PDA

View Full Version : Backdoor.Tidservlinf



davidapsel
2008-12-12, 09:23
hi,

my symantec antivirus program reports that my computer is infected with a virus named Backdoor.Tidservlinf which it cannot remove or quarantine. it is located at C:\Documents and Settings\david\Local Settings\Temp\tds.tmp which i do not know how to access. other programs that i have used either freeze up or do not find it. since i am not sure what this virus does, i am reluctant to do anything on the computer until it is removed. i could really use some help! thank you.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:01:16 AM, on 12/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\Verizon Online\bin\mpbtn.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\vzbb.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\vzbb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab53083.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 9697 bytes

Blade81
2008-12-16, 19:44
Hi

Let's make sure you have hidden files visible.


Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.


Delete C:\Documents and Settings\david\Local Settings\Temp\tds.tmp file if found.

Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop and post them back here.

davidapsel
2008-12-17, 01:45
hi,

thanks for your help. first, i misnamed the virus file, it is:

C:\Documents and Settings\david\Local Settings\Temp\tds147.tmp

i followed your instructions, found the file, but when i tried to delete the file the computer said : cannot delete tds147: access is denied. i looked at the properties of the file and i cannot find anything that says that it is write protected. i did not go any further since the deletion step was unsuccessful. please let me know what to do next. thanks again.

Blade81
2008-12-17, 17:12
Hi

Please run DDS and post back its reports. We'll deal the problematic file later :santa:

davidapsel
2008-12-17, 19:30
hi,

i do not know how to disable script blockers if they exist. also, i disabled my sytem restore when i was trying to delete the virus by myself (before contacting spybot), and since i was unsuccessful i left it disabled. i ran dds and am copying the logs. thanks.


DDS (Version 1.1.0) - NTFSx86
Run by david at 12:12:08.09 on Wed 12/17/2008
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.42 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Verizon Online\bin\mpbtn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\MSN\MSNIA\CC\MSNCC\logonmgr.exe
C:\Program Files\MSN\MSNIA\CC\MSNCC\msncc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\david\Local Settings\Temporary Internet Files\Content.IE5\RYWT6WEL\dds[1].com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell4me.com/mywaybiz
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>;127.0.0.1
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - c:\progra~1\common~1\verizo~1\sfp\vzbb.dll
BHO: {5CA3D70E-1895-11CF-8E15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
TB: {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - c:\progra~1\common~1\verizo~1\sfp\vzbb.dll
TB: {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - c:\progra~1\common~1\verizo~1\sfp\vzbb.dll
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [MMTray] c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [vptray] c:\progra~1\symant~1\symant~1\vptray.exe
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [Motive SmartBridge] c:\progra~1\verizo~1\smartb~1\MotiveSB.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [InstantAccess] c:\progra~1\textbr~1.0\bin\INSTAN~1.EXE /h
mRun: [RegisterDropHandler] c:\progra~1\textbr~1.0\bin\REGIST~1.EXE
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRunServices: [RegisterDropHandler] c:\progra~1\textbr~1.0\bin\REGIST~1.EXE
StartupFolder: c:\docume~1\david\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.4\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\monitor.lnk - c:\program files\sandisk\sandisk transfermate\SD Monitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\verizo~1.lnk - c:\program files\verizon online\bin\matcli.exe
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath -

