Tom's Guide | Tom's Hardware | Tom's Games

Computing.Net > Forums > Security and Virus > whataboutadog and backdoor trojan

Computer Problems? Computing.Net has over 1,000,000 posts about all things technology related! Over 90% answered within 24 hours! Click here to start participating now! Also, be sure to check out the New User Guide.

whataboutadog and backdoor trojan

Reply to Message Icon

Name: jnjmacaulay
Date: November 14, 2007 at 18:29:18 Pacific
OS: XP
CPU/Ram: 512MB
Product: Dell Demension 8400
Comment:

Last week it was whataboutadog and this week it is backdoor Backdoor:Win32/Zonebac.gen!B
I have had no luck with getting rid of these... I think the dog is sleeping but hasn't left. Can you help??


John and Jennie



Sponsored Link
Ads by Google

Response Number 1
Name: jabuck
Date: November 14, 2007 at 18:59:24 Pacific
Reply:

Please download and install the latest version of HijackThis v2.0.2:

Download the HijackThis Installer from this link: HijackThis

1. Save " HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5.Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Please download FindAWL from this link FindAWF

Double-click on the FindAWF.exe file to run it. It will open a command prompt and ask you to "Press any key to continue". You will be presented with a Menu.
1. Press 1 then Enter to scan for bak folders
2. Press 2 then Enter to restore files from bak folders
3. Press 3 then Enter to remove bak folders
4. Press 4 then Enter to reset domain zones
5. Press E then Enter to EXIT
Press 1 then press Enter. Copy and paste the contents of the AWF.txt file in your next reply.


0

Response Number 2
Name: jnjmacaulay
Date: November 14, 2007 at 19:12:11 Pacific
Reply:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:32:03 PM, on 11/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\QuickTime\bak\qttask.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft Office\Office\OSA.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dlbtcoms.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\NOTEPAD.exe
C:\WINDOWS\system32\SPOOL\DRIVERS\W32X86\3\DLBTPSWX.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: TTB000000 - {62960D20-6D0D-1AB4-4BF1-95B0B5B8783A} - C:\WINDOWS\COUPON~1.DLL (file missing)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [RegistrySmart] C:\Program Files\RegistrySmart\RegistrySmart.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-833378525-3805918845-1372544172-1013\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User 'JASON')
O4 - HKUS\S-1-5-21-833378525-3805918845-1372544172-1013\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime (User 'JASON')
O4 - HKUS\S-1-5-21-833378525-3805918845-1372544172-1013\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'JASON')
O4 - HKUS\S-1-5-21-833378525-3805918845-1372544172-1013\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'JASON')
O4 - HKUS\S-1-5-21-833378525-3805918845-1372544172-1013\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe" (User 'JASON')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusear...
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/open... (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball...
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/as...
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/as...
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofi...
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v4/vet_install_premium.pl?1&4&04.00.09.13&premium&unknown&http://www.toyota.com/vehicles/2007/sequoia/key_features/int360.html?noreloadredir
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v1...
O16 - DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} (Snapfish Outlook Import ActiveX Control) - http://www2.snapfish.com/SnapfishOu...
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovi...
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/min...
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://software-dl.real.com/23b881d...
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/c...
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v1...
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishAc...
O16 - DPF: {4E7BD74F-2B8D-469E-DEFA-EB76B1D5FA7D} - http://lovefreegames.aavalue.com/LF...
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/s...
O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://coolsavings.coupons.smartsou...
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v1...
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/dow...
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagame...
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewo...
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/s...
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v1...
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://playgames.comcast.net/online...
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://livewc02.custhelp.com/7560-b440h-turbotax__promote/rnl/java/RntX.cab
O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} (Playtime Games Launcher) - http://playgames.comcast.net/online...
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 15871 bytes


John and Jennie


0

Response Number 3
Name: jnjmacaulay
Date: November 14, 2007 at 19:18:38 Pacific
Reply:


Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Wed 11/14/2007
The current time is: 22:10:42.70


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\DELLPH~1\BAK

03/29/2004 07:12 PM 290,816 dlbtbmgr.exe
1 File(s) 290,816 bytes

Directory of C:\PROGRA~1\DELLSU~1\BAK

03/15/2007 10:09 AM 460,784 DSAgnt.exe
1 File(s) 460,784 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

10/18/2005 10:58 AM 278,528 iTunesHelper.exe
1 File(s) 278,528 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

10/29/2005 07:13 PM 155,648 qttask.exe
1 File(s) 155,648 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 05:00 AM 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

08/25/2004 12:52 PM 339,968 atiptaxx.exe
1 File(s) 339,968 bytes

Directory of C:\PROGRA~1\AWS\WEATHE~1\BAK

06/07/2005 12:58 PM 1,339,392 Weather.exe
1 File(s) 1,339,392 bytes

Directory of C:\PROGRA~1\CYBERL~1\POWERDVD\BAK

08/23/2004 06:19 PM 57,344 DVDLauncher.exe
1 File(s) 57,344 bytes

Directory of C:\PROGRA~1\DELL\MEDIAE~1\BAK

04/11/2004 08:15 PM 290,816 PCMService.exe
1 File(s) 290,816 bytes

Directory of C:\PROGRA~1\INTEL\INTELA~1\BAK

03/23/2004 12:16 PM 135,168 iaanotif.exe
1 File(s) 135,168 bytes

Directory of C:\PROGRA~1\INTEL\MODEME~1\BAK

09/03/2003 08:12 PM 221,184 IntelMEM.exe
1 File(s) 221,184 bytes

Directory of C:\PROGRA~1\MCAFEE.COM\AGENT\BAK

08/04/2007 01:33 AM 582,992 mcagent.exe
1 File(s) 582,992 bytes

Directory of C:\PROGRA~1\MUSICM~1\MUSICM~2\BAK

01/19/2006 10:06 AM 11,776 mimboot.exe
01/19/2006 10:06 AM 110,592 mm_tray.exe
2 File(s) 122,368 bytes

Directory of C:\PROGRA~1\SUPPORT.COM\BIN\BAK

04/24/2002 08:37 PM 1,544,192 tgcmd.exe
1 File(s) 1,544,192 bytes

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

08/13/2004 01:05 AM 122,939 tfswctrl.exe
1 File(s) 122,939 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

05/11/2007 02:06 AM 40,048 Reader_sl.exe
1 File(s) 40,048 bytes

Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

01/07/2004 01:01 AM 110,592 sgtray.exe
1 File(s) 110,592 bytes

Directory of C:\PROGRA~1\JAVA\J2RE14~1.2_0\BIN\BAK

11/19/2003 05:48 PM 32,881 jusched.exe
1 File(s) 32,881 bytes

Directory of C:\PROGRA~1\MYWEBS~1\BAR\3.BIN\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\MYWEBS~1\BAR\4.BIN\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

