Computer Hope

Software => Computer viruses and spyware => Topic started by: okbreeze on June 09, 2008, 01:37:44 AM

Title: problem after running first spybot S & D
Post by: okbreeze on June 09, 2008, 01:37:44 AM

 :-[ Downloaded spybot, ran first time. Long list of infections dealt with, but I was asked if I wanted to allow or deny name changes on two items. I read all user stuff  before using, but saw nothing about that. I guessed wrong. My desktop disappeared! I'm not sure if my BitDefender is running. I can't tell which, out of the list of things I deleted, is connected with my desk top. I'm afraid to shut down, but don't like being open like this, all night.

Title: Re: problem after running first spybot S & D
Post by: evilfantasy on June 09, 2008, 01:52:18 AM

Is Spybot open? Click Recovery and restore everything.

Then post a Hijackthis log so we can have a look.

Title: Re: problem after running first spybot S & D
Post by: okbreeze on June 09, 2008, 02:18:26 AM

Spybot is open. Don't have hijack this. Open another page and download it? Major Geeks.com suggests hijack this is for advanced users?

Title: Re: problem after running first spybot S & D
Post by: evilfantasy on June 09, 2008, 02:24:11 AM

Quote from: okbreeze on June 09, 2008, 02:18:26 AM

Major Geeks.com suggests hijack this is for advanced users?

We're here to help ;)

Download and rename  TrendMicro HijackThis.exe (http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe) (HJT)

• Double-click on HJTInstall.
• Click on the Install button.
  
• It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe.
  
• Upon install, HijackThis should open for you.

• Close HijackThis and rename it.
  
• Go to C:\Program Files\Trend Micro\HijackThis.exe
  
• Right click on HijackThis.exe and select Rename.
  
• Type in sniper.exe and press Enter.
  
• Right-click on sniper.exe and select Send To > Desktop (create shortcut)

• From the desktop open Hijackthis.
• If using Windows Vista, Right-click and Run As Administrator.
  
• Click on the Do a system scan and save a log file button
  
• Hijackthis will scan and then a log will open in notepad.
• Copy and then paste the entire contents of the log in your post.
  
• Do not have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

Although we have renamed Hijackthis to sniper, we will still refer to it as Hijackthis or HJT.

Title: Re: problem after running first spybot S & D....no desktop
Post by: okbreeze on June 09, 2008, 10:33:53 AM

  ??? :-[ How do I change the name if I can't get into anything on my pc? If I just shut down, then turn on again later, will the desktop restore? I did restore all removed with spybot
Thanks for all the patience here.

Title: Re: problem after running first spybot S & D
Post by: evilfantasy on June 09, 2008, 04:25:23 PM

Use ctrl-shift-esc to bring up task manager, from there you can File -> New Task (run) type in explorer.exe to see if you can get the desktop back.

Title: Re: problem after running first spybot S & D
Post by: okbreeze on June 09, 2008, 06:15:44 PM

Hi, evilfantasy!
It wouldn't come up, before, but I got it again, so going to try it. Thanks!

Title: Re: problem after running first spybot S & D
Post by: evilfantasy on June 09, 2008, 06:18:04 PM

OK. If we can get a HijackThis log we will know where to go from there.

Title: Re: problem after running first spybot S & D
Post by: okbreeze on June 09, 2008, 06:26:09 PM

 ;D Yay! Got desktop back!
spybot just popped up with "System Startup global entry Value deleted" entry: "SpybotSnD", old data: "C:\Program Files\Spybot-Search...."  Before I could finish keying that in, got a pop up saying "user denied". Is that good?
Go ahead and proceed with HijackThis download, or run spybot again, change name, etc, as per previous instructions?

Title: Re: problem after running first spybot S & D
Post by: evilfantasy on June 09, 2008, 06:43:43 PM

Yes I think the Hijackthis instructions would be best.

Title: Re: problem after running first spybot S & D
Post by: okbreeze on June 09, 2008, 09:41:40 PM

I got a window that says "renaming, moving, or deleting 'Hijack This' could make some programs not work. Are sure you want to do this?" Yes?

Title: Re: problem after running first spybot S & D
Post by: evilfantasy on June 09, 2008, 09:54:55 PM

Lets run this instead.

Download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) to your Desktop.
Note: You must be logged onto an account with administrator privileges.
Vista users Right click DSS and Run as Administrator.

• Close all applications and windows.
  
• Double-click on dss.exe to run it, and follow the prompts.
  
• When the scan is complete, two text files will open.
• main.txt <- this one will be maximized
  
• extra.txt <- this one will be minimized
• Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your reply.

Title: Re: problem after running first spybot S & D
Post by: okbreeze on June 09, 2008, 10:28:41 PM

Thank you.
It says only save to disc, with option to save file or cancel.
Ok, on desk. Proceeding

Title: Re: problem after running first spybot S & D
Post by: evilfantasy on June 09, 2008, 10:32:19 PM

When DSS finishes it should pop up two logs. If it instead gives you options save them, choose to save them to the Desktop and then copy/paste them back here.

Title: Re: problem after running first spybot S & D
Post by: okbreeze on June 09, 2008, 11:01:40 PM

Deckard's System Scanner v20071014.68
Run by txboots on 2008-06-09 23:31:08
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
11: 2008-06-10 04:31:45 UTC - RP397 - Deckard's System Scanner Restore Point
10: 2008-06-09 00:11:49 UTC - RP396 - System Checkpoint
9: 2008-06-07 23:21:12 UTC - RP395 - 6-07-08 first multi cleanout
8: 2008-06-07 20:55:50 UTC - RP394 - System Checkpoint
7: 2008-06-05 20:21:22 UTC - RP393 - System Checkpoint


-- First Restore Point --
1: 2008-05-31 00:59:44 UTC - RP387 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 319 MiB (512 MiB recommended).


-- HijackThis (run as txboots.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:38:18 PM, on 6/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\txboots\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\txboots.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/verify?.done=http%3a//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c00&s=searchbar&LC=0409
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://if.searchcentrix.com/sidecat.jsp?p=98567&appid=21&id=191313216167143173
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O2 - BHO: biObj Class - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: ZIBho Class - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: GSIM - {4E7BD74F-2B8D-469E-DFF7-EC6BF4D5FA7D} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Suggest - {5A263CF7-56A6-4D68-A8CF-345BE45BC911} - C:\Program Files\Yahoo!\SearchSuggest\YSearchSuggest.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=2c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=2c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O9 - Extra 'Tools' menuitem: AV Home - {06FE5D04-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=2c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 7792 bytes

-- File Associations -----------------------------------------------------------

.bat - batfile - DefaultIcon - C:\WINDOWS\SYSTEM32\SHELL32.DLL,-153
.com - comfile - DefaultIcon - C:\WINDOWS\SYSTEM32\SHELL32.DLL,2
.hlp - hlpfile - DefaultIcon - C:\WINDOWS\SYSTEM32\SHELL32.DLL,23
.ini - inifile - DefaultIcon - shell32.dll,-151
.js - JSFile - DefaultIcon - C:\WINDOWS\System32\migicons.exe,11
.reg - regfile - DefaultIcon - C:\WINDOWS\regedit.exe,1
.reg - regfile - shell\open\command - unable to read value
.txt - txtfile - DefaultIcon - shell32.dll,-152
.vbs - VBSFile - DefaultIcon - C:\WINDOWS\System32\migicons.exe,10


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 BDSelfPr - c:\program files\bitdefender\bitdefender 2008\bdselfpr.sys <Not Verified; BitDefender S.R.L.; BitDefender>

S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
Description: PS/2 Compatible Mouse
Device ID: ACPI\PNP0F13\4&264480D3&0
Manufacturer: Microsoft
Name: PS/2 Compatible Mouse
PNP Device ID: ACPI\PNP0F13\4&264480D3&0
Service: i8042prt

Class GUID: {4D36E96B-E325-11CE-BFC1-08002BE10318}
Description: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
Device ID: ACPI\PNP0303\4&264480D3&0
Manufacturer: (Standard keyboards)
Name: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
PNP Device ID: ACPI\PNP0303\4&264480D3&0
Service: i8042prt