ATTENTION: FIREFOX POLICES IS IN FORCE
c:\program files\mozilla firefox\\greprefs\all.js - pref("general.useragent.contentlocale", "chrome://navigator-region/locale/region.properties");
c:\program files\mozilla firefox\\greprefs\all.js - pref("accessibility.typeaheadfind.soundURL", "default");
c:\program files\mozilla firefox\\greprefs\all.js - pref("browser.tabs.warnOnCloseOther", true);
c:\program files\mozilla firefox\\greprefs\all.js - pref("browser.tabs.loadGroup", 1);
c:\program files\mozilla firefox\\greprefs\all.js - pref("browser.tabs.loadOnNewTab", 0);
c:\program files\mozilla firefox\\greprefs\all.js - pref("browser.windows.loadOnNewWindow", 1);
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.default.HTMLDocument.open.get", "allAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.default.Location.reload.get", "allAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.default.Window.Components", "allAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.default.Window.document.get", "allAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.default.XULControllers.commandDispatcher", "noAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.default.XULControllers.getControllerForCommand", "noAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.default.XULControllers.insertControllerAt", "noAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.default.XULControllers.removeControllerAt", "noAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.default.XULControllers.getControllerAt", "noAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.default.XULControllers.appendController", "noAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.default.XULControllers.removeController", "noAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.default.XULControllers.getControllerId", "noAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.default.XULControllers.getControllerById", "noAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.default.XULControllers.getControllerCount", "noAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("dom.disable_window_open_feature.resizable", false);
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.http.max-connections", 24);
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.http.max-connections-per-server", 8);
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.http.max-persistent-connections-per-server", 2);
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.http.max-persistent-connections-per-proxy", 4);
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.http.accept.default", "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5");
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.dns.ipv4OnlyDomains", ".doubleclick.net");
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.standard-url.encode-utf8", false);
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.image.warnAboutImages", false);
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.proxy.autoconfig_url", "");
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.cookie.p3p", "ffffaaaa");
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\mozilla firefox\\greprefs\all.js - pref("ime.password.onFocus.dontCare", false);
c:\program files\mozilla firefox\\greprefs\all.js - pref("ime.password.onBlur.dontCare", false);
c:\program files\mozilla firefox\\greprefs\all.js - pref("ui.key.generalAccessKey", 18);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.enable_ssl2", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ssl2.rc4_128", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ssl2.rc2_128", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ssl2.des_ede3_192", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ssl2.des_64", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ssl2.rc4_40", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ssl2.rc2_40", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ssl3.rsa_fips_des_sha", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ssl3.rsa_des_sha", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ssl3.rsa_1024_rc4_56_sha", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ssl3.rsa_1024_des_cbc_sha", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ssl3.rsa_rc4_40_md5", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ssl3.rsa_rc2_40_md5", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ssl3.dhe_rsa_des_sha", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ssl3.dhe_dss_des_sha", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.default_personal_cert", "Select Automatically");
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.warn_entering_secure", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.warn_leaving_secure", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.warn_submit_insecure", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.OCSP.enabled", 0);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ui.enable", true);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("startup.homepage_override_url","chrome://browser-region/locale/region.properties");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("xpinstall.dialog.progress.skin", "chrome://mozapps/content/extensions/extensions.xul?type=themes");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("xpinstall.dialog.progress.chrome", "chrome://mozapps/content/extensions/extensions.xul?type=extensions");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("xpinstall.dialog.progress.type.skin", "Extension:Manager-themes");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("xpinstall.dialog.progress.type.chrome", "Extension:Manager-extensions");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("extensions.getMoreExtensionsURL", "chrome://mozapps/locale/extensions/extensions.properties");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("extensions.getMoreThemesURL", "chrome://mozapps/locale/extensions/extensions.properties");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("app.update.url.manual", "http://www.mozilla.org/products/firefox/");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("app.update.url.details", "chrome://browser-region/locale/region.properties");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("app.update.nagTimer.download", 86400);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("app.update.nagTimer.restart", 1800);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("extensions.update.url", "chrome://mozapps/locale/extensions/extensions.properties");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("extensions.getMoreExtensionsURL", "chrome://mozapps/locale/extensions/extensions.properties");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("extensions.getMoreThemesURL", "chrome://mozapps/locale/extensions/extensions.properties");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("keyword.URL", "http://www.google.com/search?btnI=I%27m+Feeling+Lucky&ie=UTF-8&oe=UTF-8&q=");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.startup.homepage", "resource:/browserconfig.properties");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.search.defaulturl", "chrome://browser-region/locale/region.properties");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.search.order.Yahoo.1", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.search.order.Yahoo.2", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.search.order.Yahoo", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.search.basic.min_ver", "0.0");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.link.open_newwindow", 2);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.tabs.opentabfor.urlbar", true);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.related.enabled", true);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.related.autoload", 1); // 0 = Always, 1 = After first use, 2 = Never
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.related.provider", "http://www-rl.netscape.com/wtgn?");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.related.disabledForDomains", "");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.goBrowsing.enabled", true);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("dom.disable_window_open_feature.location", false);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("dom.disable_window_flip", false);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.trim_user_and_password", true);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("privacy.item.history", true);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("privacy.item.formdata", true);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("privacy.item.passwords", false);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("privacy.item.downloads", true);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("privacy.item.cookies", false);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("privacy.item.cache", true);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("privacy.item.siteprefs", false);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("privacy.item.sessions", true);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("network.cookie.enableForCurrentSessionOnly", false);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("network.cookie.denyRemovedCookies", false);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.throbber.url","chrome://browser-region/locale/region.properties");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("alerts.height", 50);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("signon.prefillForms", true);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("security.warn_entering_secure.show_once", true);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("security.warn_leaving_secure.show_once", true);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("security.warn_submit_insecure.show_once", true);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.display.screen_resolution", 96);