26636 Oct 18 2007 "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
290816 Mar 29 2004 "C:\Program Files\Dell Photo AIO Printer 922\bak\dlbtbmgr.exe"
26636 Oct 18 2007 "C:\Program Files\DellSupport\DSAgnt.exe"
460784 Mar 15 2007 "C:\Program Files\DellSupport\bak\DSAgnt.exe"
26636 Oct 18 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
278528 Oct 18 2005 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
26636 Oct 18 2007 "C:\Program Files\QuickTime\qttask.exe"
155648 Oct 29 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
15360 Aug 4 2004 "C:\WINDOWS\SYSTEM32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\SYSTEM32\bak\ctfmon.exe"
26636 Oct 18 2007 "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
339968 Aug 25 2004 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
26636 Oct 18 2007 "C:\Program Files\AWS\WeatherBug\Weather.exe"
1339392 Jun 7 2005 "C:\Program Files\AWS\WeatherBug\bak\Weather.exe"
26636 Oct 18 2007 "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
57344 Aug 23 2004 "C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe"
26636 Oct 18 2007 "C:\Program Files\Dell\Media Experience\PCMService.exe"
290816 Apr 11 2004 "C:\Program Files\Dell\Media Experience\bak\PCMService.exe"
26636 Oct 18 2007 "C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe"
135168 Mar 23 2004 "C:\Program Files\Intel\Intel Application Accelerator\bak\iaanotif.exe"
26636 Oct 18 2007 "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
221184 Sep 3 2003 "C:\Program Files\Intel\Modem Event Monitor\bak\IntelMEM.exe"
582992 Aug 3 2007 "C:\Program Files\McAfee.com\Agent\mcagent.exe"
582992 Aug 4 2007 "C:\Program Files\McAfee.com\Agent\bak\mcagent.exe"
26636 Oct 18 2007 "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mimboot.exe"
11776 Feb 20 2006 "C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mimboot.exe"
11776 Jan 19 2006 "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mimboot.exe"
26636 Oct 18 2007 "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
110592 Feb 20 2006 "C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mm_tray.exe"
110592 Jan 19 2006 "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mm_tray.exe"
26636 Oct 18 2007 "C:\Program Files\support.com\bin\tgcmd.exe"
1544192 Apr 24 2002 "C:\Program Files\support.com\bin\bak\tgcmd.exe"
26636 Oct 18 2007 "C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe"
122939 Aug 13 2004 "C:\Program Files\Sonic\DLA\install\tfswctrl.exe"
122939 Aug 13 2004 "C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe"
26636 Oct 18 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_SL.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
26636 Oct 18 2007 "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe"
110592 Jan 7 2004 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
26636 Oct 18 2007 "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
32881 Nov 19 2003 "C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe"


end of report


John and Jennie


0

Response Number 4
Name: jabuck
Date: November 14, 2007 at 19:59:37 Pacific
Reply:

Double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders

A text file opens called: files.txt
Click below the line and paste the following list of files to be restored:


"C:\Program Files\Dell Photo AIO Printer 922\bak\dlbtbmgr.exe"
"C:\Program Files\DellSupport\bak\DSAgnt.exe"
"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\WINDOWS\SYSTEM32\bak\ctfmon.exe"
"C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
"C:\Program Files\AWS\WeatherBug\bak\Weather.exe"
"C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe"
"C:\Program Files\Dell\Media Experience\bak\PCMService.exe"
"C:\Program Files\Intel\Intel Application Accelerator\bak\iaanotif.exe"
"C:\Program Files\Intel\Modem Event Monitor\bak\IntelMEM.exe"
"C:\Program Files\McAfee.com\Agent\bak\mcagent.exe"
"C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mimboot.exe"
"C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mm_tray.exe"
"C:\Program Files\support.com\bin\bak\tgcmd.exe"
"C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe"
"C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
"C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
"C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe"

Next, close and click Yes to save the changes.

Once files.txt is saved, FindAWF does the following:
-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folder

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.

Your java is out of date and can be exploited.

Download the latest version of http://java.sun.com/javase/downloads/index.jsp

Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".

Click the "Download" button to the right.

Check the box that says: "Accept License Agreement". The page will refresh.

Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.

Close any programs you may have running - especially your web browser.

Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.

Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java versions.

Reboot your computer once all Java components are removed

. Then from your desktop double-click on jre-1_6_3-windowsi586-p.exe to install the newest version.


0

Response Number 5
Name: jnjmacaulay
Date: November 14, 2007 at 21:02:05 Pacific
Reply:

Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Wed 11/14/2007
The current time is: 23:54:28.89


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\DELLPH~1\BAK

03/29/2004 07:12 PM 290,816 dlbtbmgr.exe
1 File(s) 290,816 bytes

Directory of C:\PROGRA~1\DELLSU~1\BAK

03/15/2007 10:09 AM 460,784 DSAgnt.exe
1 File(s) 460,784 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

10/18/2005 10:58 AM 278,528 iTunesHelper.exe
1 File(s) 278,528 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

10/29/2005 07:13 PM 155,648 qttask.exe
1 File(s) 155,648 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 05:00 AM 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

08/25/2004 12:52 PM 339,968 atiptaxx.exe
1 File(s) 339,968 bytes

Directory of C:\PROGRA~1\AWS\WEATHE~1\BAK

06/07/2005 12:58 PM 1,339,392 Weather.exe
1 File(s) 1,339,392 bytes

Directory of C:\PROGRA~1\CYBERL~1\POWERDVD\BAK

08/23/2004 06:19 PM 57,344 DVDLauncher.exe
1 File(s) 57,344 bytes

Directory of C:\PROGRA~1\DELL\MEDIAE~1\BAK

04/11/2004 08:15 PM 290,816 PCMService.exe
1 File(s) 290,816 bytes

Directory of C:\PROGRA~1\INTEL\INTELA~1\BAK

03/23/2004 12:16 PM 135,168 iaanotif.exe
1 File(s) 135,168 bytes

Directory of C:\PROGRA~1\INTEL\MODEME~1\BAK

09/03/2003 08:12 PM 221,184 IntelMEM.exe
1 File(s) 221,184 bytes

Directory of C:\PROGRA~1\MCAFEE.COM\AGENT\BAK

08/04/2007 01:33 AM 582,992 mcagent.exe
1 File(s) 582,992 bytes

Directory of C:\PROGRA~1\MUSICM~1\MUSICM~2\BAK

01/19/2006 10:06 AM 11,776 mimboot.exe
01/19/2006 10:06 AM 110,592 mm_tray.exe
2 File(s) 122,368 bytes

Directory of C:\PROGRA~1\SUPPORT.COM\BIN\BAK

04/24/2002 08:37 PM 1,544,192 tgcmd.exe
1 File(s) 1,544,192 bytes

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

08/13/2004 01:05 AM 122,939 tfswctrl.exe
1 File(s) 122,939 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