-- Files created between 2008-05-09 and 2008-06-09 -----------------------------

2008-06-09 15:25:17         0 d-------- C:\Program Files\MyWebSearch
2008-06-09 04:06:13         0 d-------- C:\Program Files\Trend Micro
2008-05-31 20:34:19   1753088 --a------ C:\WINDOWS\system32\ExGrid.dll <Not Verified; Exontrol Inc.; ExGrid Module>
2008-05-31 20:34:10    614400 --a------ C:\WINDOWS\system32\ExButton.dll <Not Verified; Exontrol Inc.; ExButton Module>
2008-05-31 20:34:09    602112 --a------ C:\WINDOWS\system32\ExMenu.dll <Not Verified; Exontrol Inc.; ExMenu Control>
2008-05-31 20:34:08    516096 --a------ C:\WINDOWS\system32\ExTab.dll <Not Verified; Exontrol Inc.; ExTab Module>
2008-05-31 20:34:08    307200 --a------ C:\WINDOWS\system32\ExPMenu.dll <Not Verified; Exontrol Inc.; ExPopupMenu Control>
2008-05-31 20:33:58    356352 --a------ C:\WINDOWS\system32\eSellerateEngine.dll <Not Verified; eSellerate Inc.; eSellerateEngine>
2008-05-31 20:33:57    118784 --a------ C:\WINDOWS\system32\eWebControl.dll <Not Verified; eSellerate Inc.; >
2008-05-31 20:33:57         0 d-------- C:\Program Files\Common Files\eSellerate
2008-05-31 20:33:56    368912 --a------ C:\WINDOWS\system32\vbar332.dll <Not Verified; Microsoft Corporation; Microsoft Visual Basic for Applications>
2008-05-31 20:33:49         0 d-------- C:\Program Files\AnswersThatWork
2008-05-31 15:18:22       335 --a------ C:\WINDOWS\mozregistry.dat
2008-05-30 19:54:38         0 dr-h----- C:\Documents and Settings\txboots\Recent
2008-05-29 18:06:51         0 d-------- C:\Program Files\Foxit Software
2008-05-28 18:17:21         0 d-------- C:\Program Files\WhatsRunning
2008-05-23 11:11:46         0 d-------- C:\Documents and Settings\txboots\dwhelper
2008-05-23 10:27:10      1160 --a------ C:\WINDOWS\mozver.dat
2008-05-22 22:08:37         0 d-------- C:\Documents and Settings\txboots\Application Data\Mozilla


-- Find3M Report ---------------------------------------------------------------

2008-05-08 20:04:12         0 d-------- C:\Documents and Settings\txboots\Application Data\W Photo Studio
2008-05-08 20:03:32         0 d-------- C:\Documents and Settings\txboots\Application Data\Walgreens
2008-05-08 20:03:22         0 d-------- C:\Program Files\Common Files\HP
2008-05-08 20:03:10         0 d-------- C:\Program Files\Walgreens
2008-05-08 19:55:06         0 d-------- C:\Documents and Settings\txboots\Application Data\W Photo Studio Viewer
2008-05-07 11:43:40         0 d-------- C:\Documents and Settings\txboots\Application Data\Uniblue
2008-04-22 11:29:30         0 d-------- C:\Documents and Settings\txboots\Application Data\BitDefender
2008-04-22 11:28:02         0 d-------- C:\Program Files\BitDefender
2008-04-22 11:26:16         0 d-------- C:\Program Files\Common Files\BitDefender
2008-04-21 20:26:56         0 d-------- C:\Program Files\Screen-Savers.com
2008-04-21 20:26:56         0 d-------- C:\Program Files\Java
2008-04-21 20:26:56         0 d-------- C:\Program Files\Java Web Start
2008-04-01 11:24:06     29948 --a------ C:\my pictures


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{000006B1-19B5-414A-849F-2A3C64AE6939}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E7BD74F-2B8D-469E-DFF7-EC6BF4D5FA7D}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe" [08/23/2001 12:00 PM C:\WINDOWS\SYSTEM32\systray.exe]
"BitDefender Antiphishing Helper"="C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe" [10/09/2007 03:46 PM]
"BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [06/09/2008 10:13 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"SpybotSnD"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EXSHOW95.EXE]
EXSHOW95.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebSavingsfromEbates]
wjview /cp:p "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe"
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ScanRegistry"=c:\windows\scanregw.exe /autorun
"CPQEASYACC"=C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
"EACLEAN"=C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
"Service Connection"=c:\cpqs\bwtools\sccenter.exe
"CountrySelection"=pctptt.exe
"CPQInet"=c:\compaq\CPQInet\CpqInet.exe
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"Digital Dashboard"=C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
"LoadQM"=loadqm.exe
"QuickTime Task"=C:\WINDOWS\SYSTEM32\qttask.exe
"ausvc"=C:\WINDOWS\ausvc.exe
"SysScan"=C:\WINDOWS\bvt.exe
"ABsr"=C:\WINDOWS\absr.exe
"MovieNetworks"="C:\Program Files\MovieNetworks\MovieNetworks.exe" /H
"WebInstall2"=C:\WINDOWS\TEMP\INS93B4.TMP /R /A
"Hotbar"=C:\PROGRAM FILES\HOTBAR\BIN\4.2.8.0\HBINST.EXE /Upgrade
"DXM6Patch_981116"=C:\WINDOWS\p_981116.exe /Q:A
"LVComs"=C:\WINDOWS\SYSTEM32\LVComS.exe
"KAZAA"=C:\PROGRAM FILES\KAZAA\KAZAA.EXE /SYSTRAY
"Mouse Suite 98 Daemon"=PELMICED.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"PTSNOOP"=ptsnoop.exe
"LexStart"=Lexstart.exe
"LexmarkPrinTray"=PrinTray.exe
"CountrySelection"=pctptt.exe
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"SchedulingAgent"=mstask.exe
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"Hidserv"=Hidserv.exe run

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx   scan


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>IEPerUser]
RUNDLL32.EXE IEDKCS32.DLL,BrandIE4 SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\Program Files\Outlook Express\setup50.exe" /APP:OE /CALLER:IE50 /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA851-CC51-11CF-AAFA-00AA00B6015C}]
rundll32.exeadvpack.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\Program Files\Outlook Express\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
"C:\Program Files\Outlook Express\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl



-- Hosts -----------------------------------------------------------------------

216.177.73.139 auto.search.msn.com
216.177.73.139 search.netscape.com
127.0.0.1   www.007guard.com
127.0.0.1   007guard.com
127.0.0.1   008i.com
127.0.0.1   www.008k.com
127.0.0.1   008k.com
127.0.0.1   www.00hq.com
127.0.0.1   00hq.com
127.0.0.1   010402.com

8701 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-06-09 23:44:39 ------------

exceeded allowable max length, so the extra.txt-Notepad on next reply?

Title: Re: problem after running first spybot S & D
Post by: okbreeze on June 09, 2008, 11:02:21 PM

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel Celeron processor
Percentage of Memory in Use: 60%
Physical Memory (total/avail): 318.55 MiB / 124.5 MiB
Pagefile Memory (total/avail): 771.58 MiB / 427.82 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1948.85 MiB

C: is Fixed (FAT32) - 11.24 GiB total, 4.82 GiB free.
D: is Fixed (FAT32) - 2.73 GiB total, 1.24 GiB free.

\\.\PHYSICALDRIVE0 - WDC WD150AA-60BAA0 - 13.99 GiB - 2 partitions
  \PARTITION0 (bootable) - Unknown - 11.25 GiB - C:
  \PARTITION1 - Extended w/Extended Int 13 - 2.73 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

AntiVirusDisableNotify is set.

