TIBS, TORPIG and SMITFRAUD.C
Raymond D
2006-11-07, 09:14
Here's the HJT log
Logfile of HijackThis v1.99.1
Scan saved at 1:03:04 AM, on 11/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\1127405634\ee\services\sscFirewallPlugin\ver1_205_1_1\aolavupd.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\OasClnt.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\Program Files\Common Files\AOL\1127405634\ee\aolsoftware.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\AOL\1127405634\ee\aolsoftware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\common files\aol\1127405634\ee\services\sscAntiSpywarePlugin\ver1_205_1_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1127405634\ee\AOLOpenRide.exe
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
c:\program files\common files\aol\1127405634\ee\aolssc.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Shessy\My Documents\Unzipped\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://update.charter.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [OSCD_Creator] c:\Dell\PreODM.EXE
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1127405634\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1127405634\ee\services\sscFirewallPlugin\ver1_205_1_1\SSCRun.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [dmhkt.exe] C:\WINDOWS\system32\dmhkt.exe
O4 - HKLM\..\RunOnce: [OSCD_Creator] C:\Dell\PreODM.EXE /2
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4886/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{960017F8-5DA5-40AE-8C8F-399A75CF386D}: NameServer = 85.255.113.149,85.255.112.218
O17 - HKLM\System\CCS\Services\Tcpip\..\{B3642154-8E25-4CBE-99A9-57B6FA706A46}: NameServer = 85.255.113.149,85.255.112.218
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.149 85.255.112.218
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.149 85.255.112.218
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - America Online - C:\Program Files\Common Files\AOL\1127405634\ee\services\sscFirewallPlugin\ver1_205_1_1\aolavupd.exe
O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
The log from the online spyware checker is too long -- I'll post it in the next thread.
Thanks
Raymond D
2006-11-07, 09:19
Here's the first part of the log from (I think) Pandawatch (?). It's so long I'll have to post it in three threads.
Incident Status Location
Adware:adware/secure32 Not disinfected c:\windows\system32\intell321.exe
Adware:adware/cws.searchmeup Not disinfected c:\windows\kl.exe
Adware:adware/cws Not disinfected c:\windows\tool2.exe
Adware:adware/webattaker Not disinfected c:\windows\uniq
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Baron atticus\Cookies\baron atticus@2o7[1].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Baron atticus\Cookies\baron atticus@adultfriendfinder[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Baron atticus\Cookies\baron atticus@advertising[2].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Baron atticus\Cookies\baron atticus@ccbill[1].txt
Spyware:Cookie/CentrPort Not disinfected C:\Documents and Settings\Baron atticus\Cookies\baron atticus@centrport[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Baron atticus\Cookies\baron atticus@cgi-bin[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Baron atticus\Cookies\baron atticus@counter1.sextracker[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Baron atticus\Cookies\baron atticus@counter4.sextracker[2].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Baron atticus\Cookies\baron atticus@counter6.sextracker[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Baron atticus\Cookies\baron atticus@counter7.sextracker[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Baron atticus\Cookies\baron atticus@hg1.hitbox[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Baron atticus\Cookies\baron atticus@hitbox[2].txt
Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\Baron atticus\Cookies\baron atticus@kinghost[1].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Baron atticus\Cookies\baron atticus@maxserving[1].txt
Spyware:Cookie/PayCounter Not disinfected C:\Documents and Settings\Baron atticus\Cookies\baron atticus@paycounter[1].txt
Spyware:Cookie/SexList Not disinfected C:\Documents and Settings\Baron atticus\Cookies\baron atticus@sexlist[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Baron atticus\Cookies\baron atticus@sextracker[1].txt
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Baron atticus\Cookies\baron atticus@stat.onestat[2].txt
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\Baron atticus\Cookies\baron atticus@webpower[1].txt
Spyware:Cookie/XXXCounter Not disinfected C:\Documents and Settings\Baron atticus\Cookies\baron atticus@xxxcounter[2].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Guest\Cookies\guest@maxserving[1].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\guest I\Cookies\guest i@ccbill[2].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\guest I\Cookies\guest i@counter14.sextracker[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\guest I\Cookies\guest i@counter15.sextracker[2].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\guest I\Cookies\guest i@counter16.sextracker[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\guest I\Cookies\guest i@counter4.sextracker[2].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\guest I\Cookies\guest i@counter7.sextracker[1].txt
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\guest I\Cookies\guest i@cs.sexcounter[2].txt
Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\guest I\Cookies\guest i@kinghost[2].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\guest I\Cookies\guest i@maxserving[1].txt
Spyware:Cookie/PayCounter Not disinfected C:\Documents and Settings\guest I\Cookies\guest i@paycounter[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\guest I\Cookies\guest i@sextracker[2].txt
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\guest I\Cookies\guest i@webpower[2].txt
Spyware:Cookie/XXXCounter Not disinfected C:\Documents and Settings\guest I\Cookies\guest i@xxxcounter[1].txt
Raymond D
2006-11-07, 09:21
Part II of Online scan:
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Im Atticus. Im a Cat\Cookies\im atticus. im a cat@2o7[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Im Atticus. Im a Cat\Cookies\im atticus. im a cat@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Im Atticus. Im a Cat\Cookies\im atticus. im a cat@atwola[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Im Atticus. Im a Cat\Cookies\im atticus. im a cat@doubleclick[1].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Im Atticus. Im a Cat\Cookies\im atticus. im a cat@maxserving[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Ray\Cookies\ray@2o7[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Ray\Cookies\ray@ad.yieldmanager[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Ray\Cookies\ray@ads.pointroll[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Ray\Cookies\ray@advertising[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Ray\Cookies\ray@apmebf[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Ray\Cookies\ray@as-us.falkag[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Ray\Cookies\ray@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Ray\Cookies\ray@atwola[2].txt
Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\Ray\Cookies\ray@bfast[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Ray\Cookies\ray@casalemedia[1].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Ray\Cookies\ray@ccbill[2].txt
Spyware:Cookie/CentrPort Not disinfected C:\Documents and Settings\Ray\Cookies\ray@centrport[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Ray\Cookies\ray@com[1].txt
Spyware:Cookie/Hitslink Not disinfected C:\Documents and Settings\Ray\Cookies\ray@counter.hitslink[2].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Ray\Cookies\ray@counter1.sextracker[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Ray\Cookies\ray@counter10.sextracker[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Ray\Cookies\ray@counter15.sextracker[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Ray\Cookies\ray@counter2.sextracker[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Ray\Cookies\ray@counter3.sextracker[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Ray\Cookies\ray@counter4.sextracker[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Ray\Cookies\ray@counter7.sextracker[1].txt
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\Ray\Cookies\ray@cs.sexcounter[2].txt
Spyware:Cookie/Coremetrics Not disinfected C:\Documents and Settings\Ray\Cookies\ray@data.coremetrics[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Ray\Cookies\ray@dist.belnk[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Ray\Cookies\ray@doubleclick[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Ray\Cookies\ray@hg1.hitbox[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Ray\Cookies\ray@hitbox[2].txt
Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\Ray\Cookies\ray@kinghost[1].txt
Spyware:Cookie/Kount Not disinfected C:\Documents and Settings\Ray\Cookies\ray@kount[1].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Ray\Cookies\ray@maxserving[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Ray\Cookies\ray@mediaplex[1].txt
Spyware:Cookie/PayCounter Not disinfected C:\Documents and Settings\Ray\Cookies\ray@paycounter[2].txt
Spyware:Cookie/Paypopup Not disinfected C:\Documents and Settings\Ray\Cookies\ray@paypopup[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Ray\Cookies\ray@perf.overture[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Ray\Cookies\ray@phg.hitbox[2].txt
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Ray\Cookies\ray@qksrv[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Ray\Cookies\ray@questionmarket[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Ray\Cookies\ray@realmedia[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Ray\Cookies\ray@servedby.advertising[2].txt
Spyware:Cookie/SexList Not disinfected C:\Documents and Settings\Ray\Cookies\ray@sexlist[2].txt
Raymond D
2006-11-07, 09:23
Here is Part III (last part of online scan)
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Ray\Cookies\ray@sextracker[1].txt
Spyware:Cookie/SpywareStormer Not disinfected C:\Documents and Settings\Ray\Cookies\ray@spywarestormer[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Ray\Cookies\ray@trafficmp[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Ray\Cookies\ray@tribalfusion[2].txt
Spyware:Cookie/Valueclick Not disinfected C:\Documents and Settings\Ray\Cookies\ray@valueclick[2].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Ray\Cookies\ray@xiti[1].txt
Spyware:Cookie/XXXCounter Not disinfected C:\Documents and Settings\Ray\Cookies\ray@xxxcounter[2].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Ray\Cookies\ray@z1.adserver[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Ray\Cookies\ray@zedo[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Raymond\Cookies\raymond@2o7[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Raymond\Cookies\raymond@ads.pointroll[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Raymond\Cookies\raymond@advertising[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Raymond\Cookies\raymond@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Raymond\Cookies\raymond@atwola[1].txt
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\Raymond\Cookies\raymond@c.enhance[1].txt
Spyware:Cookie/GoClick Not disinfected C:\Documents and Settings\Raymond\Cookies\raymond@c.goclick[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Raymond\Cookies\raymond@doubleclick[1].txt
Spyware:Cookie/Findwhat Not disinfected C:\Documents and Settings\Raymond\Cookies\raymond@findwhat[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Raymond\Cookies\raymond@hitbox[2].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Raymond\Cookies\raymond@maxserving[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Raymond\Cookies\raymond@mediaplex[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Raymond\Cookies\raymond@perf.overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Raymond\Cookies\raymond@questionmarket[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Raymond\Cookies\raymond@realmedia[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Raymond\Cookies\raymond@server.iad.liveperson[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Raymond\Cookies\raymond@serving-sys[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Raymond\Cookies\raymond@www.burstbeacon[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Raymond\Cookies\raymond@zedo[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Shessy\Cookies\shessy@247realmedia[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Shessy\Cookies\shessy@2o7[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Shessy\Cookies\shessy@ads.pointroll[2].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Shessy\Cookies\shessy@adtech[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Shessy\Cookies\shessy@advertising[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Shessy\Cookies\shessy@as-us.falkag[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Shessy\Cookies\shessy@atdmt[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Shessy\Cookies\shessy@atwola[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Shessy\Cookies\shessy@belnk[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Shessy\Cookies\shessy@burstnet[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Shessy\Cookies\shessy@dist.belnk[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Shessy\Cookies\shessy@doubleclick[1].txt
Spyware:Cookie/Findwhat Not disinfected C:\Documents and Settings\Shessy\Cookies\shessy@findwhat[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Shessy\Cookies\shessy@overture[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Shessy\Cookies\shessy@perf.overture[1].txt
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Shessy\Cookies\shessy@qksrv[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Shessy\Cookies\shessy@questionmarket[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Shessy\Cookies\shessy@realmedia[2].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Shessy\Cookies\shessy@server.iad.liveperson[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Shessy\Cookies\shessy@serving-sys[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Shessy\Cookies\shessy@trafficmp[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Shessy\Cookies\shessy@tribalfusion[2].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Shessy\Cookies\shessy@www.burstbeacon[1].txt
Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\Shessy\Cookies\shessy@www48.seeq[1].txt
Possible Virus. Not disinfected C:\WINDOWS\uninstDsk.exe
I've updated and tried to delete with spybot several times. Your help is greatly appreciated.
Thanks
Hi Raymond D and welcome to the forums :)
Please post all your replies in this topic; do not start new ones.
One or more of the identified infections steal information. If this system is used for online banking or has credit card information on it, all passwords should be changed immediately by using a different computer (not the infected one!) to make the changes. Banking and credit card institutions, if any, should be notified of the possible security breach. I suggest that you read this (http://www.dslreports.com/faq/10451) article too.
You may want to print out these instructions for reference, since you will have to restart your computer during the fix.
Please download FixWareout from one of these sites: http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
At the end of the fix, you may need to restart your computer again.
Finally, please post a fresh HijackThis log, along with the contents of the logfile C:\fixwareout\report.txt
Raymond D
2006-11-07, 18:04
And here is the HiJackThis Log
Logfile of HijackThis v1.99.1
Scan saved at 9:47:43 AM, on 11/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\1127405634\ee\services\sscFirewallPlugin\ver1_205_1_1\aolavupd.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\OasClnt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Common Files\AOL\1127405634\ee\AOLSoftware.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\AOL\1127405634\ee\aolsoftware.exe
c:\program files\common files\aol\1127405634\ee\aolssc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\common files\aol\1127405634\ee\services\sscAntiSpywarePlugin\ver1_205_1_1\AOLSP Scheduler.exe
C:\DOCUME~1\Shessy\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [OSCD_Creator] c:\Dell\PreODM.EXE
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1127405634\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1127405634\ee\services\sscFirewallPlugin\ver1_205_1_1\SSCRun.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\RunOnce: [OSCD_Creator] C:\Dell\PreODM.EXE /2
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4886/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{960017F8-5DA5-40AE-8C8F-399A75CF386D}: NameServer = 85.255.113.149,85.255.112.218
O17 - HKLM\System\CCS\Services\Tcpip\..\{B3642154-8E25-4CBE-99A9-57B6FA706A46}: NameServer = 85.255.113.149,85.255.112.218
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.149 85.255.112.218
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.149 85.255.112.218
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - America Online - C:\Program Files\Common Files\AOL\1127405634\ee\services\sscFirewallPlugin\ver1_205_1_1\aolavupd.exe
O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
And here is the fixwareout report
Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please
Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\2trap
...
Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmboo.exe"=-
...
PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»» Searching by size/names...
»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\DMBOO.EXE 61,025 2004-08-04
Other suspects.
Directory of C:\WINDOWS\system32
»»»»» Misc files.
»»»»» Checking for older varients covered by the Rem3 tool.
However, when I ran spybot again, TIBS, TORPIG and SMITFRAUD.C still came up, and spybot was unable to fix them. Should I be concerned?
Thanks for your help. :)
Hi again, we'll continue :)
You have MyWaySA installed. The program has a suspicious reputation and I recommend that you remove it.
If you want to keep it, skip the BLUE steps
You should print these instructions or save these to a text file. Follow these instructions carefully.
Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update successful message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.
Please download HijackThis to your desktop from here -> HijackThis 1.99.1 (http://downloads.malwareremoval.com/HijackThis.exe)
Create a new folder named HijackThis to your desktop. Move Hijackthis.exe into that folder.
Then, make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then the OK and close My Computer.
==================
Open Control Panel -> Add/Remove programs -> Remove all of the following programs if found:
MyWaySA
Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{960017F8-5DA5-40AE-8C8F-399A75CF386D}: NameServer = 85.255.113.149,85.255.112.218
O17 - HKLM\System\CCS\Services\Tcpip\..\{B3642154-8E25-4CBE-99A9-57B6FA706A46}: NameServer = 85.255.113.149,85.255.112.218
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.149 85.255.112.218
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.149 85.255.112.218
Now let's check some settings on your system.
(2000/XP) Only
In the Windows Control Panel: if you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise double-click on Network Connections. Then right-click on your default connection (usually Local Area Connection for cable and DSL) and left-click on Properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically.
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be available on some systems.
Next, go to Start, Run, type cmd and hit OK.
type
ipconfig /flushdns
then hit enter, type exit hit enter
(that space between g and / is needed)
Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Go to the My Computer and delete the following files (if present):
C:\WINDOWS\SYSTEM32\DMBOO.EXE
Go to the My Computer and delete the following folders (if present):
C:\Program Files\MyWaySA
Run ATF Cleaner Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT: Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.
Download F-Secure Blacklight (http://www.f-secure.com/blacklight/try_blacklight.html) and save it to your desktop.
Double-click blbeta.exe, accept the agreement, click Scan, then click Next.
You'll see a list of what has been found. A log will appear on your desktop, named fsbl.xxxxxxx.log (xxxxxxx will be random numbers).
DON'T choose Rename if something was found!
Post the contents of fsbl.xxxx.log to here (blacklight log from your desktop)
================
When you're ready, post the following logs to here:
- AVG's report
- a fresh HijackThis log
- blacklight log
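The O17 lines in the log above are the core of the infection: every interface and the global Tcpip\Parameters key have been pointed at resolvers that are not the user's own ISP or router, so every DNS lookup can be answered by a third party. The following Python is an added example, not part of this thread or of HijackThis, that parses those O17 lines (copied from the log above, plus one constructed clean line) and flags any resolver that is neither on a local network nor in an assumed allowlist of expected resolvers; the allowlist address is a placeholder.

```python
import ipaddress
import re

# O17 lines copied from the HijackThis log posted in this thread, one non-O17
# line, and one constructed clean entry (192.168.1.1) for contrast.
SAMPLE_LOG = r"""
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{960017F8-5DA5-40AE-8C8F-399A75CF386D}: NameServer = 85.255.113.149,85.255.112.218
O17 - HKLM\System\CCS\Services\Tcpip\..\{B3642154-8E25-4CBE-99A9-57B6FA706A46}: NameServer = 85.255.113.149,85.255.112.218
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.149 85.255.112.218
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.149 85.255.112.218
O17 - HKLM\System\CCS\Services\Tcpip\..\{CONSTRUCTED-CLEAN-INTERFACE}: NameServer = 192.168.1.1
"""

# Resolvers this machine is expected to use. Placeholder (TEST-NET-3 address)
# standing in for the real ISP resolver; fill in from the network's own config.
TRUSTED_RESOLVERS = {"203.0.113.53"}

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+?)\s*$")


def parse_o17(log_text):
    """Yield (registry_key, [server, ...]) for each O17 NameServer line.
    HijackThis writes per-interface entries comma-separated and the global
    Parameters entries space-separated, so split on either."""
    for line in log_text.splitlines():
        m = O17_RE.match(line)
        if m:
            servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
            yield m.group("key"), servers


def suspicious_nameservers(log_text, trusted=TRUSTED_RESOLVERS):
    """Map each resolver that is neither trusted nor local to the keys that set it."""
    findings = {}
    for key, servers in parse_o17(log_text):
        for server in servers:
            try:
                addr = ipaddress.ip_address(server)
            except ValueError:
                findings.setdefault(server, []).append(key)  # not an IP: flag it
                continue
            if server in trusted or addr.is_private or addr.is_loopback:
                continue
            findings.setdefault(server, []).append(key)
    return findings


def control_sets_affected(findings):
    """Control sets carrying a flagged resolver (HJT: CCS = CurrentControlSet, CS1 = ControlSet001)."""
    return {key.split("\\")[2] for keys in findings.values() for key in keys}
```

Both rogue addresses come back with all four registry keys, which is why the helper has the user fix all four O17 entries, switch the adapter back to "Obtain DNS servers automatically", and flush the resolver cache.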
Still there Raymond D ? :scratch:
Raymond D, this topic is closed due to lack of a response to the helper. :spider: If you need it re-opened, please send me a private message (PM) and provide a link to the thread.
Applies only to the original topic starter.