05/11/2007 02:06 AM 40,048 Reader_sl.exe
1 File(s) 40,048 bytes

Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

01/07/2004 01:01 AM 110,592 sgtray.exe
1 File(s) 110,592 bytes

Directory of C:\PROGRA~1\JAVA\J2RE14~1.2_0\BIN\BAK

11/19/2003 05:48 PM 32,881 jusched.exe
1 File(s) 32,881 bytes

Directory of C:\PROGRA~1\MYWEBS~1\BAR\3.BIN\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\MYWEBS~1\BAR\4.BIN\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

290816 Mar 29 2004 "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
290816 Mar 29 2004 "C:\Program Files\Dell Photo AIO Printer 922\bak\dlbtbmgr.exe"
460784 Mar 15 2007 "C:\Program Files\DellSupport\DSAgnt.exe"
460784 Mar 15 2007 "C:\Program Files\DellSupport\bak\DSAgnt.exe"
278528 Oct 18 2005 "C:\Program Files\iTunes\iTunesHelper.exe"
278528 Oct 18 2005 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
26636 Oct 18 2007 "C:\Program Files\QuickTime\qttask.exe"
155648 Oct 29 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
15360 Aug 4 2004 "C:\WINDOWS\SYSTEM32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\SYSTEM32\bak\ctfmon.exe"
339968 Aug 25 2004 "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
339968 Aug 25 2004 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
1339392 Jun 7 2005 "C:\Program Files\AWS\WeatherBug\Weather.exe"
1339392 Jun 7 2005 "C:\Program Files\AWS\WeatherBug\bak\Weather.exe"
57344 Aug 23 2004 "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
57344 Aug 23 2004 "C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe"
290816 Apr 11 2004 "C:\Program Files\Dell\Media Experience\PCMService.exe"
290816 Apr 11 2004 "C:\Program Files\Dell\Media Experience\bak\PCMService.exe"
135168 Mar 23 2004 "C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe"
135168 Mar 23 2004 "C:\Program Files\Intel\Intel Application Accelerator\bak\iaanotif.exe"
221184 Sep 3 2003 "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
221184 Sep 3 2003 "C:\Program Files\Intel\Modem Event Monitor\bak\IntelMEM.exe"
582992 Aug 4 2007 "C:\Program Files\McAfee.com\Agent\mcagent.exe"
582992 Aug 4 2007 "C:\Program Files\McAfee.com\Agent\bak\mcagent.exe"
11776 Jan 19 2006 "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mimboot.exe"
11776 Feb 20 2006 "C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mimboot.exe"
11776 Jan 19 2006 "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mimboot.exe"
110592 Jan 19 2006 "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
110592 Feb 20 2006 "C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mm_tray.exe"
110592 Jan 19 2006 "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mm_tray.exe"
1544192 Apr 24 2002 "C:\Program Files\support.com\bin\tgcmd.exe"
1544192 Apr 24 2002 "C:\Program Files\support.com\bin\bak\tgcmd.exe"
122939 Aug 13 2004 "C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe"
122939 Aug 13 2004 "C:\Program Files\Sonic\DLA\install\tfswctrl.exe"
122939 Aug 13 2004 "C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
110592 Jan 7 2004 "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe"
110592 Jan 7 2004 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
32881 Nov 19 2003 "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
32881 Nov 19 2003 "C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe"


end of report


John and Jennie


0

Related Posts

See More



Response Number 6
Name: jabuck
Date: November 15, 2007 at 03:42:32 Pacific
Reply:

Option 3:
Double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:


C:\Program Files\Dell Photo AIO Printer 922\bak
C:\Program Files\DellSupport\bak
C:\Program Files\iTunes\bak
C:\Program Files\QuickTime\bak
C:\WINDOWS\SYSTEM32\bak
C:\Program Files\ATI Technologies\ATI Control Panel\bak
C:\Program Files\AWS\WeatherBug\bak
C:\Program Files\CyberLink\PowerDVD\bak
C:\Program Files\Dell\Media Experience\bak
C:\Program Files\Intel\Intel Application Accelerator\bak
C:\Program Files\Intel\Modem Event Monitor\bak
C:\Program Files\McAfee.com\Agent\bak
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak
C:\Program Files\support.com\bin\bak
C:\WINDOWS\SYSTEM32\dla\bak
C:\Program Files\Adobe\Reader 8.0\Reader\bak
C:\Program Files\Common Files\Sonic\Update Manager\bak
C:\Program Files\Java\j2re1.4.2_03\bin\bak

Next, close and click Yes to save the changes.

Once folders.txt is saved, FindAWF does the following:
-It deletes the contents of the bak folders
-Removes the bak folders

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.


Next Option 4.


Option 4:
Double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 4 then Enter to reset domain zones

This removes all entries from the domain zones.
When the program returns to the main menu, use the following option:
Press E then Enter to EXIT

Next,

Launch Notepad, and copy/paste everything between the X's making "regedit4" the very top line.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
REGEDIT4
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX


Then, disconnect from the Internet!
Next,
Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.
Optional if the following programs are in your computer.
Note that since the Domains are deleted SpywareBlaster protection must be re-enabled. Spybot's Immunize feature must be used again, also you have to re-install IE-SpyAd if installed.
Delete the fixme.reg file just created.

Please download ComboFix to the desktop from this link:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)

Please post the log it produces.


0

Response Number 7
Name: jnjmacaulay
Date: November 15, 2007 at 07:19:18 Pacific
Reply:

Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: 2007-11-15
The current time is: 10:08:52.14


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\QUICKT~1\BAK

2005-10-29 19:13 155,648 qttask.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\MYWEBS~1\BAR\3.BIN\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\MYWEBS~1\BAR\4.BIN\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

26636 Oct 18 2007 "C:\Program Files\QuickTime\qttask.exe"
155648 Oct 29 2005 "C:\Program Files\QuickTime\bak\qttask.exe"


John and Jennie


0

Response Number 8
Name: jnjmacaulay
Date: November 15, 2007 at 07:35:58 Pacific
Reply:

ComboFix 07-11-08.1 - Jennie Macaulay 2007-11-15 10:22:33.1 - NTFSx86
Running from: C:\Documents and Settings\Jennie Macaulay\Local Settings\Temporary Internet Files\Content.IE5\RYN9UWY5\ComboFix[1].exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Starware358
C:\Documents and Settings\All Users\Application Data\Starware358\buttons\celebrity_news.bmp
C:\Documents and Settings\All Users\Application Data\Starware358\buttons\celebrity_search.bmp
C:\Documents and Settings\All Users\Application Data\Starware358\buttons\FindIt.bmp
C:\Documents and Settings\All Users\Application Data\Starware358\buttons\FindItHot.bmp
C:\Documents and Settings\All Users\Application Data\Starware358\buttons\findithotxp.png
C:\Documents and Settings\All Users\Application Data\Starware358\buttons\finditxp.png
C:\Documents and Settings\All Users\Application Data\Starware358\buttons\Highlight.bmp
C:\Documents and Settings\All Users\Application Data\Starware358\buttons\HighlightHot.bmp
C:\Documents and Settings\All Users\Application Data\Starware358\buttons\highlighthotxp.png
C:\Documents and Settings\All Users\Application Data\Starware358\buttons\highlightxp.png
C:\Documents and Settings\All Users\Application Data\Starware358\buttons\logo.bmp
C:\Documents and Settings\All Users\Application Data\Starware358\buttons\logoxp.bmp
C:\Documents and Settings\All Users\Application Data\Starware358\contexts\error.xml
C:\Documents and Settings\All Users\Application Data\Starware358\contexts\related.xml
C:\Documents and Settings\All Users\Application Data\Starware358\contexts\travel.xml
C:\Documents and Settings\Jessica Macaulay\Application Data\SpamBlocker
C:\Documents and Settings\Jessica Macaulay\Application Data\SpamBlocker\{DFF16927-88E6-4EAA-A097-460B7E65289B}.dat
C:\Documents and Settings\Jessica Macaulay\Application Data\SpamBlockerUtility
C:\Documents and Settings\Jimmy Macaulay\Application Data\SpamBlockerUtility
C:\Documents and Settings\Johnny Macaulay\Application Data\macromedia\Flash Player\#SharedObjects\S6WKSQSH\www.broadcaster.com
C:\Documents and Settings\Johnny Macaulay\Application Data\macromedia\Flash Player\#SharedObjects\S6WKSQSH\www.broadcaster.com\played_list.sol
C:\Documents and Settings\Johnny Macaulay\Application Data\macromedia\Flash Player\#SharedObjects\S6WKSQSH\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\Johnny Macaulay\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Johnny Macaulay\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\Johnny Macaulay\Application Data\SpamBlocker
C:\Documents and Settings\Johnny Macaulay\Application Data\SpamBlocker\{DFF16927-88E6-4EAA-A097-460B7E65289B}.dat
C:\Documents and Settings\Johnny Macaulay\Application Data\SpamBlockerUtility
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\ScreenSaver\Cache\[u]0[/u]540BFAD.jpg
C:\Program Files\FunWebProducts\ScreenSaver\Cache\files.ini
C:\Program Files\FunWebProducts\ScreenSaver\Images\[u]0[/u]53B8888.urr
C:\Program Files\FunWebProducts\ScreenSaver\Images\[u]0[/u]540BAFA.urr
C:\Program Files\FunWebProducts\ScreenSaver\Images\[u]0[/u]540C25C.dat
C:\Program Files\FunWebProducts\ScreenSaver\Images\[u]0[/u]5420B28.dat
C:\Program Files\FunWebProducts\ScreenSaver\Images\101x135\[u]0[/u]540C25C.jpg
C:\Program Files\FunWebProducts\ScreenSaver\Images\101x135\[u]0[/u]5420B28.jpg
C:\Program Files\FunWebProducts\ScreenSaver\Images\wrkparam.lst
C:\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\FunBuddyIconBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MailStampBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MySignatureInsertBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MySignaturePreviewBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MyStationeryBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\3.bin\F3HTMLMU.DLL
C:\Program Files\MyWebSearch\bar\3.bin\MWSBAR.DLL
C:\Program Files\MyWebSearch\bar\3.bin\MWSOEPLG.DLL
C:\Program Files\MyWebSearch\bar\3.bin\MWSOESTB.DLL
C:\Program Files\MyWebSearch\bar\4.bin\F3BKGERR.JPG
C:\Program Files\MyWebSearch\bar\4.bin\F3CJPEG.DLL
C:\Program Files\MyWebSearch\bar\4.bin\F3DTACTL.DLL
C:\Program Files\MyWebSearch\bar\4.bin\F3HISTSW.DLL
C:\Program Files\MyWebSearch\bar\4.bin\F3HTMLMU.DLL
C:\Program Files\MyWebSearch\bar\4.bin\F3HTTPCT.DLL
C:\Program Files\MyWebSearch\bar\4.bin\F3POPSWT.DLL
C:\Program Files\MyWebSearch\bar\4.bin\F3PSSAVR.SCR
C:\Program Files\MyWebSearch\bar\4.bin\F3REPROX.DLL
C:\Program Files\MyWebSearch\bar\4.bin\F3RESTUB.DLL
C:\Program Files\MyWebSearch\bar\4.bin\F3SCHMON.exe
C:\Program Files\MyWebSearch\bar\4.bin\F3SCRCTR.DLL
C:\Program Files\MyWebSearch\bar\4.bin\F3SPACER.WMV
C:\Program Files\MyWebSearch\bar\4.bin\F3WALLPP.DAT
C:\Program Files\MyWebSearch\bar\4.bin\F3WPHOOK.DLL
C:\Program Files\MyWebSearch\bar\4.bin\M3FFXTBR.JAR
C:\Program Files\MyWebSearch\bar\4.bin\M3HTML.DLL
C:\Program Files\MyWebSearch\bar\4.bin\M3IDLE.DLL
C:\Program Files\MyWebSearch\bar\4.bin\M3NTSTBR.JAR
C:\Program Files\MyWebSearch\bar\4.bin\M3OUTLCN.DLL
C:\Program Files\MyWebSearch\bar\4.bin\M3PLUGIN.DLL
C:\Program Files\MyWebSearch\bar\4.bin\M3SKIN.DLL
C:\Program Files\MyWebSearch\bar\4.bin\M3SKPLAY.exe
C:\Program Files\MyWebSearch\bar\4.bin\MWSOEPLG.DLL
C:\Program Files\MyWebSearch\bar\4.bin\MWSOESTB.DLL
C:\Program Files\MyWebSearch\bar\4.bin\NPMYWEBS.DLL
C:\Program Files\MyWebSearch\bar\Cache\[u]0[/u]0305A2C.bin
C:\Program Files\MyWebSearch\bar\Cache\[u]0[/u]0305AC8.bin
C:\Program Files\MyWebSearch\bar\Cache\[u]0[/u]0305B74.bin
C:\Program Files\MyWebSearch\bar\Cache\[u]0[/u]0305CAD.bin
C:\Program Files\MyWebSearch\bar\Cache\[u]0[/u]0305DA7.bin
C:\Program Files\MyWebSearch\bar\Cache\[u]0[/u]0B6D396.bin
C:\Program Files\MyWebSearch\bar\Cache\[u]0[/u]0B6D4A0.bin
C:\Program Files\MyWebSearch\bar\Cache\[u]0[/u]0B6D52D.bin
C:\Program Files\MyWebSearch\bar\Cache\[u]0[/u]0B6D5E8.bin
C:\Program Files\MyWebSearch\bar\Cache\[u]0[/u]0B6D6B3.bin
C:\Program Files\MyWebSearch\bar\Cache\[u]0[/u]0B6D78E.bin
C:\Program Files\MyWebSearch\bar\Cache\[u]0[/u]0B6D83A.bin
C:\Program Files\MyWebSearch\bar\Cache\[u]0[/u]0B6D8C6.bin
C:\Program Files\MyWebSearch\bar\Cache\[u]0[/u]0E937BC.bin
C:\Program Files\MyWebSearch\bar\Cache\[u]0[/u]4F7E6EF
C:\Program Files\MyWebSearch\bar\Cache\[u]0[/u]6D4A9A7.bin
C:\Program Files\MyWebSearch\bar\Cache\[u]0[/u]AED9621.bin
C:\Program Files\MyWebSearch\bar\Cache\10690ACC.bin
C:\Program Files\MyWebSearch\bar\Cache\16712C09
C:\Program Files\MyWebSearch\bar\Cache\167B2756
C:\Program Files\MyWebSearch\bar\Cache\files.ini
C:\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S
C:\Program Files\MyWebSearch\bar\Game\CHESS.F3S
C:\Program Files\MyWebSearch\bar\Game\REVERSI.F3S
C:\Program Files\MyWebSearch\bar\History\search
C:\Program Files\MyWebSearch\bar\Settings\prevcfg.htm
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\bar\Settings\settings.dat
C:\Program Files\MyWebSearch\bar\Settings\settings.dat.bak
C:\Program Files\MyWebSearch\bar\Settings\settings.htm
C:\Program Files\MyWebSearch\bar\Settings\settings.htm.bak
C:\Program Files\MyWebSearch\SrchAstt\3.bin\MWSSRCAS.DLL
C:\Program Files\Starware358
C:\Program Files\Starware358\brand.bmp
C:\Program Files\Starware358\icons\star_16.ico
C:\Program Files\Starware358\Starware358Config.xml
C:\WINDOWS\system32\f3PSSavr.scr