FW: Bitdefender Firewall v8.0 (BitDefender)
AV: Bitdefender Antivirus v8.0 (BitDefender)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Disabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Messenger\\MSMSGS.EXE"="C:\\Program Files\\Messenger\\MSMSGS.EXE:*:Disabled:Windows Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Disabled:Yahoo! Messenger"
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"="C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe:*:Disabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Disabled:Windows Live Messenger"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\txboots\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=COMPUTER
ComSpec=C:\WINDOWS\system32\cmd.exe
ESAUDIO=A220 D1 I5  T4
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\txboots
LOGONSERVER=\\COMPUTER
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0803
ProgramFiles=C:\Program Files
PROMPT=$p$g
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\txboots\LOCALS~1\Temp
TMP=C:\DOCUME~1\txboots\LOCALS~1\Temp
USERDOMAIN=COMPUTER
USERNAME=txboots
USERPROFILE=C:\Documents and Settings\txboots
winbootdir=C:\WINDOWS
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

txboots (admin)


-- Add/Remove Programs ---------------------------------------------------------

 --> "C:\Program Files\Outlook Express\setup50.exe" /APP:WAB /CALLER:IE50 /UNINSTALL /PROMPT
 --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
BitDefender Total Security 2008 --> MsiExec.exe /I{92098E58-00AD-4F78-AD6E-807BDB323478}
Compaq Digital Dashboard LED --> C:\Program Files\Compaq\Digital Dashboard\uninstall.exe
Compaq Hardware Discovery --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Compaq\Compaq Hardware Discovery\Uninst.isu"
Compaq IE5 Custom US v2.6 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Compaq\Compaq IE5 Custom US\Uninst.isu" -c"C:\Compaq\IE5\IE5_Uninstall.DLL"
Compaq IJ300 Electronic Registration --> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\Compaq\Ereg\Uninst.isu
Compaq OOBE Online --> C:\WINDOWS\uninst.exe -fC:\compaq\oobe\DeIsL1.isu
Compaq WebISP --> C:\WINDOWS\uninst.exe -fC:\Compaq\webisp\DeIsL1.isu
Compaq WebReg v2.6 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Compaq\Compaq WebReg v2.6\Uninst.isu"
Compaq Wizard Host Online v2.6 --> C:\WINDOWS\uninst.exe -fc:\compaq\lutil\DeIsL1.isu -c"c:\compaq\lutil\ISUninst.dll
Corel Applications --> C:\WINDOWS\Corel\Uninst32.exe
Easy Access Button Support --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\ENGINE\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{93539D60-1817-11D1-9504-00805F26A89C}\setup.exe" -uninst
Foxit Reader --> C:\Program Files\Foxit Software\Foxit Reader\Uninstall.exe
GSIM --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\gsim.inf, Uninstall
HighMAT Extension to Microsoft Windows XP CD Writing Wizard --> MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HSP56 MicroModem Drivers --> ptuninst.exe
iLumina Bible --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BF0F5955-FC76-4F85-A13D-C9A8A9A5E067}\Setup.exe" -l0x9
Java 2 Runtime Environment, SE v1.4.1_01 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1666FA7C-CB5F-11D6-A78C-00B0D079AF64}\setup.exe" Anytext
Java Web Start --> "C:\Program Files\Java Web Start\uninst-javaws.exe"
Lake Scenes Screen Saver --> C:\PROGRA~1\SCREEN~1.COM\LAKESC~1\UNINSTAL.EXE /U C:\PROGRA~1\SCREEN~1.COM\LAKESC~1\INSTALL.LOG
Logitech IM Video Companion --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\ENGINE\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{984F10FD-11FD-4BED-8163-92DB81E6A825}\SETUP.EXE" -l0x9 UNINSTALL
Logitech QuickCam --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Logitech\QuickCam\Uninst.isu"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Money 2000 Standard Edition --> C:\Program Files\Microsoft Money\setup\setup.exe
Microsoft NetShow Tools 2.0 --> C:\Program Files\Microsoft NetShow\Tools\_INSTTOO.EXE /U
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Windows Journal Viewer --> MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA7}
Microsoft Works 2000 --> MsiExec.exe /I{56364334-9530-11D2-BFFC-00C04FA329AA}
Mouse Suite --> PMUninst.exe MouseSuite98
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN Messenger 5.0 --> MsiExec.exe /I{ABEB838C-A1A7-4C5D-B7E1-8B4314B00544}
Search Assistant - My Web Search --> mshta res://C:\PROGRA~1\MYWEBS~1\SrchAstt\1.bin\mwssrcas.dll/101
Service Connection --> c:\cpqs\bwtools\scuninst.exe
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
The Ultimate Troubleshooter --> C:\PROGRA~1\ANSWER~1\TROUBL~1\UNWISE.EXE C:\PROGRA~1\ANSWER~1\TROUBL~1\INSTALL.LOG
W Photo Studio --> MsiExec.exe /X{CBF3C503-946E-45EA-B347-EACC41781989}
Windows Blaster Worm Removal Tool (KB833330) --> C:\WINDOWS\$NtUninstallKB833330$\spuninst\spuninst.exe
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Photo Gallery --> MsiExec.exe /X{2D4F6BE3-6FEF-4FE9-9D01-1406B220D08C}
Windows Live Sign-in Assistant --> MsiExec.exe /I{0ED47137-C071-46CC-A243-E5E33271E10E}
Windows Live Writer --> MsiExec.exe /X{9176251A-4CC1-4DDB-B343-B487195EB397}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Yahoo! Browser Services --> C:\PROGRA~1\Yahoo!\Common\UNIN_Y~1.EXE /S
Yahoo! Install Manager --> C:\WINDOWS\System32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Internet Mail --> C:\WINDOWS\System32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\YMMAPI.dll
Yahoo! Messenger --> C:\PROGRA~1\YAHOO!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\YAHOO!\MESSEN~1\INSTALL.LOG
Yahoo! Search Suggest Add-on for IE7 --> C:\PROGRA~1\Yahoo!\SEARCH~1\UNINST~1.EXE


-- Application Event Log -------------------------------------------------------

Event Record #/Type6706 / Error
Event Submitted/Written: 06/09/2008 11:38:56 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Event Record #/Type6705 / Error
Event Submitted/Written: 06/09/2008 11:38:55 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Event Record #/Type6704 / Error
Event Submitted/Written: 06/09/2008 11:38:40 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

Event Record #/Type6658 / Error
Event Submitted/Written: 05/31/2008 07:40:19 PM
Event ID/Source: 1001 / Application Hang
Event Description:
Fault bucket 663217111.

Event Record #/Type6657 / Error
Event Submitted/Written: 05/31/2008 07:39:58 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application seccenter.exe, version 11.0.0.62, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type32612 / Warning
Event Submitted/Written: 06/09/2008 09:35:26 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0019A62A8F6B.  The following
error occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type32606 / Warning
Event Submitted/Written: 06/09/2008 06:33:53 PM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type32605 / Warning
Event Submitted/Written: 06/09/2008 05:02:23 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0019A62A8F6B.  The following
error occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type32603 / Error
Event Submitted/Written: 06/09/2008 00:17:30 PM
Event ID/Source: 7031 / Service Control Manager
Event Description:
The Print Spooler service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.

Event Record #/Type32590 / Error
Event Submitted/Written: 06/09/2008 04:54:36 AM
Event ID/Source: 1000 / Dhcp
Event Description:
Your computer has lost the lease to its IP address 192.168.100.11 on the
Network Card with network address 0019A62A8F6B.



-- End of Deckard's System Scanner: finished at 2008-06-09 23:44:39 ------------

 ;D you are so cool

Title: Re: problem after running first spybot S & D
Post by: evilfantasy on June 09, 2008, 11:46:37 PM

OK, we have some work to do.

Disable Spybot's TeaTimer

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent our tools from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your logs are clean.

First:

• Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
• Choose Exit Spybot S&D Resident

Second:

• Open Spybot S&D
• Click Mode, check Advanced Mode
  
• Go To Left Panel, Click Tools, then also in left panel, click Resident
  
• If your firewall raises a question, say OK
  
• Uncheck the box labeled Resident Tea-Timer and OK any prompts.
  
• Use File, Exit to terminate Spybot
  
• Reboot your machine for the changes to take effect.

.
----------

Your file associations need fixing.

Click Start > Run> type in (or copy & paste):

"%userprofile%\desktop\dss.exe" /daft

Click OK
 
DSS will start again, click OK in the disclaimer window
Click the Scan button.
Select everything displayed in the results window
Click the Fix button
Rescan with DAFT again (Start > Run > "%userprofile%\desktop\dss.exe" /daft) it should say All associations are OK
Close DSS.