============= SERVICES / DRIVERS ===============

R2 aawservice;Ad-Aware 2007 Service;"c:\program files\lavasoft\ad-aware 2007\aawservice.exe" [2008-1-4 587096]
R2 NAVAPEL;NAVAPEL;\??\c:\program files\symantec_client_security\symantec antivirus\NAVAPEL.SYS [2003-8-11 30208]
R2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\progra~1\symant~1\symant~1\Rtvscan.exe [2004-2-12 655482]
R3 NAVAP;NAVAP;\??\c:\progra~1\symant~1\symant~1\NAVAP.sys [2003-8-11 224768]
R3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20081213.002\NAVENG.sys [2008-12-14 89104]
R3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20081213.002\NAVEX15.sys [2008-12-14 876112]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\NSDriver.sys [2007-8-7 9344]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2008-11-25 10:08 1,409 a------- c:\windows\QTFont.for
2008-11-25 10:08 54,156 a---h--- c:\windows\QTFont.qfn

==================== Find3M ====================

2008-12-03 19:52 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 19:52 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-10-24 06:21 455,296 a------- c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 06:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 07:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-17 02:08 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-16 08:11 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 08:11 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 11:34 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 02:06 633,632 -------- c:\windows\system32\dllcache\iexplore.exe
2008-10-15 02:04 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-10-03 05:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-10-03 05:02 247,326 -------- c:\windows\system32\dllcache\strmdll.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-25 15:09 348,160 a------- c:\windows\system32\msvcr71.dll
2008-09-21 14:05 56,912 a------- c:\documents and settings\david\g2mdlhlpx.exe
2008-08-13 11:42 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008072820080804\index.dat
2008-08-18 10:20 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081120080818\index.dat
2008-08-18 10:39 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081820080819\index.dat
2008-08-21 22:28 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082120080822\index.dat

============= FINISH: 12:13:07.50 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Version 1.0)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 8/2/2004 10:42:28 PM
System Uptime: 12/17/2008 11:38:34 AM (1 hours ago)

Motherboard: Dell Computer Corp. | | 0C2425
Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | Microprocessor | 2790/533mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 34 GiB total, 20.906 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

6200
6200_Help
6200Trb
Acrobat.com
Ad-Aware 2007
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9
AiO_Scan
AiOSoftware
Banctec Service Agreement
Broadcom Management Programs
BufferChm
CardRd81
CCScore
Copy
CP_AtenaShokunin1Config
cp_dwShrek2Albums1
cp_dwShrek2Cards1
CR2
CreativeProjects
CreativeProjectsTemplates
CueTour
Dell Digital Jukebox Driver
Dell Media Experience
Dell Networking Guide
Dell Solution Center
Dell Support Center (Support Software)
DellSupport
Destinations
DIGOpt
DIGReqEx
Director
DocProc
DocumentViewer
ESSBrwr
ESSCDBK
ESScore
ESSCT
ESSEMAIL
ESSgui
ESShelp
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
essvatgt
essvcpt
ESSvpaht
ESSvpot
Fax
Filmmakers and Financing, 4e
GoToMeeting/GoToWebinar 3.0.0.198
Help and Support Customization
HijackThis 2.0.2
HLPIndex
HLPPDOCK
HLPSFO
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP Image Zone 4.7
HP Product Assistant
HP PSC & OfficeJet 4.7
HP Software Update
HPSystemDiagnostics
InstantShare
Intel(R) 537EP V9x DF PCI Modem
Intel(R) Extreme Graphics Driver
Internet Explorer Default Page
iPod for Windows 2006-03-23
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 9
Jasc Paint Shop Photo Album
Jasc Paint Shop Pro 8 Dell Edition
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 4
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
Kodak EasyShare software
KSU
LiveUpdate 1.80 (Symantec Corporation)
Malwarebytes' Anti-Malware
MathPlayer
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Disc 2
Microsoft Office 2000 Small Business
Microsoft Picture It! Express 9
Microsoft Picture It! Library 9
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Modem Event Monitor
Modem Helper
Modem On Hold
Mozilla Firefox (1.5.0.12)
MSN
MSN Connection Center
MSN Encarta Plus Support Files
MSN Messenger 6.2
MSN Money Investment Toolbox
MSN Money Investment Toolbox Beta
MSN Music Assistant
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Musicmatch® Jukebox
Notifier
OfotoXMI
OpenOffice.org 2.4
OTtBP
OTtBPSDK
PanoStandAlone
PhotoGallery
ProductContext
QFolder
QuickTime
Readme
RealPlayer
SanDisk TransferMate
Scan
ScannerCopy
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
SFR
SFR2
SHASTA
SKIN0001
SkinsHP1
SKINXSDK
Skype™ 3.5
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
StreetSmart Pro
Symantec AntiVirus Client
TextBridge Pro 9.0
TrayApp
Unload
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
URGE
Verizon Online
Verizon Online Support Center
VPRINTOL
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool
Windows Internet Explorer 7
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WIRELESS
WordPerfect Office 12