.
((((((((((((((((((((((((( Files Created from 2007-10-15 to 2007-11-15 )))))))))))))))))))))))))))))))
.

2007-11-15 10:05 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-14 21:14 3,894 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-11-14 21:13 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2007-11-14 21:13 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2007-11-14 21:13 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2007-11-14 21:13 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2007-11-14 21:13 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2007-11-14 21:10 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-12 10:52 <DIR> d-------- C:\Documents and Settings\Jimmy Macaulay\Application Data\RegistrySmart
2007-11-09 18:13 <DIR> d-------- C:\Documents and Settings\Johnny Macaulay\Application Data\RegistrySmart
2007-11-09 17:16 <DIR> d-------- C:\Documents and Settings\JASON\Application Data\RegistrySmart
2007-11-09 16:36 <DIR> d-------- C:\Documents and Settings\Jessica Macaulay\Application Data\RegistrySmart
2007-11-09 08:04 <DIR> d-------- C:\Documents and Settings\Jennie Macaulay\Application Data\SUPERAntiSpyware.com
2007-11-09 07:53 201,288 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfehidk.sys
2007-11-09 07:53 79,304 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfeavfk.sys
2007-11-09 07:53 40,488 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfesmfk.sys
2007-11-09 07:53 35,240 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfebopk.sys
2007-11-09 07:53 33,800 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mferkdk.sys
2007-11-09 07:33 <DIR> d-------- C:\Documents and Settings\Jennie Macaulay\Application Data\RegistrySmart
2007-11-08 21:57 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-08 21:57 <DIR> d-------- C:\Documents and Settings\John Macaulay\Application Data\SUPERAntiSpyware.com
2007-11-08 21:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-08 21:56 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-08 21:50 <DIR> d-------- C:\Program Files\RegistrySmart
2007-11-08 21:50 <DIR> d-------- C:\Documents and Settings\John Macaulay\Application Data\RegistrySmart
2007-10-28 15:00 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-10-27 09:11 <DIR> d-------- C:\Program Files\Zune
2007-10-27 09:11 <DIR> d-------- C:\Program Files\DIFX
2007-10-27 09:11 <DIR> d-------- C:\Program Files\Common Files\ComponentOne

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-15 15:31 --------- d-----w C:\Documents and Settings\Jennie Macaulay\Application Data\WeatherBug
2007-11-15 14:13 --------- d-----w C:\Program Files\iTunes
2007-11-15 14:13 --------- d-----w C:\Program Files\DellSupport
2007-11-15 14:13 --------- d-----w C:\Program Files\Dell Photo AIO Printer 922
2007-11-15 06:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-15 05:18 --------- d-----w C:\Program Files\Java
2007-11-13 11:42 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-09 15:22 --------- d-----w C:\Program Files\iWin.com
2007-11-09 14:13 --------- d-----w C:\Program Files\Common Files\McAfee
2007-11-09 12:59 --------- d-----w C:\Program Files\McAfee.com
2007-11-09 12:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-11-09 12:54 --------- d-----w C:\Program Files\McAfee
2007-11-09 12:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-10-19 15:20 --------- d-----w C:\Program Files\Coupons
2007-10-19 01:01 --------- d-----w C:\Program Files\QuickTime
2007-10-18 15:31 --------- d-----w C:\Documents and Settings\Johnny Macaulay\Application Data\WeatherBug
2007-10-18 15:27 --------- d-----w C:\Documents and Settings\John Macaulay\Application Data\WeatherBug
2007-10-08 02:12 --------- d-----w C:\Documents and Settings\Jessica Macaulay\Application Data\WeatherBug
2007-10-04 19:55 --------- d-----w C:\Documents and Settings\Jimmy Macaulay\Application Data\WeatherBug
2007-10-02 08:47 --------- d-----w C:\Program Files\MFInstall
2007-10-01 23:33 --------- d-----w C:\Documents and Settings\JASON\Application Data\Corel
2007-09-23 21:38 --------- d-----w C:\Program Files\Real
2006-06-28 17:31 9,583,368 -c--a-w C:\Documents and Settings\Jessica Macaulay\DesktopDoctor1.5.1.exe
2006-04-27 03:54 9,583,368 -c--a-w C:\Documents and Settings\Johnny Macaulay\DesktopDoctor1.5.1.exe
2006-02-10 06:00 9,516,504 -c--a-w C:\Documents and Settings\Johnny Macaulay\DesktopDoctor1.0.exe
2005-09-24 15:56 9,516,504 -c--a-w C:\Documents and Settings\Jimmy Macaulay\DesktopDoctor1.0.exe
2007-08-01 02:55:15 32,768 --sha-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012007073120070801\index.dat
2007-08-02 00:44:11 32,768 --sha-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012007080120070802\index.dat
2007-08-02 23:08:01 32,768 --sha-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012007080220070803\index.dat
2007-08-07 02:20:22 32,768 --sha-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012007080620070807\index.dat
2007-08-08 12:31:49 32,768 --sha-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012007080820070809\index.dat
2007-08-14 01:21:46 32,768 --sha-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012007081320070814\index.dat
2007-08-14 19:40:36 32,768 --sha-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012007081420070815\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{62960D20-6D0D-1AB4-4BF1-95B0B5B8783A}]
C:\WINDOWS\COUPON~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 12:16]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 12:52]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 20:12]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 20:15]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-08-23 18:19]
"MMTray"="C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe" [2006-01-19 10:06]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 01:01]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-13 01:05]
"tgcmd"="C:\Program Files\support.com\bin\tgcmd.exe" [2002-04-24 20:37]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-03-29 19:12]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-18 10:58]
"QuickTime Task"="C:\Program Files\QuickTime\bak\qttask.exe" [2005-10-29 19:13]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe" [2006-01-19 10:06]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 01:33]
"Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe" [2007-03-14 16:03]
"RegistrySmart"="C:\Program Files\RegistrySmart\RegistrySmart.exe" [2007-10-16 15:45]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="C:\PROGRA~1\AWS\WEATHE~1\Weather.exe" [2005-06-07 12:58]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""


