Malware links to Spyburner - need help! (New)

jwosf
Junior Member with 11 posts.
 
Join Date: Mar 2008
Experience: Beginner
04-Mar-2008, 11:22 PM #1
Malware links to Spyburner - need help!
My desktop background has changed to the following message: Warning! Your're in danger! Your computer is infected with spyware!... etc. There is an icon in the system tray of a red, green and yellow shield, and the computer is running really slow. I'm also getting IE popups regularly and everything on the screen seems to be magnified. I am running Windows XP and downloaded all updates.

I ran Symantec Antivirus, Spybot S&D and AdAware, and am still having the same problems.

My HijackThis log is as follows:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:43:57 PM, on 3/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sprint\Mobile Broadband\SMBAUtilSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\sysockeu.exe
C:\WINDOWS\sysodkcs.exe
C:\WINDOWS\sysoghcx.exe
C:\WINDOWS\sysokuaw.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Programs\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://mailman.calmtg.com/exchweb/b...hange&reason=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2843DAC1-05EF-11D2-95BA-0060083493D6} - (no file)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll
O2 - BHO: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [OSCD_Creator] c:\Dell\PreODM.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [eFax 4.1] "C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [1029BB4B-16A9-4E77-AA3D-96930BD68EEC] "C:\WINDOWS\sysockeu.exe"
O4 - HKLM\..\Run: [852EBF20-A95D-4F1F-B9C2-B2CD24350F3E] "C:\WINDOWS\sysodkcs.exe"
O4 - HKLM\..\Run: [756349DC-6D9E-4F2A-9B24-269661F073C3] "C:\WINDOWS\sysoghcx.exe"
O4 - HKLM\..\Run: [2177F056-0AA6-4D6C-A944-13F71F341C29] "C:\WINDOWS\sysokuaw.exe"
O4 - HKLM\..\RunOnce: [OSCD_Creator] C:\Dell\PreODM.EXE /2
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinst.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/ca..._2.3.3.102.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...0/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1141846312692
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1141846419496
O16 - DPF: {7DD62E58-5FA8-11D2-AFB7-00104B64F126} - http://www.swiftview.com/product/pub...ll_a_green.exe
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://66.242.36.104/app/view22RTE.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...23/mcgdmgr.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/fr...ylomplayer.cab
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} (Java Plug-in 1.4.2_03) -
O16 - DPF: {D1548A26-B8F6-4E86-AE74-E7062CCC2E2A} (igLoader Content on Demand) - http://www.miniclip.com/igloader/igloader.CAB
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://3dlifeplayer.dl.3dvia.com/pla.../installer.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O16 - DPF: {E3E02F12-2ADB-478C-8742-5F0819F9F0F4} (Quantum Streaming IE VersionManager Class) - http://qmedia.xlontech.net/100170/sd...ie06041001.cab
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = calmtg.com
O17 - HKLM\Software\..\Telephony: DomainName = calmtg.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = calmtg.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = calmtg.com
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Access Utility Service - SprintNextel - C:\Program Files\Sprint\Mobile Broadband\SMBAUtilSvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 13488 bytes


Any help would be greatly appreciated. Thanks!
Kenny94
Distinguished Member with 2,134 posts.
 
Join Date: Dec 2004
Location: S.C
Experience: Malware Fighter
05-Mar-2008, 06:37 AM #2
Hi jwosf and Welcome to TSG,

Please read this post completely; it may make it easier for you if you copy and paste this post into a new text document or print it for reference later.

***If you already have VundoFix on your computer, please delete it. We need to be sure you have the latest version.***

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files; click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Next

Please download SUPERAntiSpyware Home Edition (free version)
  • Install it and double-click the icon on your desktop to run it.
  • It will ask if you want to update the program definitions, click Yes.
  • Under Configuration and Preferences, click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked:
    • Close browsers before scanning
    • Scan for tracking cookies
    • Terminate memory threats before quarantining.
    • Please leave the others unchecked.
    • Click the Close button to leave the control center screen.
  • On the main screen, under Scan for Harmful Software click Scan your computer.
  • On the left check C:\Fixed Drive.
  • On the right, under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete a summary box will appear. Click OK.
  • Make sure everything in the white box has a check next to it, then click Next.
  • It will quarantine what it found and if it asks if you want to reboot, click Yes.
  • To retrieve the removal information for me please do the following:
    • After reboot, double-click the SUPERAntispyware icon on your desktop.
    • Click Preferences. Click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • It will open in your default text editor (such as Notepad/Wordpad).
    • Please highlight everything in the notepad, then right-click and choose copy.
  • Click close and close again to exit the program.
  • Save the log information. And paste this info along with your HijackThis log.

In your next reply, please include these log(s):

* vundofix.txt log
* Superantispyware log
* HijackThis log (new)
__________________
Member of the Alliance of Security Analysis Professionals

Malware And Security Tips
jwosf
Junior Member with 11 posts.
 
Join Date: Mar 2008
Experience: Beginner
05-Mar-2008, 01:14 PM #3
VundoFix results
Thanks so much, Kenny! I downloaded and ran VundoFix, but it did not find any results. Here is the log:

VundoFix V7.0.0

Scan started at 9:53:37 AM 3/5/2008

Listing files found while scanning....

No infected files were found.

I ran HijackThis again and here are the results:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:11:27 AM, on 3/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sprint\Mobile Broadband\SMBAUtilSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\sysockeu.exe
C:\WINDOWS\sysodkcs.exe
C:\WINDOWS\sysoghcx.exe
C:\WINDOWS\sysokuaw.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Programs\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://mailman.calmtg.com/exchweb/b...hange&reason=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2843DAC1-05EF-11D2-95BA-0060083493D6} - (no file)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll
O2 - BHO: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [OSCD_Creator] c:\Dell\PreODM.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [eFax 4.1] "C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [1029BB4B-16A9-4E77-AA3D-96930BD68EEC] "C:\WINDOWS\sysockeu.exe"
O4 - HKLM\..\Run: [852EBF20-A95D-4F1F-B9C2-B2CD24350F3E] "C:\WINDOWS\sysodkcs.exe"
O4 - HKLM\..\Run: [756349DC-6D9E-4F2A-9B24-269661F073C3] "C:\WINDOWS\sysoghcx.exe"
O4 - HKLM\..\Run: [2177F056-0AA6-4D6C-A944-13F71F341C29] "C:\WINDOWS\sysokuaw.exe"
O4 - HKLM\..\RunOnce: [OSCD_Creator] C:\Dell\PreODM.EXE /2
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinst.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/ca..._2.3.3.102.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...0/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1141846312692
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1141846419496
O16 - DPF: {7DD62E58-5FA8-11D2-AFB7-00104B64F126} - http://www.swiftview.com/product/pub...ll_a_green.exe
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://66.242.36.104/app/view22RTE.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...23/mcgdmgr.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/fr...ylomplayer.cab
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} (Java Plug-in 1.4.2_03) -
O16 - DPF: {D1548A26-B8F6-4E86-AE74-E7062CCC2E2A} (igLoader Content on Demand) - http://www.miniclip.com/igloader/igloader.CAB
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://3dlifeplayer.dl.3dvia.com/pla.../installer.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O16 - DPF: {E3E02F12-2ADB-478C-8742-5F0819F9F0F4} (Quantum Streaming IE VersionManager Class) - http://qmedia.xlontech.net/100170/sd...ie06041001.cab
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = calmtg.com
O17 - HKLM\Software\..\Telephony: DomainName = calmtg.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = calmtg.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = calmtg.com
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Access Utility Service - SprintNextel - C:\Program Files\Sprint\Mobile Broadband\SMBAUtilSvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 13522 bytes

I wasn't sure if you wanted me to post this in-between step, so I apologize if this is premature, but I'm off to download SuperANT.

Thanks again, and I'll post again after the next step.
Kenny94
Distinguished Member with 2,134 posts.
 
Join Date: Dec 2004
Location: S.C
Experience: Malware Fighter
05-Mar-2008, 04:09 PM #4
With an "icon in the system tray of a red, green and yellow shield", we had to check for Vundo. Maybe Smitfraud? Let's look at the SUPERAntiSpyware Scan Log and see.
jwosf
Junior Member with 11 posts.
 
Join Date: Mar 2008
Experience: Beginner
05-Mar-2008, 04:27 PM #5
OK - Here are the logs from Superantispyware and HijackThis
I ran SuperAntiSpyware and got the following log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/05/2008 at 12:31 PM

Application Version : 4.0.1154

Core Rules Database Version : 3414
Trace Rules Database Version: 1406

Scan type : Complete Scan
Total Scan Time : 02:07:43

Memory items scanned : 470
Memory threats detected : 0
Registry items scanned : 5417
Registry threats detected : 31
File items scanned : 120784
File threats detected : 480

Neopets Toolbar
HKLM\Software\Classes\CLSID\{CD292324-974F-4224-D074-CACA427AA030}
HKCR\CLSID\{CD292324-974F-4224-D074-CACA427AA030}
HKCR\CLSID\{CD292324-974F-4224-D074-CACA427AA030}
HKCR\CLSID\{CD292324-974F-4224-D074-CACA427AA030}\InprocServer32
HKCR\CLSID\{CD292324-974F-4224-D074-CACA427AA030}\InprocServer32#ThreadingModel
HKCR\CLSID\{CD292324-974F-4224-D074-CACA427AA030}\ProgID
C:\PROGRA~1\NEOPETS\TOOLBAR\TOOLBAR.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CD292324-974F-4224-D074-CACA427AA030}
HKLM\Software\Microsoft\Internet Explorer\Toolbar#{CD292324-974F-4224-D074-CACA427AA030}
HKCR\Toolbar.Neopets
HKCR\Toolbar.Neopets\Clsid
HKU\S-1-5-21-1606980848-1993962763-1202660629-1665\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser#{CD292324-974F-4224-D074-CACA427AA030}

Adware.Tracking Cookie

I have to post the rest of this separately because my character count is too high...
jwosf
Junior Member with 11 posts.
Join Date: Mar 2008
Experience: Beginner
05-Mar-2008, 04:28 PM #6
Part Two...

Adware.Zango Toolbar/Hb
C:\Documents and Settings\jwolfe.CALMTG\Application Data\ZangoToolbar\v3.0\ZangoOI\dynamic
C:\Documents and Settings\jwolfe.CALMTG\Application Data\ZangoToolbar\v3.0\ZangoOI\static
C:\Documents and Settings\jwolfe.CALMTG\Application Data\ZangoToolbar\v3.0\ZangoOI
C:\Documents and Settings\jwolfe.CALMTG\Application Data\ZangoToolbar\v3.0\ZangoOL\dynamic
C:\Documents and Settings\jwolfe.CALMTG\Application Data\ZangoToolbar\v3.0\ZangoOL\static
C:\Documents and Settings\jwolfe.CALMTG\Application Data\ZangoToolbar\v3.0\ZangoOL
C:\Documents and Settings\jwolfe.CALMTG\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\385434.sdf
C:\Documents and Settings\jwolfe.CALMTG\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\TooltipXML\18721

Malware.SpyDawn
HKCR\CLSID\{C1DF2728-8510-0773-96D8-5D0C1F27821B}
HKCR\CLSID\{C1DF2728-8510-0773-96D8-5D0C1F27821B}\cjcxnrlhkpFd
HKCR\CLSID\{C1DF2728-8510-0773-96D8-5D0C1F27821B}\Control
HKCR\CLSID\{C1DF2728-8510-0773-96D8-5D0C1F27821B}\gapBhkPypnf
HKCR\CLSID\{C1DF2728-8510-0773-96D8-5D0C1F27821B}\IcgbK
HKCR\CLSID\{C1DF2728-8510-0773-96D8-5D0C1F27821B}\InprocServer32
HKCR\CLSID\{C1DF2728-8510-0773-96D8-5D0C1F27821B}\InprocServer32#ThreadingModel
HKCR\CLSID\{C1DF2728-8510-0773-96D8-5D0C1F27821B}\Insertable
HKCR\CLSID\{C1DF2728-8510-0773-96D8-5D0C1F27821B}\MiscStatus
HKCR\CLSID\{C1DF2728-8510-0773-96D8-5D0C1F27821B}\MiscStatus\1
HKCR\CLSID\{C1DF2728-8510-0773-96D8-5D0C1F27821B}\ProgID
HKCR\CLSID\{C1DF2728-8510-0773-96D8-5D0C1F27821B}\Programmable
HKCR\CLSID\{C1DF2728-8510-0773-96D8-5D0C1F27821B}\rhQeO
HKCR\CLSID\{C1DF2728-8510-0773-96D8-5D0C1F27821B}\tikYrwmm
HKCR\CLSID\{C1DF2728-8510-0773-96D8-5D0C1F27821B}\ToolboxBitmap32
HKCR\CLSID\{C1DF2728-8510-0773-96D8-5D0C1F27821B}\TypeLib
HKCR\CLSID\{C1DF2728-8510-0773-96D8-5D0C1F27821B}\urVvUrIsbyn
HKCR\CLSID\{C1DF2728-8510-0773-96D8-5D0C1F27821B}\Version
HKCR\CLSID\{C1DF2728-8510-0773-96D8-5D0C1F27821B}\VersionIndependentProgID
HKCR\CLSID\{C1DF2728-8510-0773-96D8-5D0C1F27821B}\wzLuhkKjsC

Browser Hijacker.Favorites
C:\DOCUMENTS AND SETTINGS\JWOLFE.CALMTG\FAVORITES\ONLINE SECURITY TEST.URL

Trojan.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP532\A0083725.ICO
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP532\A0083726.ICO

Trojan Downloader-SystemAlert.Process
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP532\A0083727.DLL

I'll post the HijackThis log separately as well...
jwosf
Junior Member with 11 posts.
 
Join Date: Mar 2008
Experience: Beginner
05-Mar-2008, 04:29 PM #7
Latest HijackThis Log...
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 1:09:17 PM, on 3/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sprint\Mobile Broadband\SMBAUtilSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\sysockeu.exe
C:\WINDOWS\sysodkcs.exe
C:\WINDOWS\sysoghcx.exe
C:\WINDOWS\sysokuaw.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Programs\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://mailman.calmtg.com/exchweb/b...hange&reason=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2843DAC1-05EF-11D2-95BA-0060083493D6} - (no file)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll
O2 - BHO: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [OSCD_Creator] c:\Dell\PreODM.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [eFax 4.1] "C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [1029BB4B-16A9-4E77-AA3D-96930BD68EEC] "C:\WINDOWS\sysockeu.exe"
O4 - HKLM\..\Run: [852EBF20-A95D-4F1F-B9C2-B2CD24350F3E] "C:\WINDOWS\sysodkcs.exe"
O4 - HKLM\..\Run: [756349DC-6D9E-4F2A-9B24-269661F073C3] "C:\WINDOWS\sysoghcx.exe"
O4 - HKLM\..\Run: [2177F056-0AA6-4D6C-A944-13F71F341C29] "C:\WINDOWS\sysokuaw.exe"
O4 - HKLM\..\RunOnce: [OSCD_Creator] C:\Dell\PreODM.EXE /2
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinst.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/ca..._2.3.3.102.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...0/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1141846312692
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1141846419496
O16 - DPF: {7DD62E58-5FA8-11D2-AFB7-00104B64F126} - http://www.swiftview.com/product/pub...ll_a_green.exe
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://66.242.36.104/app/view22RTE.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...23/mcgdmgr.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/fr...ylomplayer.cab
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} (Java Plug-in 1.4.2_03) -
O16 - DPF: {D1548A26-B8F6-4E86-AE74-E7062CCC2E2A} (igLoader Content on Demand) - http://www.miniclip.com/igloader/igloader.CAB
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://3dlifeplayer.dl.3dvia.com/pla.../installer.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O16 - DPF: {E3E02F12-2ADB-478C-8742-5F0819F9F0F4} (Quantum Streaming IE VersionManager Class) - http://qmedia.xlontech.net/100170/sd...ie06041001.cab
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = calmtg.com
O17 - HKLM\Software\..\Telephony: DomainName = calmtg.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = calmtg.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = calmtg.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Access Utility Service - SprintNextel - C:\Program Files\Sprint\Mobile Broadband\SMBAUtilSvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 13707 bytes


Thanks again, and I'll wait for the next instructions!
jwosf
Junior Member with 11 posts.
 
Join Date: Mar 2008
Experience: Beginner
05-Mar-2008, 08:32 PM #8
I just got the blue screen which stated it was beginning a physical memory dump. It had this info:

STOP: 0x0000008E (0xC0000005, 0x8056EBA4, 0xF7DD399C, 0x000000C0)

The computer then restarted and I suspect this has been happening quite often since I started having these problems because I kept noticing all my programs had closed after coming back to the computer. I guess it had been rebooting without me realizing it.
Kenny94
Distinguished Member with 2,134 posts.
 
Join Date: Dec 2004
Location: S.C
Experience: Malware Fighter
06-Mar-2008, 07:15 AM #9
You have a lot of bad entries in your HJT log. That will cause a physical memory dump. Let's see.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Next

Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/comb...o-use-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
__________________
Member of the Alliance of Security Analysis Professionals

Malware And Security Tips
jwosf
Junior Member with 11 posts.
 
Join Date: Mar 2008
Experience: Beginner
06-Mar-2008, 01:45 PM #10
Looks like progress!
I ran ComboFix and the little shield in the system tray is gone. Unfortunately there was an IE popup that opened when ComboFix was creating the log. It said not to open any programs while it was doing that, so hopefully the popup wouldn't interfere with that somehow.

Anyway, here's the log:

ComboFix 08-03-05.3 - jwolfe 2008-03-06 10:24:19.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.186 [GMT -8:00]
Running from: C:\Documents and Settings\jwolfe.CALMTG\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\fdvch.exe

.
((((((((((((((((((((((((( Files Created from 2008-02-06 to 2008-03-06 )))))))))))))))))))))))))))))))
.

2008-03-06 10:08 . 2008-03-06 10:10 50,688 --a------ C:\Program Files\ATF-Cleaner.exe
2008-03-05 21:59 . 2008-03-05 21:59 1,440,054 --a------ C:\WINDOWS\mywallpaper.bmp
2008-03-05 10:18 . 2008-03-05 10:18 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-05 10:18 . 2008-03-05 10:18 <DIR> d-------- C:\Documents and Settings\jwolfe.CALMTG\Application Data\SUPERAntiSpyware.com
2008-03-05 10:18 . 2008-03-05 10:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-05 10:17 . 2008-03-05 10:17 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-05 10:16 . 2008-03-05 10:17 6,342,680 --a------ C:\Program Files\SUPERAntiSpyware.exe
2008-03-05 09:53 . 2008-03-05 09:53 <DIR> d-------- C:\VundoFix Backups
2008-03-05 09:52 . 2008-03-05 09:53 137,728 --a------ C:\Program Files\VundoFix.exe
2008-03-04 00:52 . 2008-03-04 00:51 691,545 --a------ C:\WINDOWS\unins001.exe
2008-03-04 00:52 . 2008-03-04 00:52 2,548 --a------ C:\WINDOWS\unins001.dat
2008-03-03 23:57 . 2008-03-03 23:57 35,840 --a------ C:\WINDOWS\sysockeu.exe
2008-03-03 23:57 . 2008-03-03 23:57 32,256 --a------ C:\WINDOWS\sysodkcs.exe
2008-03-03 23:57 . 2008-03-03 23:57 28,672 --a------ C:\WINDOWS\sysokuaw.exe
2008-03-03 23:57 . 2008-03-03 23:57 25,088 --a------ C:\WINDOWS\sysoghcx.exe
2008-03-03 23:57 . 2008-03-03 23:57 20,992 --a------ C:\WINDOWS\sysounrk.exe
2008-03-03 23:57 . 2008-03-03 23:58 3,072 --a------ C:\WINDOWS\ftebh.exe
2008-03-03 23:57 . 2008-03-03 23:58 1,855 --a------ C:\WINDOWS\config.ini
2008-03-03 23:57 . 2008-03-03 23:58 1,409 --a------ C:\WINDOWS\fbdzj.exe
2008-03-03 23:57 . 2008-03-03 23:58 1,272 --a------ C:\WINDOWS\fzmxg.dll
2008-02-15 17:32 . 2008-02-15 17:33 <DIR> d-------- C:\Program Files\Neopets
2008-02-15 17:32 . 2008-02-15 17:32 <DIR> d-------- C:\Documents and Settings\jwolfe.CALMTG\Application Data\Neopets Toolbar

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-06 18:05 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-03-05 03:29 --------- d-----w C:\Program Files\SwiftView
2008-03-04 09:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-04 08:57 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-03 18:28 --------- d-----w C:\Documents and Settings\jwolfe.CALMTG\Application Data\OpenOffice.org2
2008-02-04 06:07 --------- d-----w C:\Documents and Settings\jwolfe.CALMTG\Application Data\Move Networks
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
2007-07-02 02:28 110 ----a-w C:\Documents and Settings\All Users\Application Data\MostFunGameId.bin
2007-02-08 04:00 33,319,168 ----a-w C:\Program Files\GoogleSketchUpWEN.exe
2006-12-24 22:29 774,144 -c--a-w C:\Program Files\RngInterstitial.dll
2005-12-15 08:14 49,541,055 -c--a-w C:\Program Files\openofficeorg3.cab
2005-12-15 08:14 2,339,756 -c--a-w C:\Program Files\openofficeorg4.cab
2005-12-15 08:10 6,129,372 -c--a-w C:\Program Files\openofficeorg2.cab
2005-12-15 08:10 17,710,073 -c--a-w C:\Program Files\openofficeorg1.cab
2005-12-15 08:09 217 -c--a-w C:\Program Files\setup.ini
2005-09-12 18:21 266,843 -c--a-w C:\Program Files\nistime-32bit.exe
2002-03-11 08:06 1,822,520 -c--a-w C:\Program Files\instmsiw.exe
2002-03-11 07:45 1,708,856 -c--a-w C:\Program Files\instmsia.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-17 20:30 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OSCD_Creator"="c:\Dell\PreODM.EXE" [2004-10-31 03:21 408576]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-13 17:23 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-14 07:35 536576]
"DadApp"="C:\Program Files\Dell\AccessDirect\dadapp.exe" [2004-03-04 09:36 211828]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 03:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11 49152]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-08-09 05:03 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-09 05:03 81920]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 15:44 66680]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-03-12 14:18 124128]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [ ]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
"VSOCheckTask"="c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" [ ]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [ ]
"IPInSightLAN 01"="C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" [ ]
"IPInSightMonitor 01"="C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe" [ ]
"eFax 4.1"="C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe" [2005-12-16 15:59 107008]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2006-01-17 13:03 53248]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-07-12 21:14 185784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42 267064]
"1029BB4B-16A9-4E77-AA3D-96930BD68EEC"="C:\WINDOWS\sysockeu.exe" [2008-03-03 23:57 35840]
"852EBF20-A95D-4F1F-B9C2-B2CD24350F3E"="C:\WINDOWS\sysodkcs.exe" [2008-03-03 23:57 32256]
"756349DC-6D9E-4F2A-9B24-269661F073C3"="C:\WINDOWS\sysoghcx.exe" [2008-03-03 23:57 25088]
"2177F056-0AA6-4D6C-A944-13F71F341C29"="C:\WINDOWS\sysokuaw.exe" [2008-03-03 23:57 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 22:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2004-10-07 17:44 610304 C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2004-07-19 05:51 306688 C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
C:\Program Files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--a------ 2004-04-11 09:43 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.1]
--a------ 2005-12-16 15:59 107008 C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2006-01-17 13:03 53248 C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2007-07-12 21:14 214448 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-07-12 21:14 185784 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
C:\Program Files\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SavRoam"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YPAGER.EXE"=
"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\yserver.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

S3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\CBTNDIS5.SYS [2003-07-16 21:28]
S3 IPN2220;Wireless-G Notebook Adapter ver.4.0 Driver;C:\WINDOWS\system32\DRIVERS\i2220ntx.sys [2004-01-05 09:25]
S3 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2006-04-14 10:04]
S4 Pemssgsaprti;Pemssgsaprti;C:\WINDOWS\system32\drivers\HPN.SYS [2004-08-04 04:00]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-02 03:23:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-01 02:30:05 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (DH2CZR61-Richard 3).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-06 10:30:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-06 10:32:06
ComboFix-quarantined-files.txt 2008-03-06 18:31:38
.
2008-02-28 11:06:49 --- E O F ---

Here's the new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:36, on 2008-03-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sprint\Mobile Broadband\SMBAUtilSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\sysockeu.exe
C:\WINDOWS\sysodkcs.exe
C:\WINDOWS\sysoghcx.exe
C:\WINDOWS\sysokuaw.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Programs\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://mailman.calmtg.com/exchweb/b...hange&reason=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2843DAC1-05EF-11D2-95BA-0060083493D6} - (no file)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll
O2 - BHO: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [OSCD_Creator] c:\Dell\PreODM.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [eFax 4.1] "C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [1029BB4B-16A9-4E77-AA3D-96930BD68EEC] "C:\WINDOWS\sysockeu.exe"
O4 - HKLM\..\Run: [852EBF20-A95D-4F1F-B9C2-B2CD24350F3E] "C:\WINDOWS\sysodkcs.exe"
O4 - HKLM\..\Run: [756349DC-6D9E-4F2A-9B24-269661F073C3] "C:\WINDOWS\sysoghcx.exe"
O4 - HKLM\..\Run: [2177F056-0AA6-4D6C-A944-13F71F341C29] "C:\WINDOWS\sysokuaw.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinst.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/ca..._2.3.3.102.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...0/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1141846312692
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1141846419496
O16 - DPF: {7DD62E58-5FA8-11D2-AFB7-00104B64F126} - http://www.swiftview.com/product/pub...ll_a_green.exe
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://66.242.36.104/app/view22RTE.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...23/mcgdmgr.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/fr...ylomplayer.cab
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} (Java Plug-in 1.4.2_03) -
O16 - DPF: {D1548A26-B8F6-4E86-AE74-E7062CCC2E2A} (igLoader Content on Demand) - http://www.miniclip.com/igloader/igloader.CAB
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://3dlifeplayer.dl.3dvia.com/pla.../installer.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O16 - DPF: {E3E02F12-2ADB-478C-8742-5F0819F9F0F4} (Quantum Streaming IE VersionManager Class) - http://qmedia.xlontech.net/100170/sd...ie06041001.cab
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = calmtg.com
O17 - HKLM\Software\..\Telephony: DomainName = calmtg.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = calmtg.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = calmtg.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Access Utility Service - SprintNextel - C:\Program Files\Sprint\Mobile Broadband\SMBAUtilSvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 13215 bytes

Unfortunately, I'm still getting popups and that Windows warning that says that it has found the trojan spm/lx. But the resolution on the screen is back to normal, and the shield is gone.

Thanks again, Kenny. I'll wait for your next post.
jwosf's Avatar
Junior Member with 11 posts.
 
Join Date: Mar 2008
Experience: Beginner
06-Mar-2008, 06:36 PM #11
Shield icon back in system tray
The computer just rebooted on its own again and the shield icon is back, along with the lower screen resolution. I'm not sure if this is important, but thought I'd post anyway...
Kenny94's Avatar
Distinguished Member with 2,134 posts.
 
Join Date: Dec 2004
Location: S.C
Experience: Malware Fighter
07-Mar-2008, 04:33 PM #12
Hi jwosf

Quote:
The computer just rebooted on its own again and the shield icon is back, along with the lower screen resolution. I'm not sure if this is important, but thought I'd post anyway...
Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Warning: Do not run Option #2 until you are instructed to do so. Running option #2 on a non-infected computer will remove your Desktop background.

Next

Open Notepad and copy and paste the text in the code box below into it:


Code:
File::
C:\WINDOWS\sysockeu.exe
C:\WINDOWS\sysodkcs.exe
C:\WINDOWS\sysoghcx.exe
C:\WINDOWS\sysokuaw.exe
C:\WINDOWS\ftebh.exe
C:\WINDOWS\fbdzj.exe
C:\WINDOWS\fzmxg.dll

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.




This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

In your next reply, please include these log(s):

* SmitfraudFix
* Combofix.txt
* HijackThis log (new)
__________________
Member of the Alliance of Security Analysis Professionals

Malware And Security Tips

Last edited by Kenny94 : 07-Mar-2008 04:40 PM.
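The first four files in the CFScript above are the same four that the HijackThis log lists as HKLM Run values named with a bare GUID and stored directly in C:\WINDOWS. The Python script below is an added example, not part of the original posts and not the helper's stated method; it parses HijackThis O4 lines and reports entries that match both traits. The two-trait heuristic and all function names are assumptions made for illustration, and the sample input is an excerpt of the log posted earlier in this thread.

```python
import re
from pathlib import PureWindowsPath

# Excerpt of O4 lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [1029BB4B-16A9-4E77-AA3D-96930BD68EEC] "C:\WINDOWS\sysockeu.exe"
O4 - HKLM\..\Run: [852EBF20-A95D-4F1F-B9C2-B2CD24350F3E] "C:\WINDOWS\sysodkcs.exe"
O4 - HKLM\..\Run: [756349DC-6D9E-4F2A-9B24-269661F073C3] "C:\WINDOWS\sysoghcx.exe"
O4 - HKLM\..\Run: [2177F056-0AA6-4D6C-A944-13F71F341C29] "C:\WINDOWS\sysokuaw.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
"""

# "O4 - HKLM\..\Run: [value name] command line"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): "
    r"\[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)
# A value name that is nothing but a GUID (no braces, no product name).
GUID_RE = re.compile(
    r"[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}", re.I
)
# Unquoted command: the image ends at the first executable extension that is
# followed by whitespace or end of line (so "mcafee.com\..." is not cut short).
IMAGE_RE = re.compile(r"^(?P<image>.+?\.(?:exe|dll|com|bat|cmd|scr|pif))(?=\s|$)", re.I)


def image_path(cmd):
    """Return the executable path from a Run command line, without arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    match = IMAGE_RE.match(cmd)
    return match.group("image") if match else cmd


def triage(log_text, windows_dir=r"C:\WINDOWS"):
    """Parse every registry Run-style O4 line and attach the traits it matches."""
    root = PureWindowsPath(windows_dir)
    entries = []
    for raw in log_text.splitlines():
        match = O4_RE.match(raw.strip())
        if not match:
            continue  # startup-folder shortcuts and non-O4 lines are skipped
        image = image_path(match["cmd"])
        reasons = []
        if GUID_RE.fullmatch(match["name"]):
            reasons.append("guid-value-name")
        # PureWindowsPath compares case-insensitively, as Windows paths do.
        if PureWindowsPath(image).parent == root:
            reasons.append("image-in-windows-root")
        entries.append(
            {
                "hive": match["hive"],
                "key": match["key"],
                "name": match["name"],
                "image": image,
                "reasons": reasons,
            }
        )
    return entries


def suspect_images(log_text):
    """Images whose Run entry matches both traits; candidates for closer review."""
    return [e["image"] for e in triage(log_text) if len(e["reasons"]) == 2]


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        if entry["reasons"]:
            print(entry["hive"], entry["name"], entry["image"], entry["reasons"])
```

A match is only a lead for review: the files still need to be checked (hash lookup, signature, creation time) before anything is removed.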
Kenny94's Avatar
Distinguished Member with 2,134 posts.
 
Join Date: Dec 2004
Location: S.C
Experience: Malware Fighter
07-Mar-2008, 04:41 PM #13
Note:
I added some more files to CFScript.txt
jwosf's Avatar
Junior Member with 11 posts.
 
Join Date: Mar 2008
Experience: Beginner
07-Mar-2008, 08:30 PM #14
I did all the steps, but ran into trouble when I ran ComboFix after dragging your code into the program icon. It did start a new scan and appeared to get all the way through it but it stalled out when the window said it was creating a log file. I restarted the computer and tried to run ComboFix again but it stalled again. So I just ran HijackThis and here are the results:

SmitFraud log:

SmitFraudFix v2.300

Scan done at 16:22:13.87, 2008-03-07
Run from C:\Documents and Settings\jwolfe.CALMTG\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sprint\Mobile Broadband\SMBAUtilSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\sysockeu.exe
C:\WINDOWS\sysodkcs.exe
C:\WINDOWS\sysoghcx.exe
C:\WINDOWS\sysokuaw.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\NOTEPAD.EXE

»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

127.0.0.1 www.legal-at-spybot.info
127.0.0.1 legal-at-spybot.info

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\jwolfe.CALMTG


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\jwolfe.CALMTG\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\JWOLFE~1.CAL\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Dell Wireless WLAN 1350 WLAN Mini-PCI Card - Packet Scheduler Miniport
DNS Server Search Order: 68.87.76.178
DNS Server Search Order: 68.87.78.130

HKLM\SYSTEM\CCS\Services\Tcpip\..\{6EEA68B9-50E8-4276-AF2B-48C1DEFD7E2A}: DhcpNameServer=68.87.76.178 68.87.78.130
HKLM\SYSTEM\CS1\Services\Tcpip\..\{6EEA68B9-50E8-4276-AF2B-48C1DEFD7E2A}: DhcpNameServer=68.87.76.178 68.87.78.130
HKLM\SYSTEM\CS2\Services\Tcpip\..\{6EEA68B9-50E8-4276-AF2B-48C1DEFD7E2A}: DhcpNameServer=68.87.76.178 68.87.78.130
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.76.178 68.87.78.130
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.76.178 68.87.78.130
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=68.87.76.178 68.87.78.130


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

HJT:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 17:25, on 2008-03-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sprint\Mobile Broadband\SMBAUtilSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Programs\HiJackThis_v2.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://mailman.calmtg.com/exchweb/b...hange&reason=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2843DAC1-05EF-11D2-95BA-0060083493D6} - (no file)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll
O2 - BHO: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [OSCD_Creator] c:\Dell\PreODM.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [eFax 4.1] "C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [1029BB4B-16A9-4E77-AA3D-96930BD68EEC] "C:\WINDOWS\sysockeu.exe"
O4 - HKLM\..\Run: [852EBF20-A95D-4F1F-B9C2-B2CD24350F3E] "C:\WINDOWS\sysodkcs.exe"
O4 - HKLM\..\Run: [756349DC-6D9E-4F2A-9B24-269661F073C3] "C:\WINDOWS\sysoghcx.exe"
O4 - HKLM\..\Run: [2177F056-0AA6-4D6C-A944-13F71F341C29] "C:\WINDOWS\sysokuaw.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinst.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/ca..._2.3.3.102.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...0/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1141846312692
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1141846419496
O16 - DPF: {7DD62E58-5FA8-11D2-AFB7-00104B64F126} - http://www.swiftview.com/product/pub...ll_a_green.exe
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://66.242.36.104/app/view22RTE.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...23/mcgdmgr.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/fr...ylomplayer.cab
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} (Java Plug-in 1.4.2_03) -
O16 - DPF: {D1548A26-B8F6-4E86-AE74-E7062CCC2E2A} (igLoader Content on Demand) - http://www.miniclip.com/igloader/igloader.CAB
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://3dlifeplayer.dl.3dvia.com/pla.../installer.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O16 - DPF: {E3E02F12-2ADB-478C-8742-5F0819F9F0F4} (Quantum Streaming IE VersionManager Class) - http://qmedia.xlontech.net/100170/sd...ie06041001.cab
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = calmtg.com
O17 - HKLM\Software\..\Telephony: DomainName = calmtg.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = calmtg.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = calmtg.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Access Utility Service - SprintNextel - C:\Program Files\Sprint\Mobile Broadband\SMBAUtilSvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 13244 bytes

Thanks again for your continued help! Let me know what's next...
Kenny94's Avatar
Distinguished Member with 2,134 posts.
 
Join Date: Dec 2004
Location: S.C
Experience: Malware Fighter
07-Mar-2008, 09:03 PM #15
Quote:
I ran ComboFix after dragging your code into the program icon. It did start a new scan and appeared to get all the way through it but it stalled out when the window said it was creating a log file. I restarted the computer and tried to run ComboFix again but it stalled again.
Let's try something different. We'll use Killbox to remove these bad files. I see SmitFraud log came back clean.


Run HijackThis, click on "Scan" and check the boxes next to all these items.

O2 - BHO: (no name) - {2843DAC1-05EF-11D2-95BA-0060083493D6} - (no file)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O4 - HKLM\..\Run: [1029BB4B-16A9-4E77-AA3D-96930BD68EEC] "C:\WINDOWS\sysockeu.exe"
O4 - HKLM\..\Run: [852EBF20-A95D-4F1F-B9C2-B2CD24350F3E] "C:\WINDOWS\sysodkcs.exe"
O4 - HKLM\..\Run: [756349DC-6D9E-4F2A-9B24-269661F073C3] "C:\WINDOWS\sysoghcx.exe"
O4 - HKLM\..\Run: [2177F056-0AA6-4D6C-A944-13F71F341C29] "C:\WINDOWS\sysokuaw.exe"

Then close all windows, and browsers, except HijackThis. Tell HijackThis to "Fix checked".


Next

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\sysockeu.exe
    C:\WINDOWS\sysodkcs.exe
    C:\WINDOWS\sysoghcx.exe
    C:\WINDOWS\sysokuaw.exe
    C:\WINDOWS\ftebh.exe
    C:\WINDOWS\fbdzj.exe
    C:\WINDOWS\fzmxg.dll



  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.


With that done, please post back with a fresh HiJackThis log. Also, please let me know how things are running now and if you encountered any problems while you were following the instructions I posted.
__________________
Member of the Alliance of Security Analysis Professionals

Malware And Security Tips
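The entries selected for fixing in the post above share two patterns: Run values named with a bare GUID that launch an executable sitting directly in C:\WINDOWS, and unnamed BHOs whose file is missing. The following triage sketch is an added example, not part of the original post or of HijackThis; the rule names and the heuristics are assumptions, and the sample lines are copied from the log in this thread.

```python
import ntpath
import re

GUID = r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}"
O4_RUN = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run\w*: \[(.*?)\] (.*)$")
O2_BHO = re.compile(r"^O2 - BHO: (.*?) - \{(" + GUID + r")\} - (.*)$")
# Program path: either quoted, or everything up to the first executable extension.
EXE = re.compile(r'"([^"]+)"|(.+?\.(?:exe|com|scr|bat|cmd|dll))(?=\s|$)', re.I)

# Lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2843DAC1-05EF-11D2-95BA-0060083493D6} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [1029BB4B-16A9-4E77-AA3D-96930BD68EEC] "C:\WINDOWS\sysockeu.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

def target_path(command):
    """Return the program path from a Run command line, quoted or unquoted."""
    m = EXE.match(command.strip())
    if not m:
        parts = command.split()
        return parts[0] if parts else ""
    return m.group(1) or m.group(2)

def triage(log_text):
    """Return (rule, detail) pairs for log lines matching either pattern."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RUN.match(line)
        if m:
            name, command = m.groups()
            path = target_path(command)
            # Flag only files directly in C:\WINDOWS, not in system32 or below.
            in_windows_root = ntpath.dirname(path).lower() == r"c:\windows"
            if re.fullmatch(GUID, name) and in_windows_root:
                findings.append(("guid-run-value", path))
            continue
        m = O2_BHO.match(line)
        if m and m.group(1) == "(no name)" and m.group(3) == "(no file)":
            findings.append(("orphan-bho", "{" + m.group(2) + "}"))
    return findings

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(rule, detail)
```

A match is only a prompt for a closer look at the entry; it does not cover the O3, O9 or R3 "(no file)" lines, which were not selected in the post.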
All times are GMT -5.