==== Event Viewer Messages From Past Week ========

12/12/2008 12:26:49 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
12/15/2008 1:18:58 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
12/15/2008 1:18:58 AM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

==== End Of File ===========================

Blade81
2008-12-17, 20:16
Hi

Please re-enable system restore. Even infected system restore point is better than no point at all.


You have way too old Firefox version installed there. Uninstall it and get the latest one here (http://www.mozilla.com/en-US/firefox/all.html).


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6 Update 11 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says
The J2SE Runtime Environment (JRE) allows end-users to run Java applications.

Click the
Download
button to the right.
Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.

The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version. Note: Uncheck MSN toolbar option if you don't want to install it.


Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif). Post back its report.


We need to execute an OTMoveIt3 script
Please download OTMoveIt3 by OldTimer (http://oldtimer.geekstogo.com/OTMoveIt3.exe) and save it to your desktop.
Double click theOTMoveIt3 icon on your desktop.
Paste the following code under the Paste Fix Here area. Do not include the word
Code
.

:Files
C:\Documents and Settings\david\Local Settings\Temp\tds.tmp

Push the large MoveIt button.
OTMI3 may ask to reboot the machine. Please do so if asked.
Copy/Paste the contents under the Results line here in your next reply with a fresh hjt log.
If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

davidapsel
2008-12-17, 21:41
hi,

i made a typo when i originally wrote the name of the virus file. the correct name is:

C:\Documents and Settings\david\Local Settings\Temp\tds147.tmp

i assume that is the name i should paste. thanks.

davidapsel
2008-12-17, 22:44
hi,

i am running the kaspersky online scanner. it mostly came up as indicated in the screenshot, except that when i pressed settings, the correct settings came up, but the save option never came on. i assumed that the settings that came up were what was in fact set and i am running the scan. if there is a problem with anything that i did, please let me know. thanks

davidapsel
2008-12-18, 01:23
hi,

i have run the kaspersky scan and am pasting in the results. i have not yet done OTMoveIt3. i am not quite sure what this does so i will wait until you clarify the file name. should i just copy the instruction to a word document, alter it, and paste? thanks again for your help.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, December 17, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, December 17, 2008 17:31:21
Records in database: 1469879
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Files scanned: 88623
Threat name: 3
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 02:12:33


File name / Threat name / Threats count
C:\Documents and Settings\david\Local Settings\Temp\tds147.tmp Infected: Trojan.Win32.Patched.dw 1
C:\Program Files\Common Files\Verizon Online\SFP\vzbb.dll Infected: not-a-virus:AdWare.Win32.MegaSearch.b 1
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4BSPEZOF\newgetposted[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

The selected area was scanned.

Blade81
2008-12-18, 13:19
Hi

Yes, that file has to be removed. However, lets take the chance and add other bad findings to the script :santa:



:Files
C:\Documents and Settings\david\Local Settings\Temp\tds147.tmp
C:\Program Files\Common Files\Verizon Online\SFP\vzbb.dll
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4BSPEZOF\newgetposted[1].htm

davidapsel
2008-12-18, 18:27
hi,

i followed your instructions and will paste the results. does otmoveit delete the bad files? thanks.