.
Contents of the 'Scheduled Tasks' folder
"2007-11-09 09:00:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (DG3QCY51-Jennie Macaulay).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2007-11-11 01:00:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (DG3QCY51-Jimmy Macaulay).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2007-11-15 06:00:00 C:\WINDOWS\Tasks\McDefragTask.job"
"2007-11-01 05:00:00 C:\WINDOWS\Tasks\McQcTask.job"
"2007-11-15 15:31:48 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job"
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-15 10:32:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-15 10:33:50 - machine was rebooted
.
--- E O F ---


John and Jennie


0

Response Number 9
Name: jnjmacaulay
Date: November 15, 2007 at 13:35:52 Pacific
Reply:

something is working right because programs are working now that weren't before... weatherbug for one. Is there more we need to do? Thank you so much for all of your help. I really appreciate it.

John and Jennie


0

Response Number 10
Name: jabuck
Date: November 15, 2007 at 14:22:27 Pacific
Reply:

Weatherbug is a baddie.

Go to start> control panel> add/remove programs and uninstall these programs if found:

Weatherbug

MyWebSearch

Dell MyWay Search Assistant

Next run Hijack This, close all windows and browsers except Hijack This, place a check to the left of the following itwms and press "fix checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: TTB000000 - {62960D20-6D0D-1AB4-4BF1-95B0B5B8783A} - C:\WINDOWS\COUPON~1.DLL (file missing)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1

O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe

8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusear...

O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/min...

O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://coolsavings.coupons.smartsou...

Exit Hijack This.

Double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders

A text file opens called: files.txt
Click below the line and paste the following list of files to be restored:


"C:\Program Files\QuickTime\bak\qttask.exe"

Next, close and click Yes to save the changes.

Once files.txt is saved, FindAWF does the following:
-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folder

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.

Option 3:
Double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:


C:\Program Files\QuickTime\bak

Next, close and click Yes to save the changes.

Once folders.txt is saved, FindAWF does the following:
-It deletes the contents of the bak folders
-Removes the bak folders

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.


Next Option 4.


Option 4:
Double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 4 then Enter to reset domain zones

This removes all entries from the domain zones.
When the program returns to the main menu, use the following option:
Press E then Enter to EXIT

Next,

Launch Notepad, and copy/paste everything between the X's making "regedit4" the very top line.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
REGEDIT4
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX


Then, disconnect from the Internet!
Next,
Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.
Optional if the following programs are in your computer.
Note that since the Domains are deleted SpywareBlaster protection must be re-enabled. Spybot's Immunize feature must be used again, also you have to re-install IE-SpyAd if installed.
Delete the fixme.reg file just created.

Post a new Hijack This log and a new Combofix log please.




0

Response Number 11
Name: jnjmacaulay
Date: November 15, 2007 at 18:05:33 Pacific
Reply:

I have weatherbug companion powered by mysearch and it will not let me remove it. It says rundll is missing.

John and Jennie


0

Response Number 12
Name: jabuck
Date: November 15, 2007 at 18:19:28 Pacific
Reply:

This will help find the program needing to be uninstalled.

Run Hijack This> click "open the misc. tool section"> click "open uninstall manager"> click "save list"> click "save"> click "yes"> post that log please.


0

Response Number 13
Name: jnjmacaulay
Date: November 15, 2007 at 18:26:54 Pacific
Reply:

18 Wheels of Steel Pedal to the Metal
ABBYY FineReader 5.0 Sprint Plus
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Flash Player ActiveX
Adobe Reader 8.1.1
Adobe Shockwave Player
Aquatica Waterworlds
ArcSoft Software Suite
ATI Control Panel
ATI Display Driver
AutoCAD 2005 - English
Autodesk DWF Viewer
Backyard Football 2002
Banctec Service Agreement
Before You Know It
Before You Know It 3.5 Lite
Big Fish Games Client
Broadcom Advanced Control Suite 2
Bubble Golden Pack v2.0
Compton's Interactive Encyclopedia 2000
Construction City
Coupon Printer for Windows
CouponBar
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Media Experience
Dell Photo AIO Printer 922
DellSupport
ebgcInfra
ebgcRes
ebgcSDK
FreeSpell+ProSpell (remove only)
G4a922EN
Google Earth
Harry Potter Print Studio
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB906569)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
ICQ 5
ieSpell 2.1.1 (build 325)
Intel Application Accelerator
Intel(R) 537EP V9x DF PCI Modem
Internet Explorer Default Page
iTunes
iWin Games (remove only)
Jane's Combat Simulations F/A-18
Jasc Paint Shop Photo Album
Java(TM) 6 Update 3
Learn2 Player (Uninstall Only)
Livery Installer 101
Lyra Jukebox Applications
Mah Jong Quest (remove only)
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Flight Simulator 2004 A Century of Flight
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Office 97, Professional Edition
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft User-Mode Driver Framework Feature Pack 1.0
Modem Event Monitor
Modem Helper
Modem On Hold
MSN
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
Musicmatch for Windows Media Player
Musicmatch® Jukebox
My DSC
NetZeroInstallers
OTOY
PowerDVD 5.3
QuickTime
RealArcade
RealPlayer
RegistrySmart
Rhapsody Player Engine
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB943460)
SEE Cram Demo
SolidWorks 2001Plus
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
SUPERAntiSpyware Free Edition
TaxACT 2005 Preparer's - 1040 Edition
TaxACT 2006
TaxACT 2006 Preparer's - 1040 Edition
TaxACT Arizona 2006
TaxACT Indiana 2006
TaxACT Maryland 2006
TaxACT Montana 2006
TaxACT Oklahoma 2006
TaxACT Pennsylvania 2005
TaxACT Pennsylvania 2006
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
URGE
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Viewpoint Toolbar
VistaPrint Electronic Business Card
Wal-Mart Digital Photo Manager
WeatherBug Companion - powered by MySearch
Who Wants To Be A Millionaire
WildTangent Web Driver
Windows Driver Package - Microsoft WPD (12/01/2006 1.2.0.0)
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
WordPerfect Office 12
Yahoo! Install Manager
Yahoo! Messenger
Yahoo! Photos Easy Upload Tool 1v7
Zune