----------

Open Hijackthis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

• R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c00&s=s earchbar&LC=0409
• O1 - Hosts: 216.177.73.139 auto.search.msn.com
• O1 - Hosts: 216.177.73.139 search.netscape.com
• O2 - BHO: biObj Class - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
• O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
• O2 - BHO: ZIBho Class - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - (no file)
• O2 - BHO: GSIM - {4E7BD74F-2B8D-469E-DFF7-EC6BF4D5FA7D} - (no file)
• O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
• O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinkse arch&c=2c00&LC=0409 (file missing)
• O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinkse arch&c=2c00&LC=0409 (file missing)
• O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostse arch&c=2c00&LC=0409 (file missing)
• O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostse arch&c=2c00&LC=0409 (file missing)
• O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
• O9 - Extra 'Tools' menuitem: AV Home - {06FE5D04-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
• O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelf ish&c=2c00&LC=0409 (file missing)
• O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelf ish&c=2c00&LC=0409 (file missing)
• O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

.
Important: Close all windows except for Hijackthis and then click Fix checked.

Exit Hijackthis.

----------

Your Java is out of date.

Older versions have vulnerabilities that malicious sites can use to infect your system.

Install the new version Sun Java Runtime Environment (http://majorgeeks.com/Sun_Java_Runtime_Environment_d4648.html)

Remove the old version(s)

• Download JavaRa (http://prm753.bchea.org/JavaRa.zip) and unzip the file to your Desktop.
  
• Open JavaRA.exe and choose Remove Older Versions
  
• Once complete exit JavaRA and delete the program.
• Run CCleaner.

.
----------

Go to add/remove programs and uninstall:

Search Assistant - My Web Search

----------

Download SDFix.exe (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Now then reboot your computer in Safe Mode by doing the following:

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, the Advanced Options Menu should appear;
• Select the first option, to run Windows in Safe Mode, then press Enter.
  
• Choose your usual account.
• Open the extracted SDFix folder and double click RunThis.bat to start the script.
  
• Type Y to begin the cleanup process.
  
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  (Report.txt will also be copied to Clipboard).
  
• Finally save the contents of the results file Report.txt to add in your next reply.

If SDFix won't run or you get errors, follow the link for instructions on running SDFix. How to use SDFix (http://www.bleepingcomputer.com/forums/topic131299.html)

----------

Download Combofix by sUBs from one of the below links.

• Link #1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
  
• Link #2 (http://subs.geekstogo.com/ComboFix.exe)
  

Important! Combofix.exe MUST be saved to and ran from the Desktop.

• Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting Combofix.
• Important! Temporarily disable your antivirus, script blocking and any antispyware real time protection before performing a scan.
  • Click  this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of security programs that should be disabled and how to disable them.
    
  • If yours is not listed and you don't know how to disable it, please ask.
• Warning: Combofix disconnects your computer from the internet. The connection is automatically restored before Combofix completes its run.
  
• Double click combofix.exe & follow the prompts.
• Choose Yes to accept the Disclaimers.

• When finished, it will produce a log for you.
• Post that log in your next reply.

Warning: Do not mouseclick combofix's window while it is running. That may cause it to stall

• If Combofix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your computer.
  
• Important: Remember to re-enable your antivirus and antispyware before reconnecting to the Internet.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

If needed, see this  Combofix tutorial (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) with screenshots that will detail more thoroughly the downloading and running of combofix.

----------

Next post add
SDFix Log
Combofix log

Title: Re: problem after running first spybot S & D
Post by: okbreeze on June 10, 2008, 12:25:49 AM

advanced mode gave me notice: "Warning. The advance mode of Spybot-S&D offers more options than the default mode; but those also include some that co harm to your system if you are not sure what you are doing. Do you really want to switch to advanced mode?"
As we're depending upon YOUR brains and not mine, select "yes"?

Title: Re: problem after running first spybot S & D
Post by: evilfantasy on June 10, 2008, 12:30:56 AM

Yes, we need to turn off Tea Timer.

There are more options in advanced mode. Here is an overview of it. http://antivirus.about.com/od/securitytips/ss/hosts_2.htm

It's a little out dated but the basics of it are still relevant.

Title: Re: problem after running first spybot S & D
Post by: okbreeze on June 10, 2008, 03:42:18 AM

I tried to run

"%userprofile%\desktop\dss.exe" /daft
results was notice "Windows cannot find "C:\Documents and Settings\txboots\desktop\dss.exe"/daft
Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.
Did search for file again and still got the above notice.
I have to go to bed. Will all this be ok til later?
At least desktop reappeared.

Title: Re: problem after running first spybot S & D
Post by: evilfantasy on June 10, 2008, 09:16:27 AM

Download Deckard's Association File Tool (DAFT) (http://www.techsupportforum.com/sectools/Deckard/daft.exe) and save it to your desktop.

• Rename daft.exe to daft.com and double click on it to run.
  
• Read the disclaimer and click OK.
• Click on the Scan button.
  
• If it finds faulty file associations, they will appear in red beside a checkbox. If this occurs, just place a checkmark (tick) in the boxes in question.
• Click the Fix button.
  

.
----------

Did you run any of the other scans?

Title: Re: problem after running first spybot S & D
Post by: okbreeze on June 10, 2008, 08:41:53 PM

 ::) Hi. I'm still having messes. I have gotten thru everything up to trying to go into safe mode. I get the 304 error message, and just stays there. I tried shutting down for a few minutes before trying again, but twice my hard drive started sounding like a small airplane   engine! I'd stop quick tapping F8 and desktop icons loaded and the sound went away. I cannot get into safe mode, so I could go to firefox and open SDFix. I'm afraid to try again, without wise input, because that sound cannot be good.  :-\
Thanks, again, for all your help!!! Don't know how you guys do all this!

Title: Re: problem after running first spybot S & D
Post by: evilfantasy on June 10, 2008, 08:52:10 PM

Skip to combofix.

Title: Re: problem after running first spybot S & D
Post by: okbreeze on June 10, 2008, 10:23:22 PM

ComboFix 08-06-10.1 - txboots 2008-06-10 23:05:11.1 - FAT32x86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.112 [GMT -5:00]
Running from: C:\Documents and Settings\txboots\Desktop\ComboFix.exe
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL
C:\Program Files\MyWebSearch\bar\History\search
C:\Program Files\MyWebSearch\bar\Settings\prevcfg.htm
C:\Program Files\MyWebSearch\bar\Settings\settings.dat
C:\Program Files\MyWebSearch\bar\Settings\settings.dat.bak
C:\Program Files\MyWebSearch\bar\Settings\settings.htm
C:\Program Files\MyWebSearch\bar\Settings\settings.htm.bak
C:\Program Files\MyWebSearch\SrchAstt\1.bin\UNINSTAL.INF
C:\Program Files\MyWebSearch\SrchAstt\Cache\00344F71
C:\Program Files\MyWebSearch\SrchAstt\Cache\files.ini
C:\WINDOWS\hosts
C:\WINDOWS\start.exe
C:\WINDOWS\Web\default.htt

.
(((((((((((((((((((((((((   Files Created from 2008-05-11 to 2008-06-11  )))))))))))))))))))))))))))))))
.