========== FILES ==========
File move failed. C:\Documents and Settings\david\Local Settings\Temp\tds147.tmp scheduled to be moved on reboot.
C:\Program Files\Common Files\Verizon Online\SFP\vzbb.dll unregistered successfully.
C:\Program Files\Common Files\Verizon Online\SFP\vzbb.dll moved successfully.
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4BSPEZOF\newgetposted[1].htm moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12182008_110103

Files moved on Reboot...
C:\Documents and Settings\david\Local Settings\Temp\tds147.tmp moved successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:20:30 AM, on 12/18/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\Verizon Online\bin\mpbtn.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab53083.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 9571 bytes

Blade81
2008-12-18, 18:33
Hi

Did you reboot the system after OtMoveIt run? Is the file still there after a reboot?

davidapsel
2008-12-18, 20:54
hi,

yes i did reboot which is indicated at the bottom of the otmoveit log with the heading "Files moved on Reboot...". i did a search and the tds147.tmp file seems to have been moved to

C:\_OTMoveIt\MovedFiles\12182008_110103\Documents and Settings\david\Local Settings\Temp\tds147.tmp

should i now try to delete the file? also, at the bottom of web pages, as the spybot page i am now working on, i often get "Done, but with errors on the page". is this related to the malware? can i get rid of these errors? thanks

Blade81
2008-12-18, 22:36
Probably some javascript related errors. Not malware related and I wouldn't be worried :santa:

We shall now uninstall OTMoveIT3. That will take away those moved objects too.


Double-click OTMoveIt3.exe.
Click the CleanUp! button.
Select Yes when the
Begin cleanup Process?
prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.


Note: If you receive a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet, please allow it to do so.


How's the system running now? Are you still getting alerts of infections?

davidapsel
2008-12-19, 02:49
hi,

thank you so much for your help. the system seems to run much better and symantec finds no infections. any suggestions on how to improve my security situation would be appreciated. thanks again.:)

Blade81
2008-12-19, 17:36
Well congrats, it appears your system is all clean Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,NOT on a regular basis



We need to re hide system files. To do so, please follow the steps below:
Double-click My Computer. Click the Tools menu, and then click Folder Options. Click the View tab.
Put a check by
Hide file extensions for known file types.
Under the
Hidden files
folder, select
Show hidden files and folders.
Check
Hide protected operating system files.
Click Apply, and then click OK.



UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.


Download Spybot
Spybot is a scanner like adaware. It scans for spyware and other malicious programs. It is important to have both Adaware and Spybot on your computer because each program provides unique detection and pretection measures. Spybot has preventitive tools that stop programs from even installing on your computer.
To see how to set this up as well as more spybot features, see here (http://www.bleepingcomputer.com/forums/index.php?showtutorial=43)
Spybot can be downloaded at this location (http://www.download.com/Spybot-Search-Destroy/3000-8022-10122137.html?part=dl-spybot&subj=dl&tag=but)
Download SpywareBlaster
Spyware blaster is a program that stops known malicious activex controls from installing on your computer. It works by changing settings in your registry. It makes
kill bits
in the registry, so that certain activex controls can't install.
If you don't know what activex controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
You can download SpywareBlaster here here (http://majorgeeks.com/downloadget.php?id=2859&file=11&evp=61b0e8ad41924a03c37615f4682b4cef)
SpywareBlaster tutorial (http://www.bleepingcomputer.com/forums/tutorial49.html)

hosts file:
Every version of windows has a hosts file as part of them. In a very basic sense, they are used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the start button (at the lower left hand corner of your screen) Click run In the dialog box, type services.msc hit enter, then locate dns client Highlight it, then double-click it. On the dropdown box, change the setting from automatic to manual. Click ok

Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this (http://www.bleepingcomputer.com/forums/tutorial60.html) webpage out.
If you don't have a 3rd party firewall or a router behind NAT then I recommend getting one. I recommend either Online Armor Free (http://www.tallemu.com/free-firewall-protection-software.html) or Comodo Firewall Pro (http://www.personalfirewall.comodo.com/download_firewall.html#fw3.0) (If you choose Comodo: Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" and install firewall ONLY!).



Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.