John and Jennie


0

Response Number 14
Name: jnjmacaulay
Date: November 15, 2007 at 18:52:40 Pacific
Reply:

Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Thu 11/15/2007
The current time is: 21:20:05.17


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\QUICKT~1\BAK

10/29/2005 07:13 PM 155,648 qttask.exe
1 File(s) 155,648 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

155648 Oct 29 2005 "C:\Program Files\QuickTime\qttask.exe"
155648 Oct 29 2005 "C:\Program Files\QuickTime\bak\qttask.exe"


end of report



Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Thu 11/15/2007
The current time is: 21:33:50.70


bak folders found
~~~~~~~~~~~

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

end of report

ComboFix 07-11-08.1 - Jennie Macaulay 2007-11-15 21:43:07.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.246 [GMT -5:00]
Running from: C:\Documents and Settings\Jennie Macaulay\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-10-16 to 2007-11-16 )))))))))))))))))))))))))))))))
.

2007-11-15 10:05 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-14 21:14 3,894 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-11-14 21:13 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2007-11-14 21:13 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2007-11-14 21:13 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2007-11-14 21:13 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2007-11-14 21:13 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2007-11-14 21:10 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-12 10:52 <DIR> d-------- C:\Documents and Settings\Jimmy Macaulay\Application Data\RegistrySmart
2007-11-09 18:13 <DIR> d-------- C:\Documents and Settings\Johnny Macaulay\Application Data\RegistrySmart
2007-11-09 17:16 <DIR> d-------- C:\Documents and Settings\JASON\Application Data\RegistrySmart
2007-11-09 16:36 <DIR> d-------- C:\Documents and Settings\Jessica Macaulay\Application Data\RegistrySmart
2007-11-09 08:04 <DIR> d-------- C:\Documents and Settings\Jennie Macaulay\Application Data\SUPERAntiSpyware.com
2007-11-09 07:53 201,288 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfehidk.sys
2007-11-09 07:53 79,304 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfeavfk.sys
2007-11-09 07:53 40,488 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfesmfk.sys
2007-11-09 07:53 35,240 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfebopk.sys
2007-11-09 07:53 33,800 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mferkdk.sys
2007-11-09 07:33 <DIR> d-------- C:\Documents and Settings\Jennie Macaulay\Application Data\RegistrySmart
2007-11-08 21:57 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-08 21:57 <DIR> d-------- C:\Documents and Settings\John Macaulay\Application Data\SUPERAntiSpyware.com
2007-11-08 21:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-08 21:56 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-08 21:50 <DIR> d-------- C:\Program Files\RegistrySmart
2007-11-08 21:50 <DIR> d-------- C:\Documents and Settings\John Macaulay\Application Data\RegistrySmart
2007-10-28 15:00 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-10-27 09:11 <DIR> d-------- C:\Program Files\Zune
2007-10-27 09:11 <DIR> d-------- C:\Program Files\DIFX
2007-10-27 09:11 <DIR> d-------- C:\Program Files\Common Files\ComponentOne

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-16 02:33 --------- d-----w C:\Program Files\QuickTime
2007-11-16 01:34 --------- d-----w C:\Documents and Settings\Jessica Macaulay\Application Data\WeatherBug
2007-11-15 21:41 --------- d-----w C:\Documents and Settings\Johnny Macaulay\Application Data\WeatherBug
2007-11-15 19:31 --------- d-----w C:\Documents and Settings\Jimmy Macaulay\Application Data\WeatherBug
2007-11-15 14:13 --------- d-----w C:\Program Files\iTunes
2007-11-15 14:13 --------- d-----w C:\Program Files\DellSupport
2007-11-15 14:13 --------- d-----w C:\Program Files\Dell Photo AIO Printer 922
2007-11-15 06:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-15 05:18 --------- d-----w C:\Program Files\Java
2007-11-13 11:42 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-09 15:22 --------- d-----w C:\Program Files\iWin.com
2007-11-09 14:13 --------- d-----w C:\Program Files\Common Files\McAfee
2007-11-09 12:59 --------- d-----w C:\Program Files\McAfee.com
2007-11-09 12:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-11-09 12:54 --------- d-----w C:\Program Files\McAfee
2007-11-09 12:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
2007-10-19 15:20 --------- d-----w C:\Program Files\Coupons
2007-10-18 15:27 --------- d-----w C:\Documents and Settings\John Macaulay\Application Data\WeatherBug
2007-10-02 08:47 --------- d-----w C:\Program Files\MFInstall
2007-10-01 23:33 --------- d-----w C:\Documents and Settings\JASON\Application Data\Corel
2007-09-23 21:38 --------- d-----w C:\Program Files\Real
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\SYSTEM32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\inetcomm.dll
2007-08-20 10:04 824,832 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2007-08-20 10:04 671,232 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
2007-08-20 10:04 63,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2007-08-20 10:04 6,058,496 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2007-08-20 10:04 52,224 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2007-08-20 10:04 477,696 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
2007-08-20 10:04 459,264 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2007-08-20 10:04 44,544 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iernonce.dll
2007-08-20 10:04 384,512 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedkcs32.dll
2007-08-20 10:04 383,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2007-08-20 10:04 3,584,512 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-08-20 10:04 27,648 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
2007-08-20 10:04 267,776 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2007-08-20 10:04 232,960 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\webcheck.dll
2007-08-20 10:04 230,400 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ieaksie.dll
2007-08-20 10:04 214,528 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
2007-08-20 10:04 193,024 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
2007-08-20 10:04 153,088 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakeng.dll
2007-08-20 10:04 132,608 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
2007-08-20 10:04 124,928 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\advpack.dll
2007-08-20 10:04 105,984 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\url.dll
2007-08-20 10:04 102,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\occache.dll
2007-08-20 10:04 1,152,000 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2007-08-17 10:21 625,152 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2007-08-17 10:20 63,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2007-08-17 10:20 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-08-17 07:34 161,792 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2006-06-28 17:31 9,583,368 -c--a-w C:\Documents and Settings\Jessica Macaulay\DesktopDoctor1.5.1.exe
2006-04-27 03:54 9,583,368 -c--a-w C:\Documents and Settings\Johnny Macaulay\DesktopDoctor1.5.1.exe
2006-02-10 06:00 9,516,504 -c--a-w C:\Documents and Settings\Johnny Macaulay\DesktopDoctor1.0.exe
2005-09-24 15:56 9,516,504 -c--a-w C:\Documents and Settings\Jimmy Macaulay\DesktopDoctor1.0.exe
2007-08-01 02:55:15 32,768 --sha-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012007073120070801\index.dat
2007-08-02 00:44:11 32,768 --sha-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012007080120070802\index.dat
2007-08-02 23:08:01 32,768 --sha-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012007080220070803\index.dat
2007-08-07 02:20:22 32,768 --sha-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012007080620070807\index.dat
2007-08-08 12:31:49 32,768 --sha-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012007080820070809\index.dat
2007-08-14 01:21:46 32,768 --sha-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012007081320070814\index.dat
2007-08-14 19:40:36 32,768 --sha-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012007081420070815\index.dat
.