2008-06-10 19:59 . 2008-06-09 14:25   <DIR>   d--------   C:\SDFix
2008-06-09 23:30 . 2008-06-09 23:30   <DIR>   d--------   C:\Deckard
2008-06-09 04:06 . 2008-06-09 04:06   <DIR>   d--------   C:\Program Files\Trend Micro
2008-06-08 20:58 . 2008-06-08 20:58   <DIR>   d--------   C:\WINDOWS\Profiles\All Users\Application Data\Spybot - Search & Destroy
2008-06-08 20:58 . 2008-06-08 20:58   <DIR>   d--------   C:\Program Files\Spybot - Search & Destroy
2008-06-07 19:22 . 2008-06-07 19:22   126   --a------   C:\WINDOWS\SYSTEM32\mmc.exe.config
2008-05-31 20:39 . 2008-05-31 20:39   <DIR>   d--------   C:\WINDOWS\Profiles\All Users\Application Data\TEMP
2008-05-31 20:34 . 2007-06-08 13:53   1,753,088   --a------   C:\WINDOWS\SYSTEM32\ExGrid.dll
2008-05-31 20:34 . 2007-04-03 16:51   614,400   --a------   C:\WINDOWS\SYSTEM32\ExButton.dll
2008-05-31 20:34 . 2007-06-05 10:20   602,112   --a------   C:\WINDOWS\SYSTEM32\ExMenu.dll
2008-05-31 20:34 . 2007-06-05 10:19   516,096   --a------   C:\WINDOWS\SYSTEM32\ExTab.dll
2008-05-31 20:34 . 2007-04-03 16:51   307,200   --a------   C:\WINDOWS\SYSTEM32\ExPMenu.dll
2008-05-31 20:33 . 2008-05-31 20:33   <DIR>   d--------   C:\Program Files\Common Files\eSellerate
2008-05-31 20:33 . 2008-05-31 20:33   <DIR>   d--------   C:\Program Files\AnswersThatWork
2008-05-31 20:33 . 1998-04-24 00:00   368,912   --a------   C:\WINDOWS\SYSTEM32\vbar332.dll
2008-05-31 20:33 . 2005-10-11 14:40   356,352   --a------   C:\WINDOWS\SYSTEM32\eSellerateEngine.dll
2008-05-31 20:33 . 2005-10-04 08:11   118,784   --a------   C:\WINDOWS\SYSTEM32\eWebControl.dll
2008-05-31 15:18 . 2008-05-31 15:18   335   --a------   C:\WINDOWS\mozregistry.dat
2008-05-29 18:06 . 2008-05-29 18:06   <DIR>   d--------   C:\Program Files\Foxit Software
2008-05-28 18:17 . 2008-05-28 18:17   <DIR>   d--------   C:\Program Files\WhatsRunning
2008-05-26 17:23 . 2008-05-26 17:23   754   --a------   C:\WINDOWS\WORDPAD.INI
2008-05-23 11:11 . 2008-05-23 11:11   <DIR>   d--------   C:\Documents and Settings\txboots\dwhelper
2008-05-23 10:27 . 2008-05-23 10:27   1,160   --a------   C:\WINDOWS\mozver.dat
2008-05-19 20:23 . 2006-11-29 13:06   3,426,072   --a------   C:\WINDOWS\SYSTEM32\d3dx9_32.dll
2008-05-19 02:14 . 2004-05-14 16:53   462,848   --a------   C:\WINDOWS\SYSTEM32\ltkrn13n.dll
2008-05-19 02:14 . 2004-05-14 16:53   450,560   --a------   C:\WINDOWS\SYSTEM32\ltimg13n.dll
2008-05-19 02:14 . 2004-05-14 16:53   401,408   --a------   C:\WINDOWS\SYSTEM32\lfcmp13n.dll
2008-05-19 02:14 . 2004-05-14 16:53   299,008   --a------   C:\WINDOWS\SYSTEM32\ltdis13n.dll
2008-05-19 02:14 . 2004-01-12 02:09   206,336   --a------   C:\WINDOWS\SYSTEM32\ltefx13n.dll
2008-05-19 02:14 . 2004-05-14 16:53   163,840   --a------   C:\WINDOWS\SYSTEM32\ltfil13n.dll
2008-05-19 02:14 . 2003-11-04 15:11   159,744   --a------   C:\WINDOWS\SYSTEM32\lfpng13n.dll
2008-05-19 02:14 . 2003-11-04 15:10   69,632   --a------   C:\WINDOWS\SYSTEM32\lfgif13n.dll
2008-05-19 02:14 . 2004-05-14 16:53   57,344   --a------   C:\WINDOWS\SYSTEM32\lfbmp13n.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-09 01:04   ---------   d-----w   C:\Documents and Settings\txboots\Application Data\W Photo Studio
2008-05-09 01:03   ---------   d-----w   C:\WINDOWS\Profiles\All Users\Application Data\Walgreens
2008-05-09 01:03   ---------   d-----w   C:\Program Files\Walgreens
2008-05-09 01:03   ---------   d-----w   C:\Program Files\Common Files\HP
2008-05-09 01:03   ---------   d-----w   C:\Documents and Settings\txboots\Application Data\Walgreens
2008-05-09 00:55   ---------   d-----w   C:\Documents and Settings\txboots\Application Data\W Photo Studio Viewer
2008-05-07 16:43   ---------   d-----w   C:\Documents and Settings\txboots\Application Data\Uniblue
2008-04-22 16:29   ---------   d-----w   C:\Documents and Settings\txboots\Application Data\BitDefender
2008-04-22 16:28   ---------   d-----w   C:\WINDOWS\Profiles\All Users\Application Data\BitDefender
2008-04-22 16:28   ---------   d-----w   C:\Program Files\BitDefender
2008-04-22 16:26   ---------   d-----w   C:\Program Files\Common Files\BitDefender
2008-04-22 01:26   ---------   d-----w   C:\Program Files\Screen-Savers.com
2008-04-22 01:26   ---------   d-----w   C:\Program Files\Java
2008-04-04 06:19   743,621   ----a-w   C:\WINDOWS\SYSTEM32\RPUpdates.zip
2008-03-27 08:12   151,583   ----a-w   C:\WINDOWS\SYSTEM32\msjint40.dll
2008-03-27 08:12   151,583   ------w   C:\WINDOWS\SYSTEM32\dllcache\msjint40.dll
2008-03-25 01:51   2,400,784   ----a-w   C:\WLinstaller.exe
2008-03-19 09:47   1,845,248   ----a-w   C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47   1,845,248   ------w   C:\WINDOWS\SYSTEM32\dllcache\win32k.sys
2003-09-22 20:06   266   --sh--w   C:\Program Files\desktop.ini
2003-09-22 20:06   11,079   ---h--w   C:\Program Files\folder.htt
2001-05-24 17:59   162,304   ----a-w   C:\Program Files\UNWISE.EXE
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@={7D688A77-C613-11D0-999B-00C04FD655E1}

[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2007-10-25 21:36   8454656   --a------   C:\WINDOWS\SYSTEM32\SHELL32.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe" [2001-08-23 12:00 3072 C:\WINDOWS\SYSTEM32\systray.exe]
"BitDefender Antiphishing Helper"="C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe" [2007-10-09 15:46 61440]
"BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [2008-06-09 10:13 360448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"@"="" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.uyvy"= lvcod32.dll
"vidc.yuy2"= lvcod32.dll
"vidc.yvu9"= lvcod32.dll
"VIDC.VDOM"= vdowave.drv
"vidc.mxmc"= MimicICM.DLL
"VIDC.TR20"= tr2032.dll
"msacm.voxacm119"= vdk32119.acm
"vidc.vivo"= ivvideo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 01:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EXSHOW95.EXE]
--a------ 2001-09-07 17:18 45056 C:\WINDOWS\SYSTEM32\exshow95.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebSavingsfromEbates]
wjview /cp:p C:\Program Files\WebSavingsfromEbates\System\Code Main lp: C:\Program Files\WebSavingsfromEbates

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe"
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ScanRegistry"=c:\windows\scanregw.exe /autorun
"CPQEASYACC"=C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
"EACLEAN"=C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
"Service Connection"=c:\cpqs\bwtools\sccenter.exe
"CountrySelection"=pctptt.exe
"CPQInet"=c:\compaq\CPQInet\CpqInet.exe
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"Digital Dashboard"=C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
"LoadQM"=loadqm.exe
"QuickTime Task"=C:\WINDOWS\SYSTEM32\qttask.exe
"ausvc"=C:\WINDOWS\ausvc.exe
"SysScan"=C:\WINDOWS\bvt.exe
"ABsr"=C:\WINDOWS\absr.exe
"MovieNetworks"="C:\Program Files\MovieNetworks\MovieNetworks.exe" /H
"WebInstall2"=C:\WINDOWS\TEMP\INS93B4.TMP /R /A
"Hotbar"=C:\PROGRAM FILES\HOTBAR\BIN\4.2.8.0\HBINST.EXE /Upgrade
"DXM6Patch_981116"=C:\WINDOWS\p_981116.exe /Q:A
"LVComs"=C:\WINDOWS\SYSTEM32\LVComS.exe
"KAZAA"=C:\PROGRAM FILES\KAZAA\KAZAA.EXE /SYSTRAY
"Mouse Suite 98 Daemon"=PELMICED.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"PTSNOOP"=ptsnoop.exe
"LexStart"=Lexstart.exe
"LexmarkPrinTray"=PrinTray.exe
"CountrySelection"=pctptt.exe
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"SchedulingAgent"=mstask.exe
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"Hidserv"=Hidserv.exe run