Once again, please post and tell me how things are going with your system... problems etc.

Happy Holidays,
Blade :santa:

davidapsel
2008-12-20, 07:41
hi,

i do have one thing that is bothering me about the system (but i am not convinced that it is malware). my outlook express program, which i never use, spontaneously turns on (twice in the last week or so) and tries to send messages. at first i thought it was nothing, but something similiar happened on a computer that i often transfer data to with a memory stick. i don't know what i am doing to cause these things to happen. anyway, other than that the system seems fine.

i set the new restore point and protected operating system files to be hidden. can you explain what other hidden files are and why i want to see them. also, my internet explorer security options were almost exactly as you describe except navigate sub-frames across different domains is set at disable. i don't understand what this does.

i would like to download spybot, i know it is a very good system, but i thought that there was a conflict between my ad-watch program and the spybot tea timer (both real time protection).

thanks again for all your help. david :)

Blade81
2008-12-20, 13:35
i do have one thing that is bothering me about the system (but i am not convinced that it is malware). my outlook express program, which i never use, spontaneously turns on (twice in the last week or so) and tries to send messages. at first i thought it was nothing, but something similiar happened on a computer that i often transfer data to with a memory stick. i don't know what i am doing to cause these things to happen. anyway, other than that the system seems fine.
Has this happened after cleaning operation was finished?


i set the new restore point and protected operating system files to be hidden. can you explain what other hidden files are and why i want to see them.
Sometimes malware uses hidden files and in order to delete those files have to be visible. System files are normally hidden to ensure those are not deleted by accident.


also, my internet explorer security options were almost exactly as you describe except navigate sub-frames across different domains is set at disable. i don't understand what this does.
That's ok. You may have that option disabled as well.


i would like to download spybot, i know it is a very good system, but i thought that there was a conflict between my ad-watch program and the spybot tea timer (both real time protection).
You don't have to enable TeaTimer :santa:

davidapsel
2008-12-21, 06:52
hi,

as to question one, yes it happened once before (which actually prompted me to run symantec and find Backdoor.Tidserv!inf) and once after. ok to the rest of the comments. thanks again.:)

Blade81
2008-12-21, 12:33
Hi

So, if it's still happening it's better we run one more tool.


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console for XP home edition first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:


Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

davidapsel
2008-12-22, 22:06
hi,

with all the warnings, i am being very cautious in setting up and running ComboFix. looking at the system properties i get

System:

Microsoft Windows XP
Home Edition
Version 2002
Service Pack 3

i also have an old reinstallation CD which i believe is the one for this machine,
which says:

Microsoft Windows XP Home Edition
Including Service Pack 1a

i think it would be better to just download Windows XP Home Edition SP2 (please confirm that this is the one that i have to download) from the microsoft website. thanks again.:)

Blade81
2008-12-22, 22:11
Hi

When you run ComboFix it should suggest recovery console installation and get suitable one automatically if approved.

davidapsel
2008-12-23, 06:41
hi,

i have followed your instructions and ran combofix and i am pasting the results at the end of the message along with the hjt log. after substantial processing, combofix rebooted my computer, which brought up my realtime antivirus and antispyware programs, after which combofix continued to process (i believe it was preparing the log report). i am assuming that the kind of stuff that could do damage is done before the boot. if not, how do i know what was done and what to do about it? thanks again for your help. david

ComboFix 08-12-21.04 - david 2008-12-22 22:26:57.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.80 [GMT -5:00]
Running from: c:\documents and settings\david\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\Temp
c:\windows\system32\drivers\fad.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV


((((((((((((((((((((((((( Files Created from 2008-11-23 to 2008-12-23 )))))))))))))))))))))))))))))))
.

2008-12-17 14:10 . 2008-12-17 14:09 410,984 --a------ c:\windows\SYSTEM32\deploytk.dll
2008-12-17 14:10 . 2008-12-17 14:09 73,728 --a------ c:\windows\SYSTEM32\javacpl.cpl