((((((((((((((((((((((((((((( snapshot@2007-11-15_10.33.14.15 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-15 13:14:36 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
+ 2007-11-15 23:43:10 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
- 2007-11-15 13:14:36 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-11-15 23:43:10 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-11-15 13:14:36 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-11-15 23:43:10 32,768 --sha-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 12:16]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 12:52]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 20:12]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 20:15]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-08-23 18:19]
"MMTray"="C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe" [2006-01-19 10:06]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 01:01]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-13 01:05]
"tgcmd"="C:\Program Files\support.com\bin\tgcmd.exe" [2002-04-24 20:37]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-03-29 19:12]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-18 10:58]
"QuickTime Task"="C:\Program Files\QuickTime\bak\qttask.exe" []
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe" [2006-01-19 10:06]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 01:33]
"Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe" [2007-03-14 16:03]
"RegistrySmart"="C:\Program Files\RegistrySmart\RegistrySmart.exe" [2007-10-16 15:45]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""


.
Contents of the 'Scheduled Tasks' folder
"2007-11-09 09:00:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (DG3QCY51-Jennie Macaulay).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2007-11-11 01:00:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (DG3QCY51-Jimmy Macaulay).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2007-11-15 06:00:00 C:\WINDOWS\Tasks\McDefragTask.job"
"2007-11-01 05:00:00 C:\WINDOWS\Tasks\McQcTask.job"
"2007-11-16 01:58:29 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job"
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-15 21:46:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-15 21:49:21
C:\ComboFix2.txt ... 2007-11-15 10:33
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:51:29 PM, on 11/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\dlbtcoms.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\ctfmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft Office\Office\OSA.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [RegistrySmart] C:\Program Files\RegistrySmart\RegistrySmart.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/open... (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball...
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/as...
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/as...
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofi...
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v4/vet_install_premium.pl?1&4&04.00.09.13&premium&unknown&http://www.toyota.com/vehicles/2007/sequoia/key_features/int360.html?noreloadredir
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v1...
O16 - DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} (Snapfish Outlook Import ActiveX Control) - http://www2.snapfish.com/SnapfishOu...
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovi...
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://software-dl.real.com/23b881d...
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/c...
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v1...
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishAc...
O16 - DPF: {4E7BD74F-2B8D-469E-DEFA-EB76B1D5FA7D} - http://lovefreegames.aavalue.com/LF...
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/s...
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v1...
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/dow...
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagame...
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1....
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewo...
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/s...
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v1...
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://playgames.comcast.net/online...
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://livewc02.custhelp.com/7560-b440h-turbotax__promote/rnl/java/RntX.cab
O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} (Playtime Games Launcher) - http://playgames.comcast.net/online...
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 14370 bytes


John and Jennie


0

Response Number 15
Name: jabuck
Date: November 15, 2007 at 18:53:32 Pacific
Reply:

Go to add/remove programs and uninstall "coupons".

Open Notepad and copy/paste everything between the X"s into it and make sure "File::" is at the very top of the page.

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Folder::
C:\Documents and Settings\Jennie Macaulay\Application Data\WeatherBug
C:\Program Files\Coupons
C:\Documents and Settings\Johnny Macaulay\Application Data\WeatherBug
C:\Documents and Settings\John Macaulay\Application Data\WeatherBug
C:\Documents and Settings\Jessica Macaulay\Application Data\WeatherBug
C:\Program Files\AWS

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Go to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop) if combofix does not auto start click "run".

Go to add/remove progarms and try to uninstall "WeatherBug Companion - powered by MySearch".


0

Response Number 16
Name: jnjmacaulay
Date: November 15, 2007 at 19:21:53 Pacific
Reply:

OK... I did all that and still not able to remove weatherbug companion. The exact error is: Error Loading C:\PROGRA~1\MySearch\bar\1.bin\s4bar.dll The specified module could not be found.
Also, Coupon bar is still there in add/remove programs. There is no size information or support information. When I click on change/remove it just goes nowhere.. nothing happens.
Thanks

John and Jennie


0

Response Number 17
Name: jabuck
Date: November 15, 2007 at 19:45:05 Pacific
Reply:

Navigate to and delete these files if found :

C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL

c:\WINDOWS\s4Setp.exe

Then navigate to and delete this folder if found:

C:\Program Files\MySearch


0

Response Number 18
Name: jnjmacaulay
Date: November 15, 2007 at 19:58:48 Pacific
Reply:

found C:\Program Files\MySearch and deleted it


John and Jennie


0

Response Number 19
Name: jabuck
Date: November 15, 2007 at 20:05:07 Pacific
Reply:

Did that help.


0

Response Number 20
Name: jnjmacaulay
Date: November 15, 2007 at 20:07:31 Pacific
Reply:

same as response number 16

John and Jennie


0

Response Number 21
Name: jabuck
Date: November 15, 2007 at 20:35:09 Pacific
Reply:

If you feel comfortable editing the registry manually do the following:

Go to start> run type in regedit> ok.

Click the + sign to the left of the following keys:


HKEY_LOCAL_MACHINE
Software
Microsoft
Windows
Current Version
Uninstall

Then scroll down to "Coupons" and "WeatherBug Companion - powered by MySearch". Right click on the folder beside them and click "delete".

Then scroll back up and click the minus signs beside the keys you opened and when you get back to the begining exit the registry.

If you don't feel comfortable doing this we will try to create a .reg file that will do it tomorrow.



0

Response Number 22
Name: jnjmacaulay
Date: November 15, 2007 at 21:05:11 Pacific
Reply:

YEAH!! They are gone! That worked great. Now is that all we have to do?

Thanks so much!

John and Jennie


0

Response Number 23
Name: jabuck
Date: November 16, 2007 at 03:36:13 Pacific
Reply:

Yes, your logs are clean.

Glad we could help.


0

Sponsored Link
Ads by Google
Reply to Message Icon



Post Locked

This post is quite old and has been locked from receiving new replies. Please create a new posting instead.


Go to Security and Virus Forum Home


Sponsored links
Ads by Google


Results for: whataboutadog and backdoor trojan
Backdoor Trojan Nightmare www.computing.net/answers/security/backdoor-trojan-nightmare/5382.html

backdoor trojan virus..help needed www.computing.net/answers/security/backdoor-trojan-virushelp-needed/4851.html

Backdoor.Trojan? Help! www.computing.net/answers/security/backdoortrojan-help-/12940.html