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Messenger\\MSMSGS.EXE"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;C:\WINDOWS\system32\DRIVERS\bdfndisf.sys [2008-01-25 15:40]
S3 KMW_SYS;Kensington MouseWorks Mouse filter driver;C:\WINDOWS\system32\DRIVERS\KMW_SYS.sys [2001-09-07 18:10]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx   REG_MULTI_SZ      scan

*Newly Created Service* - CATCHME

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>IEPerUser]
RUNDLL32.EXE IEDKCS32.DLL,BrandIE4 SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\Program Files\Outlook Express\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\Program Files\Outlook Express\setup50.exe" /APP:OE /CALLER:IE50 /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\Program Files\Outlook Express\setup50.exe" /APP:OE /CALLER:IE50 /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA851-CC51-11CF-AAFA-00AA00B6015C}]
rundll32.exeadvpack.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\Program Files\Outlook Express\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\Program Files\Outlook Express\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
"C:\Program Files\Outlook Express\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\Program Files\Outlook Express\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
"C:\Program Files\Outlook Express\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-10 23:10:48
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-10 23:12:45
ComboFix-quarantined-files.txt  2008-06-11 04:12:34

Pre-Run: 5,029,740,544 bytes free
Post-Run: 5,029,666,816 bytes free

206   --- E O F ---   2008-05-28 03:31:57

Title: Re: problem after running first spybot S & D
Post by: evilfantasy on June 10, 2008, 10:50:50 PM

Download DrWeb CureIt (http://freedrweb.com/) & save it to your desktop.

Scan with DrWeb-CureIt as follows:

• Double-click on drweb-cureit.exe and then click Start.
  
• An Express Scan of your PC notice will appear.
  
• Under Start the Express Scan Now Click OK to start.
  • This is a short scan that will scan the files currently running in memory.
  • If or when something is found, click the Yes button when it asks you if you want to cure it.
• Once the short scan has finished, Click Options > Change settings
  
• Choose the Scan tab and UNcheck Heuristic analysis and click OK
  
• Back at the main window, select the Complete scan button.
  
• Then click the Green Arrow (http://i154.photobucket.com/albums/s258/evilfantasy69/drweb.jpg) Start Scanning button on the right and the scan will start.
  • Click Yes to all if it asks if you want to cure/move any file(s).
• When the scan is done.
• In the Dr.Web CureIt menu on top left, click File and choose Save report list.
  
• Save the DrWeb.csv report to your Desktop.
  
• Exit Dr.Web Cureit.

• Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.

[/COLOR]

• After reboot, Right-click the Dr.Web log on the desktop and choose Open With > Notepad
  
• Copy and paste that log in the next reply

.
----------

Now run a new Hijackthis scan and post that log also.

Title: Re: problem after running first spybot S & D
Post by: okbreeze on June 10, 2008, 11:49:42 PM

Computer shut down during full scan of Dr.Web CureIt, and rebooted. I don't think it was finished, and I didn't get to save report list. Took me a bit to get back up. Rerun?
I did a little digging. I need the Windows recovery console, but I don't have the Windows disc. In reading up on Dr.Web-Cure it, I need that recovery console. Is there a way around this? I read a little about UNC (Universal Naming Convention), as a possible help for this, but it looks a little scary for me to attempt.

Title: Re: problem after running first spybot S & D
Post by: evilfantasy on June 11, 2008, 11:18:45 AM

Without a Windows CD Recovery Console won't do any good.

Run the F-Secure online scan for Viruses, Spyware and RootKits:

This scanner works with Internet Explorer only

• Go to the  F-Secure Online Virus Scanner (http://support.f-secure.com/enu/home/ols.shtml)
  
• Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
• Allow the Active X control to be installed on your computer, then click the Accept button
• Click Full System Scan and allow the components to download and the scan to complete.
  
• If malware is found, check Submit samples to F-Secure then select Automatic cleaning
  
• When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  
• Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post

If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan

• When the cleaning option is presented, Uncheck Submit samples to F-Secure
  
• Click Automatic cleaning
  
• When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  
• Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post along with a fresh HijackThis log.

Note:

• This scan will only work with Internet Explorer
• You must have administrator rights to run this scan
• This scan can take over an hour so please be patient

Title: Re: problem after running first spybot S & D
Post by: okbreeze on June 14, 2008, 04:31:59 AM

F-Secure found no malware:)

Title: Re: problem after running first spybot S & D
Post by: evilfantasy on June 14, 2008, 12:39:22 PM

Run a new scan with Hijackthis and post the log.

Title: Re: problem after running first spybot S & D
Post by: okbreeze on June 15, 2008, 06:39:23 PM

To post the Hijackthis log, just copy and paste?
And, what's the difference between "Rookie" and "Beginner"?  ::)

Title: Re: problem after running first spybot S & D
Post by: evilfantasy on June 15, 2008, 07:41:54 PM

Yes just copy and paste.

Title: Re: problem after running first spybot S & D
Post by: okbreeze on June 15, 2008, 07:49:30 PM

Hi, evilfantasy! Appreciate your patience. Did I copy the right thing?

Index   % of PCs with item   Code   Data
1   0.0%   O16   {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
2   0.8%   O2   Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
3   0.7%   O2   Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
4   0.3%   O2   Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
5   0.0%   O2   Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
6   0.0%   O2   Yahoo! IE Suggest - {5A263CF7-56A6-4D68-A8CF-345BE45BC911} - C:\Program Files\Yahoo!\SearchSuggest\YSearchSuggest.dll
7   0.0%   O23   BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
8   0.0%   O23   BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe (file missing)
9   0.0%   O23   BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
10   0.0%   O3   BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
11   0.0%   O4   [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
12   0.0%   O4   [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
13   3.9%   O9   Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
14   3.9%   O9   Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
15   0.3%   O9   Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
16   0.1%   O9   (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
17   0.1%   O9   Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
18   0.0%   O9   (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
19   0.0%   O9   @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
20   0.0%   O9   (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
21   0.0%   O9   Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
22   0.0%   O9   Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
23   0.0%   O9   &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
24   7.6%   P01   C:\WINDOWS\Explorer.EXE
25   7.4%   P01   C:\WINDOWS\system32\svchost.exe
26   7.4%   P01   C:\WINDOWS\system32\lsass.exe
27   7.4%   P01   C:\WINDOWS\system32\winlogon.exe
28   7.4%   P01   C:\WINDOWS\system32\services.exe
29   7.4%   P01   C:\WINDOWS\System32\smss.exe
30   7.2%   P01   C:\WINDOWS\system32\spoolsv.exe
31   1.1%   P01   C:\Program Files\Mozilla Firefox\firefox.exe
32   0.2%   P01   C:\WINDOWS\system32\WgaTray.exe
33   0.0%   P01   C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
34   0.0%   P01   C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
35   0.0%   P01   C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
36   0.0%   P01   C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
37   0.1%   R0   HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
38   0.0%   R0   HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/verify?.done=http://www.yahoo.com
39   2.8%   R1   HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
40   2.7%   R1   HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
41   2.7%   R1   HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
42   0.2%   R1   HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
43   0.2%   R1   HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com

Explanation of the codes

R - Registry, StartPage/SearchPage changes

    * R0 - Changed registry value
    * R1 - Created registry value
    * R2 - Created registry key
    * R3 - Created extra registry value where only one should be

F - IniFiles, autoloading entries

    * F0 - Changed inifile value
    * F1 - Created inifile value
    * F2 - Changed inifile value, mapped to Registry
    * F3 - Created inifile value, mapped to Registry