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-22 15:35 --------- d-----w c:\documents and settings\david\Application Data\OpenOffice.org2
2008-12-20 01:35 --------- d-----w c:\documents and settings\david\Application Data\U3
2008-12-17 19:09 --------- d-----w c:\program files\Java
2008-12-12 16:48 --------- d-----w c:\program files\Windows Live Safety Center
2008-12-12 04:13 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-04 00:52 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 00:52 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-09-21 19:05 56,912 ----a-w c:\documents and settings\david\g2mdlhlpx.exe
2008-08-13 16:42 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008072820080804\index.dat
2008-08-18 15:20 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008081120080818\index.dat
2008-08-18 15:39 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008081820080819\index.dat
2008-08-22 03:28 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008082120080822\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-21 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"MMTray"="c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe" [2004-10-08 131072]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-09-13 50688]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2004-02-12 90224]
"mmtask"="c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe" [2004-10-08 53248]
"Motive SmartBridge"="c:\progra~1\VERIZO~1\SMARTB~1\MotiveSB.exe" [2005-07-06 385024]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-02-23 278528]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-05-27 155648]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"InstantAccess"="c:\progra~1\TEXTBR~1.0\Bin\INSTAN~1.EXE" [2000-06-19 31744]
"RegisterDropHandler"="c:\progra~1\TEXTBR~1.0\Bin\REGIST~1.EXE" [2000-06-19 22528]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-25 185872]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-17 136600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"RegisterDropHandler"="c:\progra~1\TEXTBR~1.0\Bin\REGIST~1.EXE" [2000-06-19 22528]

c:\documents and settings\david\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 393216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 53248]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-01 176128]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
Monitor.lnk - c:\program files\SanDisk\SanDisk TransferMate\SD Monitor.exe [2006-02-13 110592]
Verizon Online Support Center.lnk - c:\program files\Verizon Online\bin\matcli.exe [2005-07-05 204800]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Schwab\\SSPro\\SSPro.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c2bed3eb-c3a0-11db-8588-000f1f80f4da}]
\Shell\AutoRun\command - E:\LaunchU3.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = <local>;127.0.0.1
IE: {{d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {{d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html -

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-22 22:36:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-aware 2007\aawservice.exe
c:\progra~1\SYMANT~1\SYMANT~1\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\SYMANT~1\SYMANT~1\Rtvscan.exe
c:\windows\SYSTEM32\HPZipm12.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\OpenOffice.org 2.4\program\soffice.exe
c:\program files\OpenOffice.org 2.4\program\soffice.bin
c:\program files\Verizon Online\bin\mpbtn.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
.
**************************************************************************
.
Completion time: 2008-12-22 22:49:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-23 03:49:23

Pre-Run: 23,107,317,760 bytes free
Post-Run: 23,618,228,224 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

143 --- E O F --- 2008-12-19 06:36:11

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:13:26 PM, on 12/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\Verizon Online\bin\mpbtn.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab53083.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 9452 bytes

Blade81
2008-12-23, 12:09
Hi

Looks like the run went ok. Are you still having problems with Outlook?

davidapsel
2008-12-23, 21:06
hi,

i have not had any problems with outlook since the one i already reported, and my computer seems to run fine. i noticed that combofix deleted some items, were they malware? do i need to do anything with my other computer (actually my wife's computer) which i often share data with using a memory stick. indeed, do i have to do anything with the memory stick. thanks again for all your help. david :)

Blade81
2008-12-23, 21:44
Hi

Yes, those were bad items that CF removed. You could scan the memory stick with Kaspersky online scanner to see if there's anything bad on it.

Let's remove ComboFix now.


Click START then RUN
Now type Combofix /u in the runbox and click OK


If there's nothing else wrong then I suggest to follow those tips I gave a bit earlier :santa:

davidapsel
2008-12-25, 04:45
hi,

i ran kaspersky with my memory stick in the computer, and everything seems clean (i will paste the results). i guess my only question is whether the bad stuff removed by combofix was responsible for outlook and whether i should run combofix (with memory stick) on my other computer. everything else is great. thanks again and happy holidays. david :)

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, December 24, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, December 24, 2008 01:11:44
Records in database: 1507057
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 80595
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:57:12

No malware has been detected. The scan area is clean.

The selected area was scanned.

Blade81
2008-12-25, 10:36
Hi

I think ComboFix took care of that Outlook problem. If the other system is working without problems then I see no reason to run any fixes on it.

Merry Christmas :santa:

davidapsel
2008-12-26, 04:51
hi,

ok. thanks for all your help, it's nice to have a clean system. happy hollidays. david:)

Blade81
2008-12-26, 11:47
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :santa:

Note:If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.