your system vulnerable.
Go to your Add-Remove Programs in the Control Panel and uninstall any previous versions of Java (J2SE Runtime Environment)
It should have an icon next to it:
http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.jpg
Select it and click Remove.
Reboot your system.
Then go to Sun Microsystems (http://www.java.com/en/download/manual.jsp) and install the update
Java Runtime Environment Version 6 Update 2 <--This is what you need to download and install.
If you chose the online installation, it will prompt you to run the program.
If you chose the offline installation, you will be prompted to save the file and you can run it from wherever you saved it.
Then after install you can verify your installation here Sun Java Verify (http://www.java.com/en/download/manual.jsp)
I like to do the offline installation and save the setup file in case I may need it in the future.


Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the Combofix log and a HiJackthis log in your next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Petez
2007-09-28, 06:03
Thanks Ken545,

As I reported above, I currently have NO Control Panel access, thus I cannot remove programs via that method. Due to that, I could not complete this portion:


C:\Program Files\MyWaySA <--Uninstall this via the Add Remove Programs in the Control Panel.

Do this to help block this garbage from installing

* Your Java is out of date and leaving your system vulnerable.
* Go to your Add-Remove Programs in the Control Panel and uninstall any previous versions of Java (J2SE Runtime Environment)
* It should have an icon next to it:

Select it and click Remove.
* Reboot your system.
* Then go to Sun Microsystems and install the update
* Java Runtime Environment Version 6 Update 2 <--This is what you need to download and install.
* If you chose the online installation, it will prompt you to run the program.
* If you chose the offline installation, you will be prompted to save the file and you can run it from wherever you saved it.
* Then after install you can verify your installation here Sun Java Verify

I like to do the offline installation and save the setup file in case I may need it in the future.

I did move HJT, and run Combofix... logs follow:

-------------HJT Log-------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:56:48 PM, on 9/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\CMD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\CA\CA Internet Security Suite\ccupdate\CCUpdate.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/apps/vso/en-us/vso9/setexp.asp?systempopup=true&affid=105-36&dtag=gymk871
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [OSCD_Creator] c:\Dell\PreODM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] "C:\Program Files\Logitech\Video\ISStart.exe"
O4 - HKLM\..\Run: [LogitechVideoTray] "C:\Program Files\Logitech\Video\LogiTray.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\RunOnce: [OSCD_Creator] C:\Dell\PreODM.EXE /2
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 7478 bytes


-------------Combofix Log-------------
ComboFix 07-09-21.2 - "tech support" 2007-09-27 19:40:27.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.84 [GMT -7:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\becki\APPLIC~1\errsafer.exe
C:\DOCUME~1\becki\STARTM~1\Programs\Startup\system.exe
C:\DOCUME~1\Guest\APPLIC~1\install.dat
C:\DOCUME~1\Rachel\STARTM~1\Programs\Startup\system.exe
C:\Documents and Settings\Guest\Application Data\Def\CnsMin.dsc
C:\temp\17o7
C:\Temp\fse
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\drivers\fad.sys

.
((((((((((((((((((((((((( Files Created from 2007-08-28 to 2007-09-28 )))))))))))))))))))))))))))))))
.

2007-09-27 19:38 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-27 19:27 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-26 22:06 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-09-26 22:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-09-26 20:44 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Jasc Software Inc
2007-09-24 21:21 <DIR> d-------- C:\DOCUME~1\becki\APPLIC~1\Talkback
2007-09-23 14:45 <DIR> d-------- C:\DOCUME~1\TECHSU~1\APPLIC~1\Talkback
2007-09-23 14:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-22 22:12 99,592 --a------ C:\WINDOWS\SYSTEM32\isafeif.dll
2007-09-22 22:12 879,784 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vetefile.sys
2007-09-22 22:12 79,424 --a------ C:\WINDOWS\SYSTEM32\vetredir.dll
2007-09-22 22:12 75,016 --a------ C:\WINDOWS\SYSTEM32\isafprod.dll
2007-09-22 22:12 32,264 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vetmonnt.sys
2007-09-22 22:12 26,376 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vet-filt.sys
2007-09-22 22:12 21,512 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vetfddnt.sys
2007-09-22 22:12 21,128 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vet-rec.sys
2007-09-22 22:12 108,312 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\veteboot.sys
2007-09-22 22:12 <DIR> d-------- C:\Program Files\CA
2007-09-22 22:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\CA
2007-09-22 22:02 <DIR> d-------- C:\DOCUME~1\TECHSU~1\.housecall6.6
2007-09-22 21:04 3,742 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-09-22 20:31 <DIR> d-------- C:\DOCUME~1\TECHSU~1\Contacts
2007-09-20 22:03 92,880 --a------ C:\DOCUME~1\becki\APPLIC~1\errprotec.exe
2007-09-19 19:55 322,968 --a------ C:\DOCUME~1\becki\APPLIC~1\prprotect.exe
2007-09-19 17:31 19,968 --a------ C:\WINDOWS\SYSTEM32\xlibgfl254.dll
2007-09-17 20:59 1,796 --a------ C:\DOCUME~1\becki\APPLIC~1\antivir.exe
2007-09-17 13:17 <DIR> d-------- C:\DOCUME~1\TECHSU~1\APPLIC~1\Lavasoft
2007-09-17 13:15 <DIR> d---s---- C:\DOCUME~1\TECHSU~1\UserData
2007-09-16 22:22 59,904 --a------ C:\DOCUME~1\Rachel\wn224.exe
2007-09-16 22:17 25,600 --a------ C:\DOCUME~1\Rachel\APPLIC~1\mcrupdate.exe
2007-09-16 22:17 <DIR> d-------- C:\DOCUME~1\Rachel\Contacts
2007-09-16 22:17 <DIR> d-------- C:\DOCUME~1\Rachel\APPLIC~1\ultra
2007-09-15 11:08 25,600 --a------ C:\DOCUME~1\becki\APPLIC~1\mcrupdate.exe
2007-09-15 11:08 <DIR> d-------- C:\DOCUME~1\becki\APPLIC~1\ultra
2007-09-14 18:37 <DIR> d----c--- C:\WINDOWS\SYSTEM32\DRVSTORE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-27 19:46 --------- d-------- C:\DOCUME~1\Guest\APPLIC~1\Def
2007-09-25 16:14 --------- d-------- C:\Program Files\Dl_cats
2007-09-22 21:54 --------- d-------- C:\Program Files\McAfee.com
2007-09-22 21:52 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee.com
2007-09-22 16:06 --------- d-------- C:\Program Files\Greetings Workshop
2007-09-14 21:18 --------- d-------- C:\Program Files\Warcraft II BNE
2007-09-14 18:43 --------- d-------- C:\Program Files\MSN Messenger
2007-08-03 20:20 --------- d-------- C:\DOCUME~1\becki\APPLIC~1\Viewpoint
2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\SYSTEM32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\SYSTEM32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wups.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 12:42]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 08:59]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 08:59]
"OSCD_Creator"="c:\Dell\PreODM.EXE" [2004-10-31 03:21]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 15:48]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 18:12]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 06:50]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-04-14 12:31]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-04-14 12:31]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-11-10 17:36]
"DLBTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 19:41]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 17:32]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2005-06-08 15:24]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 15:14]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-09-26 08:08]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-07-31 12:50]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-15 02:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"OSCD_Creator"=C:\Dell\PreODM.EXE /2

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2005-04-14 12:30:03]
DESKTOP.INI [2004-08-10 11:04:12]
Digimax Viewer 2.1.lnk - C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe [2006-02-05 13:31:11]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 23:01:04]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 09:59:36]

C:\DOCUME~1\ADMINI~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2004-08-10 11:04:12]

C:\DOCUME~1\alisha\STARTM~1\Programs\Startup\
DESKTOP.INI [2004-08-10 11:04:12]

C:\DOCUME~1\becki\STARTM~1\Programs\Startup\
DESKTOP.INI [2004-08-10 11:04:12]

C:\DOCUME~1\Guest\STARTM~1\Programs\Startup\
DESKTOP.INI [2004-08-10 11:04:12]

C:\DOCUME~1\m&m\STARTM~1\Programs\Startup\
DESKTOP.INI [2004-08-10 11:04:12]

C:\DOCUME~1\Rachel\STARTM~1\Programs\Startup\
DESKTOP.INI [2004-08-10 11:04:12]

C:\DOCUME~1\TECHSU~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2004-08-10 11:04:12]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="csgbm.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll

S2 ZPMODEMSYSNTDRVNT;ZPMODEMSYSNTDRVNT;\??\C:\WINDOWS\system32\drivers\zpmodemnt.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-22 23:04:28 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (DGYMK871-caleb).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-27 19:51:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
OSCD_Creator = C:\Dell\PreODM.EXE /2??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-27 19:54:24 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-27 19:54
.
--- E O F ---

ken545
2007-09-28, 14:55
Good Morning,

You need to enable windows to show all files and folders, instructions Here (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)

Open HijackThis > Do a System Scan Only, close your browser and all open windows, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

If you set this yourself and know about it, then leave it
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

This is where you picked up your infection
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad



File::
C:\DOCUME~1\becki\APPLIC~1\errprotec.exe
C:\DOCUME~1\becki\APPLIC~1\antivir.exe
C:\DOCUME~1\Rachel\wn224.exe


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.


I would like you to go to Start> Search> All files and folders> C:\ drive and search for csgbm.exe. I need to know the location of this file, then go to the location of the file, right-click on it and go to Properties and let me know any info about it as far as who the file may belong to.
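The entries ken545 singles out above (the O16 DPF download that brought the infection in, the orphaned O3 toolbar, the O6 IE restriction policy) and the two loading points visible in the ComboFix log (the Winlogon "System" value pointing at csgbm.exe, and xlibgfl254.dll appended to SecurityProviders) can be picked out mechanically. The following triage script is an added example for this thread, not part of HijackThis, ComboFix or either poster's instructions; the allowed DPF host list and the XP default SecurityProviders set are assumptions made for the example, and the log excerpt is constructed from lines in this thread.

```python
"""Triage helper for HijackThis lines and ComboFix 'Reg Loading Points' text.

Added example for this thread; not code from HijackThis, ComboFix or the posts.
ALLOWED_DPF_HOSTS and XP_DEFAULT_SECURITY_PROVIDERS are assumptions.
"""
import re
from typing import List, NamedTuple
from urllib.parse import urlparse


class Finding(NamedTuple):
    severity: str   # "high", "medium" or "low"
    reason: str
    line: str


# Assumption: ActiveX (O16 DPF) download hosts considered expected on this box.
ALLOWED_DPF_HOSTS = {
    "www.kaspersky.com", "upload.facebook.com", "photo.walmart.com",
    "www.sibelius.com", "messenger.msn.com", "cdn2.zone.msn.com", "chat.msn.com",
}

# Assumption: the stock Windows XP SP2 SecurityProviders value. Anything appended
# to it is a third-party SSP DLL that lsass will load at boot.
XP_DEFAULT_SECURITY_PROVIDERS = {
    "msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll",
}

O16_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}(?: \([^)]*\))? - (\S+)")
REGKEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
REGVAL_RE = re.compile(r'^"([^"]*)"="([^"]*)"')


def triage(log_text: str) -> List[Finding]:
    """Return findings for the suspicious line types discussed in the thread."""
    findings: List[Finding] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        # ComboFix prints a [HKEY_...] header, then "name"="value" lines under it.
        key_match = REGKEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1).lower()
            continue

        # Winlogon "System" is empty on a clean XP box; a file name here is a
        # classic Smitfraud-family loading point (csgbm.exe in this thread).
        val = REGVAL_RE.match(line)
        if val:
            if (current_key.endswith("\\winlogon")
                    and val.group(1).lower() == "system" and val.group(2)):
                findings.append(Finding(
                    "high", f"non-empty Winlogon System value: {val.group(2)}", line))
            continue

        # Extra SSP DLLs: compare the listed providers against the known default set.
        if line.startswith("SecurityProviders "):
            listed = {p.strip().lower()
                      for p in line[len("SecurityProviders "):].split(",")}
            extra = sorted(listed - XP_DEFAULT_SECURITY_PROVIDERS)
            if extra:
                findings.append(Finding(
                    "high", "non-default SecurityProviders DLL(s): " + ", ".join(extra), line))
            continue

        # HijackThis O16: ActiveX controls downloaded from the web; the drive-by
        # in this thread arrived through one of these.
        o16 = O16_RE.match(line)
        if o16:
            host = (urlparse(o16.group(1)).hostname or "").lower()
            if host not in ALLOWED_DPF_HOSTS:
                findings.append(Finding(
                    "high", f"ActiveX control from unexpected host: {host}", line))
            continue

        # O3 toolbar registration whose DLL is gone: harmless leftover, worth cleaning.
        if line.startswith("O3 - Toolbar:") and line.endswith("(no file)"):
            findings.append(Finding("low", "toolbar entry with missing file", line))
            continue

        # O6: IE restriction policies; legitimate only if someone set them on purpose.
        if line.startswith("O6 - ") and "Restrictions present" in line:
            findings.append(Finding(
                "medium", "Internet Explorer restriction policy present", line))
    return findings


# Constructed excerpt mixing HijackThis lines and ComboFix loading points from this thread.
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="csgbm.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```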

Petez
2007-09-29, 05:06
Good evening, sorry I got interrupted today and just now got back to it. Thanks for sticking with me.

I did all you asked, with the following results:

- After Combofix completed and displayed the log file I saved it and closed it, then there was no desktop (just a blank background, as though Explorer had been shut down). The computer had not rebooted. I ran the windows task manager and there were no applications running, so I rebooted from the task manager and got a normal result.

- csgbm.exe was not found anywhere on the C:\ drive. (I set it to search hidden files & folders as well.)

-------------Combofix Log-------------
ComboFix 07-09-21.2 - "tech support" 2007-09-28 18:17:24.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.75 [GMT -7:00]
* Created a new restore point

FILE::
C:\DOCUME~1\becki\APPLIC~1\errprotec.exe
C:\DOCUME~1\becki\APPLIC~1\antivir.exe
C:\DOCUME~1\Rachel\wn224.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\becki\APPLIC~1\antivir.exe
C:\DOCUME~1\becki\APPLIC~1\errprotec.exe
C:\DOCUME~1\Rachel\wn224.exe

.
((((((((((((((((((((((((( Files Created from 2007-08-28 to 2007-09-29 )))))))))))))))))))))))))))))))
.

2007-09-27 21:31 1,156 --a------ C:\WINDOWS\mozver.dat
2007-09-27 19:38 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-27 19:27 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-26 22:06 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-09-26 22:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-09-26 20:44 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Jasc Software Inc
2007-09-24 21:21 <DIR> d-------- C:\DOCUME~1\becki\APPLIC~1\Talkback
2007-09-23 14:45 <DIR> d-------- C:\DOCUME~1\TECHSU~1\APPLIC~1\Talkback
2007-09-23 14:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-22 22:12 99,592 --a------ C:\WINDOWS\SYSTEM32\isafeif.dll
2007-09-22 22:12 879,784 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vetefile.sys
2007-09-22 22:12 79,424 --a------ C:\WINDOWS\SYSTEM32\vetredir.dll
2007-09-22 22:12 75,016 --a------ C:\WINDOWS\SYSTEM32\isafprod.dll
2007-09-22 22:12 32,264 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vetmonnt.sys
2007-09-22 22:12 26,376 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vet-filt.sys
2007-09-22 22:12 21,512 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vetfddnt.sys
2007-09-22 22:12 21,128 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vet-rec.sys
2007-09-22 22:12 108,312 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\veteboot.sys
2007-09-22 22:12 <DIR> d-------- C:\Program Files\CA
2007-09-22 22:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\CA
2007-09-22 22:02 <DIR> d-------- C:\DOCUME~1\TECHSU~1\.housecall6.6
2007-09-22 21:04 3,742 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-09-22 20:31 <DIR> d-------- C:\DOCUME~1\TECHSU~1\Contacts
2007-09-19 19:55 322,968 --a------ C:\DOCUME~1\becki\APPLIC~1\prprotect.exe
2007-09-19 17:31 19,968 --a------ C:\WINDOWS\SYSTEM32\xlibgfl254.dll
2007-09-17 13:17 <DIR> d-------- C:\DOCUME~1\TECHSU~1\APPLIC~1\Lavasoft
2007-09-17 13:15 <DIR> d---s---- C:\DOCUME~1\TECHSU~1\UserData
2007-09-16 22:17 25,600 --a------ C:\DOCUME~1\Rachel\APPLIC~1\mcrupdate.exe
2007-09-16 22:17 <DIR> d-------- C:\DOCUME~1\Rachel\Contacts
2007-09-16 22:17 <DIR> d-------- C:\DOCUME~1\Rachel\APPLIC~1\ultra
2007-09-15 11:08 25,600 --a------ C:\DOCUME~1\becki\APPLIC~1\mcrupdate.exe
2007-09-15 11:08 <DIR> d-------- C:\DOCUME~1\becki\APPLIC~1\ultra
2007-09-14 18:37 <DIR> d----c--- C:\WINDOWS\SYSTEM32\DRVSTORE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-28 15:46 --------- d-------- C:\Program Files\Dl_cats
2007-09-27 19:46 --------- d-------- C:\DOCUME~1\Guest\APPLIC~1\Def
2007-09-22 21:54 --------- d-------- C:\Program Files\McAfee.com
2007-09-22 21:52 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee.com
2007-09-22 16:06 --------- d-------- C:\Program Files\Greetings Workshop
2007-09-14 21:18 --------- d-------- C:\Program Files\Warcraft II BNE
2007-09-14 18:43 --------- d-------- C:\Program Files\MSN Messenger
2007-08-03 20:20 --------- d-------- C:\DOCUME~1\becki\APPLIC~1\Viewpoint
2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\SYSTEM32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\SYSTEM32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wups.dll
.

((((((((((((((((((((((((((((( snapshot_2007-09-27_195326.40 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 2,115,816 2007-06-11 20:34:00 C:\WINDOWS\SYSTEM32\Macromed\Flash\NPSWF32.dll
----a-w 190,696 2007-06-11 20:34:00 C:\WINDOWS\SYSTEM32\Macromed\Flash\NPSWF32_FlashUtil.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 12:42]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 08:59]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 08:59]
"OSCD_Creator"="c:\Dell\PreODM.EXE" [2004-10-31 03:21]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 15:48]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 18:12]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 06:50]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-04-14 12:31]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-04-14 12:31]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-11-10 17:36]
"DLBTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 19:41]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 17:32]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2005-06-08 15:24]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 15:14]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-09-26 08:08]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-07-31 12:50]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-15 02:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"OSCD_Creator"=C:\Dell\PreODM.EXE /2

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2005-04-14 12:30:03]
DESKTOP.INI [2004-08-10 11:04:12]
Digimax Viewer 2.1.lnk - C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe [2006-02-05 13:31:11]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 23:01:04]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 09:59:36]

C:\DOCUME~1\ADMINI~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2004-08-10 11:04:12]

C:\DOCUME~1\alisha\STARTM~1\Programs\Startup\
DESKTOP.INI [2004-08-10 11:04:12]

C:\DOCUME~1\becki\STARTM~1\Programs\Startup\
DESKTOP.INI [2004-08-10 11:04:12]

C:\DOCUME~1\Guest\STARTM~1\Programs\Startup\
DESKTOP.INI [2004-08-10 11:04:12]

C:\DOCUME~1\m&m\STARTM~1\Programs\Startup\
DESKTOP.INI [2004-08-10 11:04:12]

C:\DOCUME~1\Rachel\STARTM~1\Programs\Startup\
DESKTOP.INI [2004-08-10 11:04:12]

C:\DOCUME~1\TECHSU~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2004-08-10 11:04:12]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="csgbm.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll

S2 ZPMODEMSYSNTDRVNT;ZPMODEMSYSNTDRVNT;\??\C:\WINDOWS\system32\drivers\zpmodemnt.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-22 23:04:28 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (DGYMK871-caleb).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-28 18:23:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
OSCD_Creator = C:\Dell\PreODM.EXE /2??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-28 18:25:35
C:\ComboFix-quarantined-files.txt ... 2007-09-28 18:25
C:\ComboFix2.txt ... 2007-09-27 19:54
.
--- E O F ---


-------------HJT Log-------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:56:23 PM, on 9/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/apps/vso/en-us/vso9/setexp.asp?systempopup=true&affid=105-36&dtag=gymk871
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [OSCD_Creator] c:\Dell\PreODM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] "C:\Program Files\Logitech\Video\ISStart.exe"
O4 - HKLM\..\Run: [LogitechVideoTray] "C:\Program Files\Logitech\Video\LogiTray.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\RunOnce: [OSCD_Creator] C:\Dell\PreODM.EXE /2
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 7053 bytes

ken545
2007-09-29, 05:39
Petez,

Outside of the Myway search, I am not looking at anything out of the ordinary on your HJT log, but you did have some bad files that were skipped for deletion on your Kaspersky scan.

First update your Java, it will help block any new stuff from installing.

Run this scan, it's important that I see the log so follow the instructions pretty close.


Download AVG Anti-Spyware Free (http://free.grisoft.com/doc/download-free-anti-spyware/us/frt/0) to your desktop.


Once you have downloaded AVG Anti-Spyware 7.5, locate the icon on the desktop and double-click it to launch the set up program.
Once the setup is complete you will need to run AVG and update the definition files.
On the main screen select the icon Update then select the Update now link.
Next select the Start Update button, the update will start and a progress bar will show the updates being installed.
Once the update has completed select the Scanner icon at the top of the screen, then select the Settings tab.
Once in the Settings screen click on Recommended actions and then select Quarantine <-- Don't forget this
Under Reports
Select Automatically generate report after every scan
Un-Select Only if threats were found
Close AVG Anti-Spyware Free <-- Do not run the scan yet.

Boot your computer into Safemode

Go to Start> Shut Off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly.
This will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to SAFEMODE
Then press the Enter on your Keyboard

Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)


IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning process:

Launch AVG Anti-Spyware Free by double-clicking the icon on your desktop.
Select the Scanner icon at the top and then the Scan tab then click on Complete System Scan.
AVG will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will be prompted, then select Apply all actions
Next select the Reports icon at the top.
Select the Save report as button in the lower left hand of the screen and save it to a text file on your system <--Don't forget this
Make sure to remember where you saved that file; this is important, I need to see that log.
Close AVG Anti-Spyware Free


Post the AVG report and a New HJT log please

Petez
2007-09-29, 23:33
Hi there,

Well things are looking much better. I *think* all pop-ups and changes to browser settings are no longer taking place, for all users.

I removed MyWay.

JAVA is updated.

If all seems well to you, and us, should I go ahead and disable/re-enable System Restore?

I have removed ACG. CA-AV is already installed and working. (It will be upgraded to CA-AV Plus shortly, as that includes spyware protection.)

I discovered that the Administrator account has no password. (This is a friend's computer, I'm just helping them.) I will add a password to it, but was wondering if you thought that was a result of malware, or just their oversight when setting up the computer.

I followed the AVG instructions to-the-letter... but it didn't generate a report in Safe Mode. It did find 207 items (mostly mining cookies). All were removed, and I deleted the quarantined files as well. Before doing so I was able to take a screen shot of those items for you, since there was no report.

http://www.coosweb.com/tmp/AVG.jpg

----------HJT Log----------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:14:35 PM, on 9/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/apps/vso/en-us/vso9/setexp.asp?systempopup=true&affid=105-36&dtag=gymk871
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [OSCD_Creator] c:\Dell\PreODM.EXE
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] "C:\Program Files\Logitech\Video\ISStart.exe"
O4 - HKLM\..\Run: [LogitechVideoTray] "C:\Program Files\Logitech\Video\LogiTray.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [OSCD_Creator] C:\Dell\PreODM.EXE /2
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 6692 bytes

ken545
2007-09-30, 01:57
Your log looks good :bigthumb: Glad things are back to normal.

You can try this.
Depending on how your manufacturer set up your system, you may or may not need the Windows XP CD. If you have an I386 folder on your C:\ drive you may not need the disk.

Click Start>Run
Type in sfc /scannow, hit Enter.
Note: there is a space between sfc and /scannow
This should replace any corrupted/missing system files and will hopefully fix things.
This is a dead link, you can fix it with HJT.
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/apps/vso/en-us/...6&dtag=gymk871

What I would do is to open AVG and delete everything in the Quarantine folder. Not to worry about the log, I found out after no posters were able to post a log that it's a bug in the new version that is supposed to be fixed soon.

With Windows XP there is no administrator password unless you set one yourself.

I would delete Smitfraud fix and Comboscan, these are not programs that you run now and then, they're designed to remove specific infections and they are updated quite regularly.


This is a good free cleaner program that I run myself about once a week to clean out all the temp files and such that are not needed.

Download CCleaner from here (http://www.ccleaner.com/) to clean temp files from your computer.

Double click on the file to start the installation of the program.
Select your language and click OK, then next.
Read the license agreement and click I Agree.
Click next to use the default install location. Click Install then finish to complete installation.
Double click the CCleaner shortcut on the desktop to start the program.
On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
Click on the "Options" icon at the left side of the window, then click on "Advanced."
Deselect "Only delete files in Windows Temp folders older than 48 hours."
Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.
Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
After CCleaner has completed its process, click Exit.


*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, back it up or move it to a permanent folder prior to running CCleaner!

If you feel your system is stable then go ahead and disable System Restore, and make sure you re-enable it and create a new restore point. It will be your only restore point at the moment. But all the garbage that you were infected with is backed up in there and you need to get rid of it.

Here are instructions for System Restore.

System Restore makes regular backups of all your settings. If you ever had to use this program to restore your system to a previous date, you would be infected all over again, so we need to clean out the previous Restore Points.

Turn off System Restore.

Right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore on all Drives.
Click Apply, and then click OK.

Reboot your computer

Turn ON System Restore.

Right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore on all Drives.
Click Apply, and then click OK.

Create a new Restore Point <-- Very Important

Go to Start/ Control Panel/ Performance and Maintenance/ System Restore/ Create a New Restore Point
You need to go into the Control Panel and switch to Category View to be able to Create a New Restore Point

System Restore Tutorial (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- If you need it



Malware Complaints (http://malwarecomplaints.info/index.php)
Are you mad? I mean really mad, seething mad, so mad you're ready to spit, mad that you have taken your hard earned dollars to buy a computer only to have some Miscreants, Dirt Bags and Cyber Criminals install a malicious program on your computer without your knowledge or consent. You can post your complaint at the above site. If you live in the U.S.A. you can also report your grievance to your State Attorney General's Office and the Federal Trade Commission's Bureau of Consumer Protection.


How did I get infected in the first place? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
Tom Coyote (http://forums.tomcoyote.org/index.php?showtopic=48151)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
Geeks To Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)

Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community

Spybot Search and Destroy 1.4 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts.

IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 4000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads
(cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 2.0 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and
painless download and install; it will in no way interfere with IE, you can use them both.

Zone Alarm (http://www.pcworld.com/downloads/file_description/0,fid,7228,00.asp) Here is a free Firewall from Zone Labs, I
wouldn't access the internet without it.

Safe Surfn
Ken

Petez
2007-10-01, 01:33
Ken,

All looks good for now. If I don't post in here in 3-4 days feel free to close the thread. And thanks again! (Final notes to follow...)

Pete

------------------------------------------
-sfc completed and exited without indicating anything... I assume that means it found no files to refresh. (Or it fixed stuff without comment. C:\I386 does exist on this computer.)

- Thanks for pointing out the old McAfee entry. (removed)

- I had already removed the AVG quarantined items, as well as removed the specialized removal tools.

- CCleaner, thanks!

- Already switched them to FireFox, and have Spybot S&D installed, as well as AdAware.

ken545
2007-10-01, 01:38
That's great Petez,

Please do post back if you feel you may still have a problem.

Ken

Petez
2007-10-02, 08:51
Tonight, while posting to BlackBoard on a university site, CA AV logged the following:

10/1/2007 21:23:45 PM File infection: C:\Documents and Settings\nora\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\dsbr.jar-13baef4e-4f8f1a7d.zip is Java/Shinwow.BG!ZIP trojan. Deleted

10/1/2007 21:23:46 PM File infection: C:\Documents and Settings\nora\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\dsbr.jar-78753e5b-53c97c8c.zip is Java/Shinwow.BG!ZIP trojan. Deleted

10/1/2007 21:23:47 PM File infection: C:\Documents and Settings\nora\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\animan.class-15019a97-4192ac80.class is Java/ByteVerify!exploit trojan. Deleted

10/1/2007 21:23:47 PM File infection: C:\Documents and Settings\nora\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\animan.class-3ed9fd92-522d6aa8.class is Java/ByteVerify!exploit trojan. Deleted

10/1/2007 21:23:47 PM File infection: C:\Documents and Settings\nora\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\animan.class-3ed9fd93-65c28fdc.class is Java/ByteVerify!exploit trojan. Deleted

10/1/2007 21:23:47 PM File infection: C:\Documents and Settings\nora\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\animan.class-4379e08a-2fa1cee1.class is Java/ByteVerify!exploit trojan. Deleted

Upon repeating the same operation, no issues were logged... FYI: BlackBoard is a large online classroom application, and it relies heavily on Java. Possible this is a false alarm, or they are infected on their server... Any thoughts?

Here's the current HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:40:50 PM, on 10/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\dlbtcoms.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [OSCD_Creator] c:\Dell\PreODM.EXE
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] "C:\Program Files\Logitech\Video\ISStart.exe"
O4 - HKLM\..\Run: [LogitechVideoTray] "C:\Program Files\Logitech\Video\LogiTray.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [OSCD_Creator] C:\Dell\PreODM.EXE /2
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DoNotDelete] C:\WINDOWS\system32\explore.exe
O4 - HKUS\S-1-5-21-1510816190-2732026810-2266215690-1013\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'tech support')
O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 6885 bytes
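The CA AV lines in the post above are easier to reason about once they are grouped by file rather than read one at a time. The following is an added example for this thread, not CA's tooling and not something the thread itself posted: a small Python parser for "File infection" lines whose format is inferred from the lines quoted here, which groups detections by path, records which ones were actually Deleted or Quarantined, and lists files that were logged again after a removal action (a file that keeps reappearing in a Startup folder is the sort of thing that deserves a second look rather than being counted as cleaned). The sample log is a subset of the lines posted in this thread.

```python
import re
from collections import OrderedDict

# CA Anti-Virus "File infection" lines as posted in this thread. The regex
# below is inferred from their shape, not taken from CA documentation.
SAMPLE_LOG = r"""
10/1/2007 21:23:45 PM File infection: C:\Documents and Settings\nora\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\dsbr.jar-13baef4e-4f8f1a7d.zip is Java/Shinwow.BG!ZIP trojan. Deleted
10/1/2007 21:23:47 PM File infection: C:\Documents and Settings\nora\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\animan.class-15019a97-4192ac80.class is Java/ByteVerify!exploit trojan. Deleted
10/1/2007 22:26:26 PM File infection: C:\Documents and Settings\caleb\Start Menu\Programs\Startup\findfast.exe is Win32/VMalum.UNT infection. Quarantined
10/1/2007 22:26:29 PM File infection: C:\Documents and Settings\caleb\Start Menu\Programs\Startup\findfast.exe is Win32/VMalum.UNT infection.
10/1/2007 22:26:36 PM File infection: C:\Documents and Settings\caleb\Start Menu\Programs\Startup\findfast.exe is Win32/VMalum.UNT infection.
10/1/2007 22:43:49 PM File infection: C:\DOCUME~1\caleb\LOCALS~1\Temp\YazzleBundle-1281.exe is Win32/VMalum.DZD infection. Quarantined
10/1/2007 22:43:52 PM File infection: C:\DOCUME~1\caleb\LOCALS~1\Temp\yazzlesnet.exe is Win32/Clspring.GW dropper. Deleted
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} (?:AM|PM)) "
    r"File infection: (?P<path>.+?) is (?P<threat>\S+) \w+\."
    r"(?: (?P<action>Deleted|Quarantined))?$"
)
# Pull the profile name out of both the long and the 8.3 form of the profile root.
PROFILE_RE = re.compile(
    r"^[A-Za-z]:\\(?:Documents and Settings|DOCUME~1)\\([^\\]+)", re.IGNORECASE
)


def parse_line(line):
    """Return a dict for one CA AV 'File infection' line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    pm = PROFILE_RE.match(rec["path"])
    rec["user"] = pm.group(1).lower() if pm else "(no user profile)"
    return rec


def summarise(log_text):
    """Group detections by path, keeping first-seen order, hit count and actions."""
    summary = OrderedDict()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        entry = summary.setdefault(rec["path"], {
            "user": rec["user"], "threat": rec["threat"],
            "hits": 0, "actions": [], "last_action": None,
        })
        entry["hits"] += 1
        entry["last_action"] = rec["action"]
        if rec["action"]:
            entry["actions"].append(rec["action"])
    return summary


def redetected_after_action(summary):
    """Paths logged again after a Deleted/Quarantined entry: worth a second look."""
    return [p for p, e in summary.items() if e["actions"] and e["last_action"] is None]


def files_per_user(summary):
    """Number of distinct detected files under each user profile."""
    counts = {}
    for e in summary.values():
        counts[e["user"]] = counts.get(e["user"], 0) + 1
    return counts


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    for path, e in s.items():
        print(f"{e['user']:<8} {e['hits']}x {e['threat']:<26} last={e['last_action']} {path}")
    print("re-detected after action:", redetected_after_action(s))
    print("distinct files per profile:", files_per_user(s))
```

To use it on a real export, replace SAMPLE_LOG with the contents of the saved CA AV log; lines in any other format are ignored rather than raising an error.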

ken545
2007-10-02, 12:19
It looks like you picked up a worm, possibly from your school network?

Go to Start > Control Panel (up at the top left, make sure you're in Classic View) and open Java.
Then look for a tab that says cache and choose clear cache.
(Newer versions might have delete Temporary Internet files; delete them.)
Do that for every Java icon, if there is more than one.

Remove these with HJT.
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)

O4 - HKCU\..\Run: [DoNotDelete] C:\WINDOWS\system32\explore.exe

Please download OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe) by OldTimer.

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\explore.exe

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it into your next reply.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Post the OTMoveIt log and a new HJT log please

Petez
2007-10-02, 21:57
Grrr! Yes, I know what happened... Nora's brother (Caleb) used the computer... he likes gaming and music sites, etc.... (That's like virtual fly paper for malware.) I'm going to lock out several user accounts until they get educated!

This morning there were more CA AV entries. Here is the entire log, some of which I sent in the last post:

10/1/2007 21:23:45 PM File infection: C:\Documents and Settings\nora\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\dsbr.jar-13baef4e-4f8f1a7d.zip is Java/Shinwow.BG!ZIP trojan. Deleted
10/1/2007 21:23:46 PM File infection: C:\Documents and Settings\nora\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\dsbr.jar-78753e5b-53c97c8c.zip is Java/Shinwow.BG!ZIP trojan. Deleted
10/1/2007 21:23:47 PM File infection: C:\Documents and Settings\nora\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\animan.class-15019a97-4192ac80.class is Java/ByteVerify!exploit trojan. Deleted
10/1/2007 21:23:47 PM File infection: C:\Documents and Settings\nora\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\animan.class-3ed9fd92-522d6aa8.class is Java/ByteVerify!exploit trojan. Deleted
10/1/2007 21:23:47 PM File infection: C:\Documents and Settings\nora\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\animan.class-3ed9fd93-65c28fdc.class is Java/ByteVerify!exploit trojan. Deleted
10/1/2007 21:23:47 PM File infection: C:\Documents and Settings\nora\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\animan.class-4379e08a-2fa1cee1.class is Java/ByteVerify!exploit trojan. Deleted
10/1/2007 22:26:26 PM File infection: C:\Documents and Settings\caleb\Start Menu\Programs\Startup\findfast.exe is Win32/VMalum.UNT infection. Quarantined
10/1/2007 22:26:29 PM File infection: C:\Documents and Settings\caleb\Start Menu\Programs\Startup\findfast.exe is Win32/VMalum.UNT infection.
10/1/2007 22:26:34 PM File infection: C:\Documents and Settings\caleb\Start Menu\Programs\Startup\info.exe is Win32/SillyDl.DFS trojan. Deleted
10/1/2007 22:26:35 PM File infection: C:\Documents and Settings\caleb\Start Menu\Programs\Startup\info.exe is Win32/SillyDl.DFS trojan.
10/1/2007 22:26:36 PM File infection: C:\Documents and Settings\caleb\Start Menu\Programs\Startup\findfast.exe is Win32/VMalum.UNT infection.
10/1/2007 22:26:38 PM File infection: C:\Documents and Settings\caleb\Start Menu\Programs\Startup\findfast.exe is Win32/VMalum.UNT infection.
10/1/2007 22:26:39 PM File infection: C:\Documents and Settings\caleb\Start Menu\Programs\Startup\findfast.exe is Win32/VMalum.UNT infection.
10/1/2007 22:26:40 PM File infection: C:\Documents and Settings\caleb\Start Menu\Programs\Startup\findfast.exe is Win32/VMalum.UNT infection.
10/1/2007 22:26:41 PM File infection: C:\Documents and Settings\caleb\Start Menu\Programs\Startup\info.exe is Win32/SillyDl.DFS trojan.
10/1/2007 22:26:41 PM File infection: C:\Documents and Settings\caleb\Start Menu\Programs\Startup\info.exe is Win32/SillyDl.DFS trojan.
10/1/2007 22:26:41 PM File infection: C:\Documents and Settings\caleb\Start Menu\Programs\Startup\info.exe is Win32/SillyDl.DFS trojan.
10/1/2007 22:26:42 PM File infection: C:\Documents and Settings\caleb\Start Menu\Programs\Startup\info.exe is Win32/SillyDl.DFS trojan.
10/1/2007 22:43:49 PM File infection: C:\DOCUME~1\caleb\LOCALS~1\Temp\YazzleBundle-1281.exe is Win32/VMalum.DZD infection. Quarantined
10/1/2007 22:43:49 PM File infection: C:\DOCUME~1\caleb\LOCALS~1\Temp\YazzleBundle-1281.exe is Win32/VMalum.DZD infection.
10/1/2007 22:43:49 PM File infection: C:\DOCUME~1\caleb\LOCALS~1\Temp\YazzleBundle-1281.exe is Win32/VMalum.DZD infection.
10/1/2007 22:43:49 PM File infection: C:\DOCUME~1\caleb\LOCALS~1\Temp\YazzleBundle-1281.exe is Win32/VMalum.DZD infection.
10/1/2007 22:43:52 PM File infection: C:\DOCUME~1\caleb\LOCALS~1\Temp\yazzlesnet.exe is Win32/Clspring.GW dropper. Deleted
10/1/2007 22:43:52 PM File infection: C:\DOCUME~1\caleb\LOCALS~1\Temp\yazzlesnet.exe is Win32/Clspring.GW dropper.
10/1/2007 22:43:52 PM File infection: C:\DOCUME~1\caleb\LOCALS~1\Temp\yazzlesnet.exe is Win32/Clspring.GW dropper.
10/1/2007 22:43:53 PM File infection: C:\DOCUME~1\caleb\LOCALS~1\Temp\yazzlesnet.exe is Win32/Clspring.GW dropper.


-Java cache appeared to be empty (via View... under Temporary Internet Files in Java panel), I did a delete anyway.

-The R3 listing was already gone... removed the O4 one.

-OTMoveIt complained that it couldn't create the log file, but I copied the right panel display below.

-----OTMoveIt Log-----
File/Folder C:\WINDOWS\system32\explore.exe not found.

Created on 10/02/2007 11:43:35

-----HJT Log-----
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:45:12 AM, on 10/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\dlbtcoms.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [OSCD_Creator] c:\Dell\PreODM.EXE
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] "C:\Program Files\Logitech\Video\ISStart.exe"
O4 - HKLM\..\Run: [LogitechVideoTray] "C:\Program Files\Logitech\Video\LogiTray.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [OSCD_Creator] C:\Dell\PreODM.EXE /2
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-21-1510816190-2732026810-2266215690-1008\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User 'nora')
O4 - HKUS\S-1-5-21-1510816190-2732026810-2266215690-1008\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'nora')
O4 - HKUS\S-1-5-21-1510816190-2732026810-2266215690-1008\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'nora')
O4 - Global Startup: autorun.exe
O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 6727 bytes
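Two HJT logs from the same machine a day apart, like the ones in this thread, are most useful when diffed: what matters is which autorun entries appeared or vanished, not the hundred lines that stayed the same. The following is an added example for this thread, not HijackThis's own code and not something posted by either participant. It parses the O4 lines of a baseline and a later log, folds HKCU and HKUS\<SID> entries into one "user" scope so that running HJT from a different account does not show up as a change (an assumption of this example, chosen because the two logs above were taken from different accounts), and then gives each new or removed entry a short review: a bare executable in a Startup folder rather than a .lnk, a file name one character away from a Windows system binary, or a file running from a temp folder or the root of a user profile. The embedded logs are subsets of the two HJT logs posted in this thread.

```python
import re

# O4 lines from the HJT log posted 10/1/2007 (subset).
BASELINE_LOG = r"""
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DoNotDelete] C:\WINDOWS\system32\explore.exe
O4 - HKUS\S-1-5-21-1510816190-2732026810-2266215690-1013\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'tech support')
O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
"""

# O4 lines from the HJT log posted 10/2/2007 (subset), taken from another account.
LATER_LOG = r"""
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-21-1510816190-2732026810-2266215690-1008\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User 'nora')
O4 - HKUS\S-1-5-21-1510816190-2732026810-2266215690-1008\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'nora')
O4 - Global Startup: autorun.exe
O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

# Registry-based O4 line; the trailing "(User '...')" that HJT appends for other
# profiles is matched separately so it does not become part of the command.
REG_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]+)\] (?P<cmd>.*?)(?: \(User '[^']*'\))?$"
)
GS_RE = re.compile(r"^O4 - Global Startup: (?P<item>.+?)(?: = (?P<target>.*))?$")
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|com|scr|bat|cmd)", re.IGNORECASE)
SYSTEM_BINARIES = ("csrss.exe", "explorer.exe", "lsass.exe", "services.exe",
                   "smss.exe", "spoolsv.exe", "svchost.exe", "winlogon.exe")


def parse_o4(line):
    """Return (scope, name, command) for an O4 line, or None for anything else."""
    line = line.strip()
    m = REG_RE.match(line)
    if m:
        scope = "machine" if m["hive"] == "HKLM" else "user"   # HKCU and HKUS\<SID> merge
        return (f"{scope}:{m['key']}", m["name"], m["cmd"])
    m = GS_RE.match(line)
    if m:
        return ("startup-folder", m["item"], m["target"] or m["item"])
    return None


def autoruns(log_text):
    return {e for e in (parse_o4(l) for l in log_text.splitlines()) if e}


def diff_autoruns(baseline, later):
    """(added, removed) O4 entries between two logs, each sorted for stable output."""
    a, b = autoruns(baseline), autoruns(later)
    return sorted(b - a), sorted(a - b)


def edit_distance(a, b):
    """Plain Levenshtein distance; small enough inputs that the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def review(entry):
    """Reasons an autorun entry deserves a second look; empty list means nothing obvious."""
    scope, name, cmd = entry
    m = PATH_RE.search(cmd)
    path = m.group(0) if m else cmd
    base = path.rsplit("\\", 1)[-1].lower()
    reasons = []
    if scope == "startup-folder" and not name.lower().endswith(".lnk"):
        reasons.append("bare file in a Startup folder rather than a shortcut")
    for known in SYSTEM_BINARIES:
        if base != known and edit_distance(base, known) == 1:
            reasons.append(f"name resembles Windows binary {known}")
    if re.search(r"\\temp\\|\\documents and settings\\[^\\]+\\[^\\]+$", path, re.IGNORECASE):
        reasons.append("runs from a temp folder or the root of a user profile")
    return reasons


if __name__ == "__main__":
    added, removed = diff_autoruns(BASELINE_LOG, LATER_LOG)
    for label, entries in (("+", added), ("-", removed)):
        for e in entries:
            print(label, e, "<--", "; ".join(review(e)) or "no obvious issue")
```

Against the two logs above this reports one removed entry (the [DoNotDelete] key pointing at explore.exe, flagged as a near-miss of explorer.exe) and one new entry (autorun.exe sitting directly in the all-users Startup folder). To use it on saved logs, pass open(path).read() for each file in place of the embedded strings; non-O4 lines are ignored.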

Petez
2007-10-02, 22:37
I need to add a bit more info...

I reset the password on Caleb's account, and logged in as him, so I could see his internet cache (his Doc & Set folder was set to private). Once in there I discovered that his cache showed him to be on FaceBook at the time of the 22:44 infection (possibly it was an outside application he has installed?). No info could be found before that so I have no idea where the other infections came from. He must have cleared his cache.

I cleared all items out of his cache.

Additionally, while logged in as him the smitfraud pop-up showed up. Not the one in the tray, just the one on the screen that asks you to visit their malware site. I thought we removed all of that for all users... or did he reinfect the computer with that as well?

ken545
2007-10-03, 01:05
Petez,

YazzleBundle <-- Anything by this brings spyware with it.

Remove this with HJT
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/sof...iveXPlugin.cab

Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up

Let's run some scans again. You have Combofix, delete it as this tool is updated on a regular basis and download it fresh.

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the Combofix log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall

Please download SuperAntiSpyware (http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE)
Install the program

Run SuperAntiSpyware and click: Check for updates
Once the update is finished, on the main screen, click: Scan your computer
Check: Perform Complete Scan
Click Next to start the scan.

Superantispyware scans the computer, and when finished, lists all the infections found.
Make sure everything found has a check next to it, and press: Next
Then, click Finish

It is possible that the program asks to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click: Preferences
Click the Statistics/Logs tab
Under Scanner Logs, double-click SuperAntiSpyware Scan Log
It opens in your default text editor (such as Notepad)

Please provide the SuperAntiSpyware log in your reply, as well as a new HijackThis log.

Post the Combofix log, the SAS log and a New HJT log please.

Petez
2007-10-04, 01:41
Ok, all was accomplished. One issue... after running the SAS fix, it asked to reboot, I allowed it, but it came up with a failed boot, suspecting a hardware change... I let it try again 2 more times, and they failed. So I then tried "Last known good...", which booted without error.

I left SAS installed for now, but removed the start-up item for the tray icon. All other fixes removed after running.

Reports follow:

-----CA AV Log-----
10/2/2007 17:46:29 PM File infection: C:\System Volume information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000255.exe is Win32/VMalum.UNT infection. Quarantined

10/2/2007 19:25:36 PM File infection: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000256.exe is Win32/SillyDl.DFS trojan. Deleted

10/3/2007 10:57:37 AM File infection: C:\WINDOWS\system32\drivers\etc\hosts is Win32/Hostblock trojan. Deleted

10/3/2007 10:57:38 AM File infection: C:\WINDOWS\system32\drivers\etc\hosts is Win32/Hostblock trojan.

NOTE: I left SAS scanning, and upon return, CA AV had reported this:

10/3/2007 11:52:10 AM File infection: C:\DOCUMENTS AND SETTINGS\CALEB\APPLICATION DATA\SPOOLSVC.DLL is Win32/Crupor trojan. Deleted

10/3/2007 11:52:11 AM File infection: C:\DOCUMENTS AND SETTINGS\CALEB\KAPMCNYS.EXE is Win32/Oneraw!generic trojan. Deleted

10/3/2007 11:52:23 AM File infection: C:\DOCUMENTS AND SETTINGS\CALEB\ORVOHPUE.EXE is Win32/Nitwiz!generic trojan. Deleted

10/3/2007 11:52:30 AM File infection: C:\DOCUMENTS AND SETTINGS\CALEB\US145INFO.EXE is Win32/Oneraw!generic trojan. Deleted

10/3/2007 11:52:30 AM File infection: C:\Documents and Settings\caleb\US145I~1.EXE is Win32/Oneraw!generic trojan.

10/3/2007 11:55:02 AM File infection: C:\DOCUMENTS AND SETTINGS\NORA\APPLICATION DATA\SPOOLSVC.DLL is Win32/Crupor trojan. Deleted

10/3/2007 11:57:31 AM File infection: C:\DOCUMENTS AND SETTINGS\NORA\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\K8GLCRAT\VS10050[1].DLL is Win32/Crupor trojan. Deleted

10/3/2007 11:57:32 AM File infection: C:\Documents and Settings\nora\Local Settings\Temporary Internet Files\Content.IE5\K8GLCRAT\VS1005~1.DLL is Win32/Crupor trojan.

10/3/2007 12:18:01 PM File infection: C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP6\A0000405.DLL is Win32/Crupor trojan. Deleted

10/3/2007 12:18:03 PM File infection: C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP6\A0000406.EXE is Win32/Oneraw!generic trojan. Deleted

10/3/2007 12:18:04 PM File infection: C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP6\A0000407.EXE is Win32/Nitwiz!generic trojan. Deleted

10/3/2007 12:18:04 PM File infection: C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP6\A0000408.EXE is Win32/Oneraw!generic trojan. Deleted

10/3/2007 12:18:05 PM File infection: C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP6\A0000409.DLL is Win32/Crupor trojan. Deleted

-----SAS Log-----
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/03/2007 at 12:37 PM

Application Version : 3.9.1008

Core Rules Database Version : 3318
Trace Rules Database Version: 1319

Scan type : Complete Scan
Total Scan Time : 01:00:49

Memory items scanned : 407
Memory threats detected : 1
Registry items scanned : 5358
Registry threats detected : 0
File items scanned : 46968
File threats detected : 105

Trojan.Downloader-XLIB
C:\WINDOWS\SYSTEM32\XLIBGFL254.DLL
C:\WINDOWS\SYSTEM32\XLIBGFL254.DLL

Adware.Tracking Cookie
C:\Documents and Settings\alisha\Cookies\alisha@a.websponsors[1].txt
C:\Documents and Settings\alisha\Cookies\alisha@ad.admarketplace[1].txt
C:\Documents and Settings\alisha\Cookies\alisha@ad.reunion[1].txt
C:\Documents and Settings\alisha\Cookies\alisha@adknowledge[1].txt
C:\Documents and Settings\alisha\Cookies\alisha@adopt.specificclick[2].txt
C:\Documents and Settings\alisha\Cookies\alisha@ads.as4x.tmcs.ticketmaster[1].txt
C:\Documents and Settings\alisha\Cookies\alisha@ads.as4x.tmcs[2].txt
C:\Documents and Settings\alisha\Cookies\alisha@ads.cc214142[2].txt
C:\Documents and Settings\alisha\Cookies\alisha@ads.cnn[1].txt
C:\Documents and Settings\alisha\Cookies\alisha@ads.monster[2].txt
C:\Documents and Settings\alisha\Cookies\alisha@ads.realcastmedia[2].txt
C:\Documents and Settings\alisha\Cookies\alisha@ads.ussearch[1].txt
C:\Documents and Settings\alisha\Cookies\alisha@advertising[1].txt
C:\Documents and Settings\alisha\Cookies\alisha@ath.belnk[1].txt
C:\Documents and Settings\alisha\Cookies\alisha@atwola[2].txt
C:\Documents and Settings\alisha\Cookies\alisha@bannerspace[2].txt
C:\Documents and Settings\alisha\Cookies\alisha@banner[1].txt
C:\Documents and Settings\alisha\Cookies\alisha@belnk[2].txt
C:\Documents and Settings\alisha\Cookies\alisha@burstnet[1].txt
C:\Documents and Settings\alisha\Cookies\alisha@clicks.emarketmakers[1].txt
C:\Documents and Settings\alisha\Cookies\alisha@creativeby.viewpoint[2].txt
C:\Documents and Settings\alisha\Cookies\alisha@dist.belnk[1].txt
C:\Documents and Settings\alisha\Cookies\alisha@easy-hit-counters[1].txt
C:\Documents and Settings\alisha\Cookies\alisha@edge.ru4[1].txt
C:\Documents and Settings\alisha\Cookies\alisha@ehg-cbs.hitbox[2].txt
C:\Documents and Settings\alisha\Cookies\alisha@funwebproducts[1].txt
C:\Documents and Settings\alisha\Cookies\alisha@hotbar[2].txt
C:\Documents and Settings\alisha\Cookies\alisha@icc.intellisrv[1].txt
C:\Documents and Settings\alisha\Cookies\alisha@image.masterstats[1].txt
C:\Documents and Settings\alisha\Cookies\alisha@interclick[1].txt
C:\Documents and Settings\alisha\Cookies\alisha@kanoodle[2].txt
C:\Documents and Settings\alisha\Cookies\alisha@m1.webstats4u[1].txt
C:\Documents and Settings\alisha\Cookies\alisha@media4.sitebrand[1].txt
C:\Documents and Settings\alisha\Cookies\alisha@nextag[1].txt
C:\Documents and Settings\alisha\Cookies\alisha@partner2profit[1].txt
C:\Documents and Settings\alisha\Cookies\alisha@qnsr[1].txt
C:\Documents and Settings\alisha\Cookies\alisha@rotator.dex.adjuggler[2].txt
C:\Documents and Settings\alisha\Cookies\alisha@spamblockerutility[1].txt
C:\Documents and Settings\alisha\Cookies\alisha@thunderbolt.adjuggler[1].txt
C:\Documents and Settings\alisha\Cookies\alisha@tracking.sms[1].txt
C:\Documents and Settings\alisha\Cookies\alisha@v7.stats.load[2].txt
C:\Documents and Settings\alisha\Cookies\alisha@www.burstbeacon[2].txt
C:\Documents and Settings\nora\Cookies\nora@105-bmp.googleadservices[1].txt
C:\Documents and Settings\nora\Cookies\nora@2o7[1].txt
C:\Documents and Settings\nora\Cookies\nora@ad.accelerator-media[2].txt
C:\Documents and Settings\nora\Cookies\nora@ad.internetradioinc[2].txt
C:\Documents and Settings\nora\Cookies\nora@ad.trident[1].txt
C:\Documents and Settings\nora\Cookies\nora@ad.xplusone[2].txt
C:\Documents and Settings\nora\Cookies\nora@ad.yieldmanager[2].txt
C:\Documents and Settings\nora\Cookies\nora@adecn[2].txt
C:\Documents and Settings\nora\Cookies\nora@adopt.specificclick[2].txt
C:\Documents and Settings\nora\Cookies\nora@ads.adbrite[2].txt
C:\Documents and Settings\nora\Cookies\nora@ads.ak.facebook[2].txt
C:\Documents and Settings\nora\Cookies\nora@ads.pointroll[2].txt
C:\Documents and Settings\nora\Cookies\nora@adv.webmd[1].txt
C:\Documents and Settings\nora\Cookies\nora@advertising[2].txt
C:\Documents and Settings\nora\Cookies\nora@anad.tacoda[1].txt
C:\Documents and Settings\nora\Cookies\nora@anat.tacoda[2].txt
C:\Documents and Settings\nora\Cookies\nora@atdmt[2].txt
C:\Documents and Settings\nora\Cookies\nora@atwola[2].txt
C:\Documents and Settings\nora\Cookies\nora@belnk[1].txt
C:\Documents and Settings\nora\Cookies\nora@bluestreak[1].txt
C:\Documents and Settings\nora\Cookies\nora@burstnet[2].txt
C:\Documents and Settings\nora\Cookies\nora@dist.belnk[2].txt
C:\Documents and Settings\nora\Cookies\nora@doubleclick[1].txt
C:\Documents and Settings\nora\Cookies\nora@edge.ru4[1].txt
C:\Documents and Settings\nora\Cookies\nora@ehg-kasperskylab.hitbox[1].txt
C:\Documents and Settings\nora\Cookies\nora@fastclick[1].txt
C:\Documents and Settings\nora\Cookies\nora@go.winantivirus[2].txt
C:\Documents and Settings\nora\Cookies\nora@gostats[1].txt
C:\Documents and Settings\nora\Cookies\nora@hitbox[2].txt
C:\Documents and Settings\nora\Cookies\nora@icc.intellisrv[2].txt
C:\Documents and Settings\nora\Cookies\nora@interclick[1].txt
C:\Documents and Settings\nora\Cookies\nora@kanoodle[2].txt
C:\Documents and Settings\nora\Cookies\nora@linkstattrack[1].txt
C:\Documents and Settings\nora\Cookies\nora@media.hotels[1].txt
C:\Documents and Settings\nora\Cookies\nora@mediaplex[2].txt
C:\Documents and Settings\nora\Cookies\nora@members.tripod[1].txt
C:\Documents and Settings\nora\Cookies\nora@mo-media[1].txt
C:\Documents and Settings\nora\Cookies\nora@msnportal.112.2o7[1].txt
C:\Documents and Settings\nora\Cookies\nora@nextag[1].txt
C:\Documents and Settings\nora\Cookies\nora@partner2profit[1].txt
C:\Documents and Settings\nora\Cookies\nora@questionmarket[1].txt
C:\Documents and Settings\nora\Cookies\nora@redorbit[2].txt
C:\Documents and Settings\nora\Cookies\nora@rotator.dex.adjuggler[2].txt
C:\Documents and Settings\nora\Cookies\nora@sales.liveperson[1].txt
C:\Documents and Settings\nora\Cookies\nora@seventeen[2].txt
C:\Documents and Settings\nora\Cookies\nora@sitestat.mayoclinic[1].txt
C:\Documents and Settings\nora\Cookies\nora@specificclick[2].txt
C:\Documents and Settings\nora\Cookies\nora@statcounter[2].txt
C:\Documents and Settings\nora\Cookies\nora@stats.sanfordcorp[1].txt
C:\Documents and Settings\nora\Cookies\nora@thunderbolt.adjuggler[1].txt
C:\Documents and Settings\nora\Cookies\nora@tremor.adbureau[2].txt
C:\Documents and Settings\nora\Cookies\nora@tribalfusion[1].txt
C:\Documents and Settings\nora\Cookies\nora@upspiral[2].txt
C:\Documents and Settings\nora\Cookies\nora@www.0stats[1].txt
C:\Documents and Settings\nora\Cookies\nora@www.burstbeacon[2].txt
C:\Documents and Settings\nora\Cookies\nora@www.incentaclick[1].txt
C:\Documents and Settings\nora\Cookies\nora@www.seventeen[1].txt
C:\Documents and Settings\nora\Cookies\nora@www.windowsmedia[1].txt
C:\Documents and Settings\nora\Cookies\nora@zedo[1].txt

Trojan.WinAntiSpyware/WinAntiVirus 2006
C:\DOCUMENTS AND SETTINGS\CALEB\LOCAL SETTINGS\TEMP\WINANTIVIRUSPRO2006FREEINSTALL.EXE

Trojan.Net-AVP/AVT
C:\DOCUMENTS AND SETTINGS\CALEB\START MENU\PROGRAMS\STARTUP\SYSTEM.EXE

Trojan.Unknown Origin
C:\DOCUMENTS AND SETTINGS\CALEB\US145.EXE

-----HJT Log-----
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:24:32 PM, on 10/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [OSCD_Creator] c:\Dell\PreODM.EXE
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] "C:\Program Files\Logitech\Video\ISStart.exe"
O4 - HKLM\..\Run: [LogitechVideoTray] "C:\Program Files\Logitech\Video\LogiTray.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [OSCD_Creator] C:\Dell\PreODM.EXE /2
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 6036 bytes

Petez
2007-10-04, 01:51
-----ComboFix Log-----
ComboFix 07-10-03.7 - tech support 2007-10-03 11:13:32.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.71 [GMT -7:00]
Running from: C:\Documents and Settings\tech support\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
C:\Documents and Settings\becki\Desktop\internet.lnk
C:\Documents and Settings\m&m\Start Menu\Programs\Startup\system.exe
C:\Documents and Settings\Rachel\Start Menu\Programs\Startup\system.exe
C:\Documents and Settings\tech support\Start Menu\Programs\Startup\system.exe
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\WinAvXX.exe

.
((((((((((((((((((((((((( Files Created from 2007-09-03 to 2007-10-03 )))))))))))))))))))))))))))))))
.

2007-10-02 22:08 <DIR> d-------- C:\Documents and Settings\Rachel\Application Data\Talkback
2007-10-02 13:02 <DIR> d-------- C:\WINDOWS\pss
2007-09-30 15:55 <DIR> d--h----- C:\WINDOWS\PIF
2007-09-30 15:25 4,608 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\xrxflnch.exe
2007-09-30 15:25 27,648 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\xrxftplt.exe
2007-09-30 15:25 23,040 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\xrxwbtmp.dll
2007-09-30 15:25 17,408 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\xrxscnui.dll
2007-09-30 15:25 116,224 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\xrxwiadr.dll
2007-09-30 15:24 99,865 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\xlog.exe
2007-09-30 15:24 8,192 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wshirda.dll
2007-09-30 15:24 19,455 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wvchntxx.sys
2007-09-30 15:24 16,970 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\xem336n5.sys
2007-09-30 15:24 12,063 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wsiintxx.sys
2007-09-30 15:23 8,832 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wmiacpi.sys
2007-09-30 15:23 771,581 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\winacisa.sys
2007-09-30 15:23 53,760 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wiamsmud.dll
2007-09-30 15:23 41,600 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\weitekp9.dll
2007-09-30 15:23 34,890 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wlandrv2.sys
2007-09-30 15:23 31,232 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\weitekp9.sys
2007-09-30 15:23 154,624 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wlluc48.sys
2007-09-30 14:48 20,540 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\admin.dll
2007-09-30 14:48 16,439 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\admin.exe
2007-09-30 14:17 <DIR> d-------- C:\Program Files\CCleaner
2007-09-29 10:54 99,592 --a------ C:\WINDOWS\SYSTEM32\isafeif.dll
2007-09-29 10:54 879,784 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vetefile.sys
2007-09-29 10:54 79,424 --a------ C:\WINDOWS\SYSTEM32\vetredir.dll
2007-09-29 10:54 75,016 --a------ C:\WINDOWS\SYSTEM32\isafprod.dll
2007-09-29 10:54 32,264 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vetmonnt.sys
2007-09-29 10:54 26,376 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vet-filt.sys
2007-09-29 10:54 21,512 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vetfddnt.sys
2007-09-29 10:54 21,128 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vet-rec.sys
2007-09-29 10:54 108,312 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\veteboot.sys
2007-09-29 10:53 <DIR> d-------- C:\Program Files\CA
2007-09-29 10:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CA
2007-09-27 21:31 1,156 --a------ C:\WINDOWS\mozver.dat
2007-09-27 19:38 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-27 19:27 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-26 22:06 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-09-26 22:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-09-24 21:21 <DIR> d-------- C:\Documents and Settings\becki\Application Data\Talkback
2007-09-23 14:45 <DIR> d-------- C:\Documents and Settings\tech support\Application Data\Talkback
2007-09-23 14:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-09-22 22:02 <DIR> d-------- C:\Documents and Settings\tech support\.housecall6.6
2007-09-22 21:04 3,742 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-09-22 20:31 <DIR> d-------- C:\Documents and Settings\tech support\Contacts
2007-09-19 17:31 19,968 --a------ C:\WINDOWS\SYSTEM32\xlibgfl254.dll
2007-09-17 13:17 <DIR> d-------- C:\Documents and Settings\tech support\Application Data\Lavasoft
2007-09-17 13:15 <DIR> d---s---- C:\Documents and Settings\tech support\UserData
2007-09-16 22:17 25,600 --a------ C:\Documents and Settings\Rachel\Application Data\mcrupdate.exe
2007-09-16 22:17 <DIR> d-------- C:\Documents and Settings\Rachel\Contacts
2007-09-16 22:17 <DIR> d-------- C:\Documents and Settings\Rachel\Application Data\ultra
2007-09-15 11:08 25,600 --a------ C:\Documents and Settings\becki\Application Data\mcrupdate.exe
2007-09-15 11:08 <DIR> d-------- C:\Documents and Settings\becki\Application Data\ultra
2007-09-14 18:37 <DIR> d----c--- C:\WINDOWS\SYSTEM32\DRVSTORE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-02 22:18 --------- d-------- C:\Program Files\Dl_cats
2007-10-02 12:53 --------- d-------- C:\Program Files\Greetings Workshop
2007-09-29 11:12 --------- d-------- C:\Program Files\Common Files\AOL
2007-09-29 11:12 --------- d-------- C:\Documents and Settings\All Users\Application Data\AOL
2007-09-27 19:46 --------- d-------- C:\Documents and Settings\Guest\Application Data\Def
2007-09-22 21:54 --------- d-------- C:\Program Files\McAfee.com
2007-09-14 21:18 --------- d-------- C:\Program Files\Warcraft II BNE
2007-09-14 18:43 --------- d-------- C:\Program Files\MSN Messenger
2007-08-03 20:20 --------- d-------- C:\Documents and Settings\becki\Application Data\Viewpoint
2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\SYSTEM32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\SYSTEM32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wups.dll
.

((((((((((((((((((((((((((((( snapshot_2007-09-27_195326.40 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 135,168 2007-09-28 16:06:08 C:\WINDOWS\catchme.exe
----a-w 19,996 2001-08-17 19:10:54 C:\WINDOWS\LastGood\system32\dllcache\em556n4.sys
----a-w 22,090 2001-08-17 19:10:54 C:\WINDOWS\LastGood\system32\dllcache\fem556n5.sys
----a-w 2,136,064 2007-02-28 09:08:48 C:\WINDOWS\LastGood\system32\dllcache\ntkrnlmp.exe
----a-w 2,015,744 2007-02-28 08:38:57 C:\WINDOWS\LastGood\system32\dllcache\ntkrpamp.exe
----a-w 135,168 2007-07-12 08:22:00 C:\WINDOWS\SYSTEM32\java.exe
----a-w 135,168 2007-07-12 08:22:04 C:\WINDOWS\SYSTEM32\javaw.exe
----a-w 139,264 2007-07-12 09:22:38 C:\WINDOWS\SYSTEM32\javaws.exe
----a-w 844,800 2007-07-23 01:39:27 C:\WINDOWS\SYSTEM32\swreg.exe
----a-w 53,248 2004-08-04 06:10:08 C:\WINDOWS\SYSTEM32\DLLCACHE\1394bus.sys
----a-w 11,264 2001-08-17 21:06:48 C:\WINDOWS\SYSTEM32\DLLCACHE\1394vdbg.sys
----a-w 762,780 2001-08-17 20:28:00 C:\WINDOWS\SYSTEM32\DLLCACHE\3cwmcru.sys
----a-w 689,216 2001-08-17 21:55:58 C:\WINDOWS\SYSTEM32\DLLCACHE\3dfxvs.dll

........(Large section REMOVED so it would post (The text that you have entered is too long (247179 characters). Please shorten it to 20000 characters long.). I have the entire file saved if you need me to Email it to you.)

----a-w 4,677 2004-08-04 10:00:00 C:\WINDOWS\SYSTEM32\DLLCACHE\zeeverm.dll
----a-w 337,920 2004-08-04 10:00:00 C:\WINDOWS\SYSTEM32\DLLCACHE\zipfldr.dll
----a-w 29,760 2004-08-04 10:00:00 C:\WINDOWS\SYSTEM32\DLLCACHE\znetm.dll
----a-w 113,222 2004-08-04 10:00:00 C:\WINDOWS\SYSTEM32\DLLCACHE\zoneclim.dll
----a-w 13,894 2004-08-04 10:00:00 C:\WINDOWS\SYSTEM32\DLLCACHE\zonelibm.dll
----a-w 8,261 2004-08-04 10:00:00 C:\WINDOWS\SYSTEM32\DLLCACHE\zoneoc.dll
----a-w 2,115,816 2007-06-11 20:34:00 C:\WINDOWS\SYSTEM32\Macromed\Flash\NPSWF32.dll
----a-w 190,696 2007-06-11 20:34:00 C:\WINDOWS\SYSTEM32\Macromed\Flash\NPSWF32_FlashUtil.exe
.
----a-w 109,056 2007-07-20 07:47:22 C:\WINDOWS\catchme.exe
----a-w 24,681 2003-11-19 21:36:26 C:\WINDOWS\SYSTEM32\java.exe
----a-w 28,779 2003-11-19 21:36:30 C:\WINDOWS\SYSTEM32\javaw.exe
----a-w 279,552 2007-07-23 01:39:27 C:\WINDOWS\SYSTEM32\swreg.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 12:42]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 08:59]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 08:59]
"OSCD_Creator"="c:\Dell\PreODM.EXE" [2004-10-31 03:21]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 18:12]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-04-14 12:31]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-04-14 12:31]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-11-10 17:36]
"DLBTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 19:41]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 17:32]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2005-06-08 15:24]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 15:14]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-09-29 10:56]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-07-31 12:50]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-15 02:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"OSCD_Creator"=C:\Dell\PreODM.EXE /2

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digimax Viewer 2.1.lnk - C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe [2006-02-05 13:31:11]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 23:01:04]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digimax Viewer 2.1.lnk - C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe [2006-02-05 13:31:11]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 23:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="csgbm.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll

S2 ZPMODEMSYSNTDRVNT;ZPMODEMSYSNTDRVNT;\??\C:\WINDOWS\system32\drivers\zpmodemnt.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-29 01:30:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (DGYMK871-caleb).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-03 11:19:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
OSCD_Creator = C:\Dell\PreODM.EXE /2??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-03 11:21:56
C:\ComboFix-quarantined-files.txt ... 2007-10-03 11:21
C:\ComboFix2.txt ... 2007-09-28 18:25
C:\ComboFix3.txt ... 2007-09-27 19:54
.
--- E O F ---

ken545
2007-10-04, 11:44
They removed quite a bit, nothing earth shattering left on the scans to worry about.

You can uninstall SAS and delete Combofix and Smitfraud.

Post a new HJT log and let's make sure all is ok

Petez
2007-10-05, 04:10
SAS and ComboFix removed/deleted. Smitfraudfix was never used, did I miss a step?

Also:
-Do I need to clear out System Restore, and set a new restore point? I was concerned that some of the CA AV reports seemed to indicate problems in those files.

-Do I need to run scf again?

Thanks, Pete

-----HJT-----
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:40:56 PM, on 10/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [OSCD_Creator] c:\Dell\PreODM.EXE
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] "C:\Program Files\Logitech\Video\ISStart.exe"
O4 - HKLM\..\Run: [LogitechVideoTray] "C:\Program Files\Logitech\Video\LogiTray.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [OSCD_Creator] C:\Dell\PreODM.EXE /2
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-21-1510816190-2732026810-2266215690-1008\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User 'nora')
O4 - HKUS\S-1-5-21-1510816190-2732026810-2266215690-1008\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'nora')
O4 - HKUS\S-1-5-21-1510816190-2732026810-2266215690-1008\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'nora')
O4 - HKUS\S-1-5-21-1510816190-2732026810-2266215690-1008\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (User 'nora')
O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 6644 bytes

ken545
2007-10-05, 04:36
"I found and ran smitfraudfix" - You said you ran this program in your first post. This is not something you run once in a while; it was written just for this certain infection, so if it's present, remove it.


Yes, you can run System Restore as long as you feel your system is stable. Remember, the only restore point you will have is the one you have just created.


System Restore makes regular backups of all your settings. If you ever had to use this program to restore your system to a previous date, you would be infected all over again, so we need to clean out the previous Restore Points.

Turn off System Restore.


Right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore on all Drives.
Click Apply, and then click OK.



Reboot your computer


Turn ON System Restore.


Right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore on all Drives.
Click Apply, and then click OK.



Create a new Restore Point <-- Very Important




Malware Complaints (http://malwarecomplaints.info/index.php)
Are you mad? I mean really mad, seething mad, so mad you're ready to spit, mad that you have taken your hard earned dollars to buy a computer only to have some Miscreants, Dirt Bags and Cyber Criminals install a malicious program on your computer without your knowledge or consent. You can post your complaint at the above site. If you live in the U.S.A. you can also report your grievance to your State Attorney General's Office and the Federal Trade Commission's Bureau of Consumer Protection.


How did I get infected in the first place ? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
Tom Coyote (http://forums.tomcoyote.org/index.php?showtopic=48151)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
Geeks To Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)




Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community

Spybot Search and Destroy 1.5 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts.

IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 4000 web sites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.

Firefox 2.0 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, and you can use them both.

Zone Alarm (http://www.pcworld.com/downloads/file_description/0,fid,7228,00.asp) Here is a free Firewall from Zone Labs; I wouldn't access the internet without it.



Just so you know I will be away from this evening until sometime on Tuesday so if you need any questions answered please be patient.

Safe Surfn
Ken
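The restore-point flush Ken describes above, as an added example that is not part of this thread nor of any tool it mentions: the same Disable / Enable / create-one-clean-point sequence, driven through the WMI SystemRestore class in the root\default namespace from PowerShell instead of clicked through the System Properties dialog. It assumes PowerShell is installed on the XP machine, that it is run from an administrator account (the thread's limited accounts would not be able to do this), that the system drive is C:, and that the restore-point description is a placeholder you can change. Listing the restore points before and after is the check a practitioner wants: the old, possibly infected points must be gone and exactly one new one present. The script does not reboot between the Disable and Enable calls; to mirror the post step for step, stop after the Disable line, reboot, and run the rest afterwards.

```powershell
# Added example, not code from the thread. Flush all XP restore points
# through the WMI SystemRestore class, then create one clean point.
# Assumptions: run as administrator, system drive is C:\, PowerShell with
# Get-WmiObject is available on the box.

function Get-RestorePoints {
    # Each instance of SystemRestore in root\default is one restore point.
    Get-WmiObject -Namespace 'root\default' -Class SystemRestore |
        Select-Object SequenceNumber, Description, CreationTime
}

Write-Host 'Restore points before flush:'
Get-RestorePoints | Format-Table -AutoSize

# Disable, Enable and CreateRestorePoint are static methods of the class,
# so they are invoked on the class object, not on an instance.
$sr = [wmiclass]'\\.\root\default:SystemRestore'

# Disabling System Restore on the system drive deletes every existing
# restore point. That is the point: an infected restore point would
# reinfect the machine the day someone rolls back to it.
$rc = $sr.Disable('C:\')
if ($rc.ReturnValue -ne 0) { throw "Disable failed, return code $($rc.ReturnValue)" }

# Re-enable monitoring of the system drive; $true waits until it is active.
$rc = $sr.Enable('C:\', $true)
if ($rc.ReturnValue -ne 0) { throw "Enable failed, return code $($rc.ReturnValue)" }

# Create the single clean restore point the helper asks for.
# RestorePointType 0 = APPLICATION_INSTALL, EventType 100 = BEGIN_SYSTEM_CHANGE.
$desc = 'Clean point after smitfraud removal'   # placeholder description
$rc = $sr.CreateRestorePoint($desc, 0, 100)
if ($rc.ReturnValue -ne 0) { throw "CreateRestorePoint failed, return code $($rc.ReturnValue)" }

# Verification: the only point left should be the one just created.
$after = @(Get-RestorePoints)
Write-Host "Restore points after flush (expect exactly one): $($after.Count)"
$after | Format-Table -AutoSize
if ($after.Count -ne 1 -or $after[0].Description -ne $desc) {
    Write-Warning 'Old restore points still present or new point missing; re-check System Restore settings.'
}
```

If the final listing still shows old points, System Restore was not actually disabled on the system drive (a limited account, or a drive letter other than C:, are the usual reasons), and the GUI steps in the post should be repeated from an administrator account.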

Petez
2007-10-05, 06:50
You said you ran this program in your first post. This is not something you run once in a while; it was written just for this certain infection, so if it's present, remove it.

Oh, lol, that was the first infection... For the second round (though it showed the smitfraud false virus warning), I never ran the cleaner for smitfraud. I assume I'm ok even though I didn't run it, right?

I understand that these specialized cleaners are for specific use. I'll reset the System Restore in a few days if all is well, and report back here.

Thanks for the help, Pete

ken545
2007-10-07, 07:25
Malware Complaints (http://malwarecomplaints.info/index.php)
Are you mad? I mean really mad, seething mad, so mad you're ready to spit, mad that you have taken your hard earned dollars to buy a computer only to have some Miscreants, Dirt Bags and Cyber Criminals install a malicious program on your computer without your knowledge or consent. You can post your complaint at the above site. If you live in the U.S.A. you can also report your grievance to your State Attorney General's Office and the Federal Trade Commission's Bureau of Consumer Protection.


How did I get infected in the first place ? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
Tom Coyote (http://forums.tomcoyote.org/index.php?showtopic=48151)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
Geeks To Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)




Here are some free programs to install, don't leave home without them
Spybot Search and Destroy 1.4 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis.

Ad-Aware SE Personal 1.06 (http://www.download.com/3000-2144-10045910.html?part=69274&subj=dlpage&tag=button)
Check for Updates and run a Full System Scan on a regular basis.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts.

Win Patrol (http://www.winpatrol.com/download.html) This program will warn you when any changes are being made to your system and give you the option to deny the change.

IE-Spyad (http://forums.windowsforum.org/index.php?showtopic=6640)
IE-Spyad places over 4000 web sites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.

Firefox 2.0 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, and you can use them both.

Zone Alarm (http://www.pcworld.com/downloads/file_description/0,fid,7228,00.asp) Here is a free Firewall from Zone Labs; I wouldn't access the internet without it.


Stay Well,

Ken