N - Netscape/Mozilla StartPage/SearchPage changes

    * N1 - Change in prefs.js of Netscape 4.x
    * N2 - Change in prefs.js of Netscape 6
    * N3 - Change in prefs.js of Netscape 7
    * N4 - Change in prefs.js of Mozilla

O - Other, several sections which represent:

    * O1 - Hijack of auto.search.msn.com with Hosts file
    * O2 - Enumeration of existing MSIE BHO's
    * O3 - Enumeration of existing MSIE toolbars
    * O4 - Enumeration of suspicious autoloading Registry entries
    * O5 - Blocking of loading Internet Options in Control Panel
    * O6 - Disabling of 'Internet Options' Main tab with Policies
    * O7 - Disabling of Regedit with Policies
    * O8 - Extra MSIE context menu items
    * O9 - Extra 'Tools' menuitems and buttons
    * O10 - Breaking of Internet access by New.Net or WebHancer
    * O11 - Extra options in MSIE 'Advanced' settings tab
    * O12 - MSIE plugins for file extensions or MIME types
    * O13 - Hijack of default URL prefixes
    * O14 - Changing of IERESET.INF
    * O15 - Trusted Zone Autoadd
    * O16 - Download Program Files item
    * O17 - Domain hijack
    * O18 - Enumeration of existing protocols and filters
    * O19 - User stylesheet hijack
    * O20 - AppInit_DLLs autorun Registry value, Winlogon Notify Registry keys
    * O21 - ShellServiceObjectDelayLoad (SSODL) autorun Registry key
    * O22 - SharedTaskScheduler autorun Registry key
    * O23 - Enumeration of NT Services
    * O24 - Enumeration of ActiveX Desktop Components

Title: Re: problem after running first spybot S & D
Post by: evilfantasy on June 15, 2008, 07:53:45 PM

No.

# Open Hijackthis.
# Click on the Do a system scan and save a log file button
# Hijackthis will scan and then a log will open in notepad.
# Copy and then paste the entire contents of the log in your post.

Title: Re: problem after running first spybot S & D
Post by: okbreeze on June 15, 2008, 08:01:50 PM

Thank you. I see I selected wrong. I just scanned again, and got a note: "CMMGR32.EXE-Entry Point Not Found
The procedure entry point CmFmtMsg could not be located in the dynamic link library cmutil.dll."
Log didn't open up in notepad

Title: Re: problem after running first spybot S & D
Post by: evilfantasy on June 15, 2008, 08:12:18 PM

Do you have an XP CD?

If so, place it in your CD ROM drive and follow the instructions below:

• Click on Start > Run and type sfc /scannow then press Enter (note the space between scf and /scannow)
  • Let this run undisturbed until the window with the blue  progress bar goes away

SFC - Which stands for System File Checker, retrieves the correct version of the file from %Systemroot%\System32\Dllcache or the Windows installation source files, and then replaces the incorrect file.

If you want to see what was replaced, right-click My Computer and click on Manage. 
In the new window that appears, expand the Event Viewer (by clicking on the + symbol next to it) and then click on System.

Title: Re: problem after running first spybot S & D
Post by: okbreeze on June 15, 2008, 08:14:48 PM

 :( Sorry, evilfantasy, bought second-hand and too late realized didn't get XP CD
Will this do?:

Deckard's System Scanner v20071014.68
Run by txboots on 2008-06-16 00:28:29
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 319 MiB (512 MiB recommended).


-- HijackThis (run as txboots.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:29:24 AM, on 6/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\txboots\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\txboots.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/verify?.done=http%3a//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Suggest - {5A263CF7-56A6-4D68-A8CF-345BE45BC911} - C:\Program Files\Yahoo!\SearchSuggest\YSearchSuggest.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 4784 bytes

-- Files created between 2008-05-16 and 2008-06-16 -----------------------------

2008-06-13 20:47:52         0 d-------- C:\fsaua.data
2008-06-11 00:17:22         0 d-------- C:\Documents and Settings\txboots\DoctorWeb
2008-06-10 23:03:37     68096 --a------ C:\WINDOWS\zip.exe
2008-06-10 23:03:37    161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-10 23:03:37     98816 --a------ C:\WINDOWS\sed.exe
2008-06-10 23:03:37     80412 --a------ C:\WINDOWS\grep.exe
2008-06-10 23:03:36     49152 --a------ C:\WINDOWS\VFind.exe
2008-06-10 23:03:36    212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-10 23:03:36    136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-10 23:03:36     89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-09 04:06:13         0 d-------- C:\Program Files\Trend Micro
2008-05-31 20:34:19   1753088 --a------ C:\WINDOWS\system32\ExGrid.dll <Not Verified; Exontrol Inc.; ExGrid Module>
2008-05-31 20:34:10    614400 --a------ C:\WINDOWS\system32\ExButton.dll <Not Verified; Exontrol Inc.; ExButton Module>
2008-05-31 20:34:09    602112 --a------ C:\WINDOWS\system32\ExMenu.dll <Not Verified; Exontrol Inc.; ExMenu Control>
2008-05-31 20:34:08    516096 --a------ C:\WINDOWS\system32\ExTab.dll <Not Verified; Exontrol Inc.; ExTab Module>
2008-05-31 20:34:08    307200 --a------ C:\WINDOWS\system32\ExPMenu.dll <Not Verified; Exontrol Inc.; ExPopupMenu Control>
2008-05-31 20:33:58    356352 --a------ C:\WINDOWS\system32\eSellerateEngine.dll <Not Verified; eSellerate Inc.; eSellerateEngine>
2008-05-31 20:33:57    118784 --a------ C:\WINDOWS\system32\eWebControl.dll <Not Verified; eSellerate Inc.; >
2008-05-31 20:33:57         0 d-------- C:\Program Files\Common Files\eSellerate
2008-05-31 20:33:56    368912 --a------ C:\WINDOWS\system32\vbar332.dll <Not Verified; Microsoft Corporation; Microsoft Visual Basic for Applications>
2008-05-31 20:33:49         0 d-------- C:\Program Files\AnswersThatWork
2008-05-31 15:18:22       335 --a------ C:\WINDOWS\mozregistry.dat
2008-05-30 19:54:38         0 dr-h----- C:\Documents and Settings\txboots\Recent
2008-05-29 18:06:51         0 d-------- C:\Program Files\Foxit Software
2008-05-28 18:17:21         0 d-------- C:\Program Files\WhatsRunning
2008-05-23 11:11:46         0 d-------- C:\Documents and Settings\txboots\dwhelper
2008-05-23 10:27:10      1160 --a------ C:\WINDOWS\mozver.dat
2008-05-22 22:08:37         0 d-------- C:\Documents and Settings\txboots\Application Data\Mozilla


-- Find3M Report ---------------------------------------------------------------

2008-05-08 20:04:12         0 d-------- C:\Documents and Settings\txboots\Application Data\W Photo Studio
2008-05-08 20:03:32         0 d-------- C:\Documents and Settings\txboots\Application Data\Walgreens
2008-05-08 20:03:22         0 d-------- C:\Program Files\Common Files\HP
2008-05-08 20:03:10         0 d-------- C:\Program Files\Walgreens
2008-05-08 19:55:06         0 d-------- C:\Documents and Settings\txboots\Application Data\W Photo Studio Viewer
2008-05-07 11:43:40         0 d-------- C:\Documents and Settings\txboots\Application Data\Uniblue
2008-04-22 11:29:30         0 d-------- C:\Documents and Settings\txboots\Application Data\BitDefender
2008-04-22 11:28:02         0 d-------- C:\Program Files\BitDefender
2008-04-22 11:26:16         0 d-------- C:\Program Files\Common Files\BitDefender
2008-04-21 20:26:56         0 d-------- C:\Program Files\Screen-Savers.com
2008-04-21 20:26:56         0 d-------- C:\Program Files\Java
2008-04-01 11:24:06     29948 --a------ C:\my pictures


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitDefender Antiphishing Helper"="C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe" [10/09/2007 03:46 PM]
"BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [06/09/2008 10:13 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EXSHOW95.EXE]
EXSHOW95.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebSavingsfromEbates]
wjview /cp:p "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe"
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ScanRegistry"=c:\windows\scanregw.exe /autorun
"CPQEASYACC"=C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
"EACLEAN"=C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
"Service Connection"=c:\cpqs\bwtools\sccenter.exe
"CountrySelection"=pctptt.exe
"CPQInet"=c:\compaq\CPQInet\CpqInet.exe
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"Digital Dashboard"=C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
"LoadQM"=loadqm.exe
"QuickTime Task"=C:\WINDOWS\SYSTEM32\qttask.exe
"ausvc"=C:\WINDOWS\ausvc.exe
"SysScan"=C:\WINDOWS\bvt.exe
"ABsr"=C:\WINDOWS\absr.exe
"MovieNetworks"="C:\Program Files\MovieNetworks\MovieNetworks.exe" /H
"WebInstall2"=C:\WINDOWS\TEMP\INS93B4.TMP /R /A
"Hotbar"=C:\PROGRAM FILES\HOTBAR\BIN\4.2.8.0\HBINST.EXE /Upgrade
"DXM6Patch_981116"=C:\WINDOWS\p_981116.exe /Q:A
"LVComs"=C:\WINDOWS\SYSTEM32\LVComS.exe
"KAZAA"=C:\PROGRAM FILES\KAZAA\KAZAA.EXE /SYSTRAY
"Mouse Suite 98 Daemon"=PELMICED.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"PTSNOOP"=ptsnoop.exe
"LexStart"=Lexstart.exe
"LexmarkPrinTray"=PrinTray.exe
"CountrySelection"=pctptt.exe
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"SchedulingAgent"=mstask.exe
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"Hidserv"=Hidserv.exe run

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx   scan


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>IEPerUser]
RUNDLL32.EXE IEDKCS32.DLL,BrandIE4 SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\Program Files\Outlook Express\setup50.exe" /APP:OE /CALLER:IE50 /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA851-CC51-11CF-AAFA-00AA00B6015C}]
rundll32.exeadvpack.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\Program Files\Outlook Express\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
"C:\Program Files\Outlook Express\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl



-- End of Deckard's System Scanner: finished at 2008-06-16 00:36:01 ------------

Title: Re: problem after running first spybot S & D
Post by: evilfantasy on June 16, 2008, 12:09:41 AM

• Click START then RUN
  
• Now type Combofix /u in the runbox
  
• Make sure there's a space between Combofix and /u
• Then hit Enter.

.

(http://i154.photobucket.com/albums/s258/evilfantasy69/combofixu-1.jpg)

.
The above procedure will:

• Delete:
• ComboFix and its associated files and folders.
• VundoFix backups, if present
• The C:\Deckard folder, if present
• The C:_OtMoveIt folder, if present

• Reset the clock settings.
• Hide file extensions, if required.
• Hide System/Hidden files, if required.
• Set a new, clean Restore Point.

.
----------

Download OTMoveIt2 by OldTimer  OTMoveIt2.exe (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe) and place it on your desktop. (unless you already have it installed)

1. Double click OTMoveIt2.exe to launch it.
Vista users right click and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
5. Once complete exit out of OTMoveIt2

----------

Download Malwarebytes' Anti-Malware from here (http://www.besttechie.net/tools/mbam-setup.exe) or here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.
  

.
Extra Note: If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

------

Next post add
MBAM log

Title: Re: problem after running first spybot S & D
Post by: okbreeze on June 16, 2008, 09:45:27 PM

Appreciate your help and easy instructions.

Malwarebytes' Anti-Malware 1.17
Database version: 846

10:17:03 PM 6/16/2008
mbam-log-6-16-2008 (22-17-03).txt

Scan type: Quick Scan
Objects scanned: 37372
Time elapsed: 21 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 4
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\mywebsearchsearchassistant.auxiliary (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchsearchassistant.auxiliary.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\dynamic toolbar (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\GSIM (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\GSIM\Cache (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\Save (Adware.WhenUSave) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\dynamic toolbar\GSIM\Cache\GSIMTB0200.cfg (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\GSIM\Cache\ErrorLog.txt (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\Save\save.db (Adware.WhenUSave) -> Quarantined and deleted successfully.

Title: Re: problem after running first spybot S & D
Post by: evilfantasy on June 16, 2008, 10:34:36 PM

How is everything now?

Title: Re: problem after running first spybot S & D
Post by: okbreeze on June 17, 2008, 05:54:16 AM

  ;D Things are so much better; thank you! Now... ::) which of these things disabled my BitDefender updater and fix button?

Title: Re: problem after running first spybot S & D
Post by: evilfantasy on June 17, 2008, 10:03:12 AM

Not sure which one did it.

Set a New Restore Point to prevent possible reinfection from an old one
Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.

• Go to Start > Programs > Accessories > System Tools and click System Restore
  
• Choose the radio button marked Create a Restore Point on the first screen then click Next Give the Restore Point a name then click Create.
  
• The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
• Next go to Start > Run and type Cleanmgr
  
• Click OK
  
• Click the More Options Tab.
  
• Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.

.
----------

Use the  Secunia Software Inspector (http://secunia.com/software_inspector) to check for out of date software.

• Click Start Now
  
• Check the box next to Enable thorough system inspection.
  
• Click Start
  
• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.

.
----------

Important: You Need to Update Windows and Internet Explorer regularly to protect your computer from the malware and other security threats that are on the Internet. Go to Microsoft Windows Update (http://windowsupdate.microsoft.com/) and get all critical updates.

If you are running any Microsoft Office version go to the Office Update (http://office.microsoft.com/search/redir.aspx?assetid=ES790020331033&CTT=96&Origin=CL100570421033) site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.

----------

Make sure all of your security programs are up to date and run scans with them regularly. Once or twice a week minimum.

Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.

To prevent unknown applications from being installed on your computer install WinPatrol 2008 (http://www.winpatrol.com/winpatrol.html)
 Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

Another thing I would suggest installing SiteAdvisor (http://www.siteadvisor.com/). SiteAdvisor rates sites on business practices and spam.

 SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) - Secure your Internet Explorer to make it harder for these ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* (http://www.bleepingcomputer.com/tutorials/tutorial49.html)Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/forums/tutorial49.html)
*If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)

Check out  Keeping Yourself Safe On The Web (http://evilspages.blogspot.com/2008/05/keeping-yourself-safe-on-web.html) for tips and free tools to keep you safe in the future.

Also see  Slow Computer? It May Not Be Malware (http://evilspages.blogspot.com/2008/05/slow-computer-it-may-not-be-malware.html) for free cleaning/maintenance tools to help keep your computer running smooth.

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php)  <--- where you can make difference!

Title: Re: problem after running first spybot S & D
Post by: okbreeze on June 17, 2008, 12:49:32 PM

When I key in Cleanmgr, select drive comes up to select C or D drive

Title: Re: problem after running first spybot S & D
Post by: evilfantasy on June 17, 2008, 12:50:17 PM

C drive.

Title: Re: problem after running first spybot S & D
Post by: okbreeze on June 17, 2008, 01:05:33 PM

Sorry, I've never cleaned C that way. I can just click on "disc cleaner". It's done. Windows won't update me as I don't pass validation.
I have XP Pro

Title: Re: problem after running first spybot S & D
Post by: evilfantasy on June 17, 2008, 01:06:22 PM

Is your copy of XP legal?

Title: Re: problem after running first spybot S & D
Post by: okbreeze on June 17, 2008, 01:22:13 PM

Took them about 6 years to decide it isn't. I downloaded a tool that is supposed to find the verification number; it isn't accepted
I was just allowed to download the first of 3 downloads of XP Service Pak 3, at www.microsoft.com/downloads, but have to go around my securities to download other two parts.

Title: Re: problem after running first spybot S & D
Post by: evilfantasy on June 17, 2008, 01:47:44 PM

I can't help you with that issue until you can show you have a legitimate copy of XP.

Title: Re: problem after running first spybot S & D
Post by: okbreeze on June 17, 2008, 01:57:15 PM

K. I understand. You've helped me with a lot, and I appreciate it.