
Being redirected when I click search results

Discussion in 'Malware and Virus Removal Archive' started by fortunateden, 2008/01/02.

  1. 2008/01/02
    fortunateden

    fortunateden Inactive Thread Starter

    I have tried Spybot and adaware to get rid of this pain in the butt spyware, or virus (not sure what the heck it is)..neither one works...I click on the results that my search engine brings up and it takes me to either a **** site, I.COM, or other unwanted sites. What next?


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:34:33 PM, on 1/2/2008
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\DOCUME~1\DENNIL~1\DESKTOP\SUPERG~2.EXE
    C:\Program Files\MySpace\IM\MySpaceIM.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\WINDOWS\System32\WgaTray.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=...Y4BUL+bELYDaF2ASqjxe3npuaeAQgWHqMcWcJlnqmWP0=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - - (no file)
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {39D93272-EF47-0C97-D753-6D550585703D} - C:\WINDOWS\System32\fkrbtmin.dll (file missing)
    O2 - BHO: (no name) - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
    O2 - BHO: (no name) - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - (no file)
    O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\System32\ntsystem.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
    O4 - HKCU\..\Run: [supergrannyam.exe] C:\DOCUME~1\DENNIL~1\DESKTOP\SUPERG~2.EXE /r
    O4 - HKCU\..\Run: [MySpaceIM] "C:\Program Files\MySpace\IM\MySpaceIM.exe"
    O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
    O4 - Startup: Snapfish Picture Mover.lnk = C:\Program Files\Snapfish Picture Mover\SnapfishPictureMover.exe
    O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Search - ?p=ZNfox000
    O8 - Extra context menu item: Crawler Search - tbr:iemenu
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} -
    O16 - DPF: {11111111-1111-1111-1111-111111113456} - file://c:\info6_s.cab
    O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) -
    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
    O16 - DPF: {2C8EEB84-6D60-11D4-BD64-0050048A82BF} -
    O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} -
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) -
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/06972700cbe1de42ce17/netzip/RdxIE601.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc1.webresponse.one.microsoft.com/media/xp/TLIEFlash.CAB
    O16 - DPF: {A1B09066-C95C-4EF6-8DFD-3DD0AFE610B6} - http://pak02.pictures.aol.com/ygp/aol/plugin/screensaver/YGPPicScreensaver.9.0.1.4.cab
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} -
    O16 - DPF: {CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA} -
    O16 - DPF: {CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} -
    O16 - DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} (Java Plug-in 1.4.2_05) -
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://aol123.pogo.com/game/deluxe/zuma/popcaploader_v5.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F413BCEF-3FA5-4232-B5D6-92E625A5E3A8}: NameServer = 85.255.113.109,85.255.112.138
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FA57200C-FFB2-472D-819A-FC6A12A8590B}: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.109 85.255.112.138
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.109 85.255.112.138
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.109 85.255.112.138
    O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

    --
    End of file - 8529 bytes
     
  2. 2008/01/04
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Hi fortunateden
    Welcome to Windowsbbs. :)

    Your system is infected pretty badly.

    You have at least one dialer, I would check your phone bill for fraudulent charges.

    Please make sure you answer any questions asked during this cleaning process, run the tools in the order given, and read any comments before fixing any HJT entries.


    It may be helpful to print or save these instructions to a text file. You can use it as a checklist to make sure all tasks are completed, in the order given, and all logs are available for posting. Since you have been asked to run multiple tasks and post several logs, please re-read all instructions prior to posting back, to make sure all requested actions have been completed and all requested logs are available. This will help save us both time. Thanks!


    Did you knowingly install Crawler Search tool bar and supergrannyam?


    Download ComboFix from Here to your Desktop.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post the log in your next reply
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall


    Please download FixWareout from here:
    http://downloads.subratam.org/Fixwareout.exe

    Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
    The fix will begin; follow the prompts. If your firewall gives an alert, (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.
    Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
    Once the desktop loads please post the text that will open (report.txt).


    If you did not knowingly install Crawler search then delete the ones in blue below also.


    Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

    Crawler Search <<Anything to do with Crawler
    supergrannyam <<If you did not install this yourself.

    Please note any other programs that you don't recognize in that list and post them in your next response

    Please re-open HiJackThis and scan only. Check the boxes next to all the entries listed below.

    R3 - URLSearchHook: (no name) - - (no file)
    O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
    O2 - BHO: (no name) - {39D93272-EF47-0C97-D753-6D550585703D} - C:\WINDOWS\System32\fkrbtmin.dll (file missing)
    O2 - BHO: (no name) - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
    O2 - BHO: (no name) - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - (no file)
    O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
    O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\System32\ntsystem.exe
    O4 - HKCU\..\Run: [supergrannyam.exe] C:\DOCUME~1\DENNIL~1\DESKTOP\SUPERG~2.EXE /r
    O8 - Extra context menu item: &Search - ?p=ZNfox000
    O8 - Extra context menu item: Crawler Search - tbr:iemenu

    O16 - DPF: {11111111-1111-1111-1111-111111113456} - file://c:\info6_s.cab
    O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab
    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
    O16 - DPF: {2C8EEB84-6D60-11D4-BD64-0050048A82BF} -
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/06972700...p/RdxIE601.cab
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc1.webresponse.one.microso.../TLIEFlash.CAB
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} -
    O16 - DPF: {CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA} -
    O16 - DPF: {CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} -
    O16 - DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} (Java Plug-in 1.4.2_05) -
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F413BCEF-3FA5-4232-B5D6-92E625A5E3A8}: NameServer = 85.255.113.109,85.255.112.138

    O17 - HKLM\System\CCS\Services\Tcpip\..\{FA57200C-FFB2-472D-819A-FC6A12A8590B}: NameServer = 208.67.220.220,208.67.222.222 <<Do you know who Freedom Networks are? Based in San Francisco. It's an OpenDNS server. If not fix with HJT.

    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.109 85.255.112.138
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.109 85.255.112.138
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.109 85.255.112.138
    O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll


    Now close all windows other than HiJackThis, then click Fix Checked.

    Close HJT.

    Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

    C:\PROGRAM FILES\Crawler

    Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

    C:\WINDOWS\System32\ntsystem.exe
    c:\info6_s.cab
    c:\explorer.cab
    c:\counter.cab


    After that, Reboot.

    Please download Deckard's System Scanner (dss.exe) and save it to your Desktop.
    Note: You must be logged onto an account with administrator privileges to complete the following.
    • Close all other windows before proceeding.
    • Double-click on dss.exe and follow the prompts.
    • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy and then paste the contents of main.txt and extra.txt in your next reply.

    Please post the
    Combofix log
    The FixWareOut log
    The dss log
    and a new HJT log.

    Thanks
    Geri
     
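A defender-side triage of the indicators Geri walks through above (O17 entries pointing at resolvers nobody configured, the ProxyServer set to localhost, BHO/toolbar registrations with no file behind them, and Run entries whose bare filenames imitate system binaries), as an added Python example that is not part of this thread, of HijackThis or of any of the tools named. The sample lines are copied from the logs posted above; the trusted-resolver set is an assumption taken from the OpenDNS pair named in the reply, and the `Finding`, `triage` and `osa_distance` names are this example's own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Resolvers the reply treats as expected on this machine: the OpenDNS pair it
# names (assumption taken from the thread; substitute the ISP's resolvers).
TRUSTED_DNS = {"208.67.220.220", "208.67.222.222"}

# Windows binaries the bogus Run entries in this log imitate.
SYSTEM_BINARIES = ("lsass.exe", "svchost.exe", "csrss.exe", "services.exe",
                   "winlogon.exe", "explorer.exe")

O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d., ]+)$")
PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (?P<proxy>\S+)$")
ORPHAN_RE = re.compile(r"^O[23] - .*\(no file\)\s*$")
RUN_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


@dataclass
class Finding:
    line: str
    reason: str


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance (edits plus adjacent transposition),
    so that 'lssas.exe' is exactly one step from 'lsass.exe'."""
    a, b = a.lower(), b.lower()
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def executable_of(cmd: str) -> str:
    """The program a Run command launches: the quoted path, else the first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def triage_line(line: str) -> list[Finding]:
    """Apply the checks behind the diagnosis in this thread to one HJT line."""
    line = line.strip()
    findings: list[Finding] = []
    if m := O17_RE.match(line):
        # The search redirection in this thread traces to resolvers nobody configured.
        for server in re.split(r"[,\s]+", m["servers"].strip()):
            if server and server not in TRUSTED_DNS:
                findings.append(Finding(line, f"unexpected DNS resolver {server}"))
    elif m := PROXY_RE.match(line):
        # A proxy on localhost means something on the box sits between IE and the web.
        if "localhost" in m["proxy"] or "127.0.0.1" in m["proxy"]:
            findings.append(Finding(line, f"browser proxied through a local port: {m['proxy']}"))
    elif ORPHAN_RE.match(line):
        findings.append(Finding(line, "BHO/toolbar registration whose file is gone"))
    elif m := RUN_RE.match(line):
        exe = executable_of(m["cmd"])
        base = exe.rsplit("\\", 1)[-1].lower()
        if "\\" not in exe:
            findings.append(Finding(line, f"Run entry '{m['name']}' names a bare file {base}; its location cannot be verified from the log"))
        for legit in SYSTEM_BINARIES:
            if base != legit and osa_distance(base, legit) == 1:
                findings.append(Finding(line, f"{base} is one edit away from system binary {legit}"))
    return findings


def triage(log_text: str) -> list[Finding]:
    return [f for line in log_text.splitlines() for f in triage_line(line)]


# Sample input: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{F413BCEF-3FA5-4232-B5D6-92E625A5E3A8}: NameServer = 85.255.113.109,85.255.112.138
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA57200C-FFB2-472D-819A-FC6A12A8590B}: NameServer = 208.67.220.220,208.67.222.222
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O2 - BHO: (no name) - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - (no file)
O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKLM\..\Run: [Games Acceleration] svshost.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Entries such as the `[gwiz] C:\WINDOWS\System32\ntsystem.exe` line pass these checks because they carry a full path and imitate nothing, which is why the reply still reads every O4 line by hand.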


  4. 2008/01/04
    fortunateden

    fortunateden Inactive Thread Starter

    Hi Geri!
    Thanks so much for your help:D..here we go!
    I am not clear on why I would have a dialer. Not really even sure what a dialer is, but I assumed it meant for a dial up connection..but I have DSL.
    As for the supergrannyam..pretty sure long ago I downloaded a trial version of the game and then tried to remove it numerous times to no avail. Also, as I was going through and deleting entries on HJT, the entries were not present, but sure enough, after all the processes I just went through and rebooted, etc., and the icon is now back on my desktop:( Also, no entries for Crawler Search..btw, I didn't knowingly install that, but also after processes and reboot back on desktop.
    As for those stinkers at Freedom Networks...I think this is my major problem..in my novice opinion that is..after I click on the results for a search, these types of numbers come up in my progress bar at the bottom of screen...208.67.220.etc. Don't know what a name server is, but I am guessing it is baaad news...


    Combofix log:
    ComboFix 08-01-04.1 - Dennille Christensen 2008-01-04 18:26:29.1 - NTFSx86
    Running from: C:\Documents and Settings\Dennille Christensen\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\111.exe
    C:\Redemption.ECF
    C:\WINDOWS\system32\kdfsw.exe
    C:\WINDOWS\system32\ntsystem.exe

    .
    ((((((((((((((((((((((((( Files Created from 2007-12-05 to 2008-01-05 )))))))))))))))))))))))))))))))
    .

    2008-01-04 18:24 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2008-01-02 20:10 . 2008-01-02 20:10 <DIR> d-------- C:\Program Files\Trend Micro
    2008-01-01 19:53 . 2008-01-01 20:54 <DIR> d-------- C:\Program Files\Spyware Terminator
    2008-01-01 19:53 . 2008-01-01 20:49 <DIR> d-------- C:\Documents and Settings\Dennille Christensen\Application Data\Spyware Terminator
    2008-01-01 19:53 . 2008-01-01 20:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
    2007-12-30 17:03 . 2007-12-30 17:03 <DIR> d-------- C:\Program Files\SpywareBlaster
    2007-12-30 17:03 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
    2007-12-30 17:03 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
    2007-12-30 15:00 . 2007-12-30 15:17 <DIR> d-------- C:\Program Files\Nsauditor
    2007-12-30 13:01 . 2007-12-30 13:01 <DIR> d-------- C:\Program Files\Nick Jr. Arcade

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-01 19:11 --------- d-----w C:\Program Files\Google
    2007-12-30 19:01 --------- d-----w C:\Program Files\Common Files\Scanner
    2007-12-30 18:01 --------- d-----w C:\Program Files\Yahoo!
    2007-05-20 16:59 529 -c-ha-w C:\Documents and Settings\Dennille Christensen\hpothb07.dat
    2005-02-16 02:34 164 -c-ha-w C:\Documents and Settings\All Users\hpothb07.dat
    2005-02-16 02:34 0 -c-ha-w C:\Documents and Settings\All Users\Application Data\hpothb07.dat
    2005-02-16 02:31 169 -c-ha-w C:\Documents and Settings\NetworkService\hpothb07.dat
    2005-02-16 02:29 0 -c-ha-w C:\Documents and Settings\Dennille Christensen\Application Data\hpothb07.dat
    2005-02-16 02:29 0 -c-ha-w C:\Documents and Settings\Default User\hpothb07.dat
    2004-09-27 14:33 380,928 -csh--r C:\WINDOWS\system32\??plorer.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39D93272-EF47-0C97-D753-6D550585703D}]
    C:\WINDOWS\System32\fkrbtmin.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-11-15 16:18 1670144]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 00:04 1415824]
    "supergrannyam.exe"="C:\DOCUME~1\DENNIL~1\DESKTOP\SUPERG~2.exe" [2005-12-26 20:58 212992]
    "MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-08-13 18:04 5562368]
    "Microsoft Internet Acceleration Utility"="iau.exe" []
    "Internet Connection Wizard"="stisvsq.exe" []
    "Games Acceleration"="svshost.exe" []
    "Internet Mail and News"="msqdevl.exe" []
    "Microsoft Management Console"="lssas.exe" []
    "Multimedia extensions"="mservice.exe" []

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"="SOUNDMAN.EXE" [2003-06-10 04:12 55296 C:\WINDOWS\soundman.exe]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-05-06 12:49 180269]
    "Microsoft Internet Acceleration Utility"="iau.exe" []
    "Internet Connection Wizard"="stisvsq.exe" []
    "Games Acceleration"="svshost.exe" []
    "Internet Mail and News"="msqdevl.exe" []
    "Microsoft Management Console"="lssas.exe" []
    "Multimedia extensions"="mservice.exe" []
    "KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" [ ]
    "SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [ ]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-08-13 18:04 5562368]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
    backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
    backup=C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
    backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
    2000-07-13 14:00 28739 --a--c--- c:\Program Files\Microsoft Works\WkDetect.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    C:\Program Files\Messenger\msmsgs.exe /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV CfgWiz]
    C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE REBOOT

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pzd]
    2004-09-27 08:33 380928 -r-hsc--- C:\WINDOWS\System32\??plorer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    C:\Program Files\QuickTime\qttask.exe -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runwin32]
    C:\WINDOWS\runwin32.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2004-06-03 21:05 32881 --a------ C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SVCHOST]
    C:\WINDOWS\svchost.exe 7

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TBPS]
    C:\PROGRA~1\Toolbar\TBPS.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Usrr]
    C:\Documents and Settings\Dennille Christensen\Application Data\rncr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Winhost]
    C:\WINDOWS\win.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wininet32]
    C:\WINDOWS\wininet32.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTools]
    C:\Program Files\Common Files\WinTools\WToolsA.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\You've Got Pictures Screensaver]
    C:\Program Files\You've Got Pictures Screensaver\ygpsstra.exe


    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-04 18:34:15
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-01-04 18:38:27 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-01-05 00:38:16
    .
    2007-12-13 09:05:34 --- E O F ---




    FixWareOut log:
    Username "Dennille Christensen" - 01/04/2008 18:46:07 [Fixwareout edited 9/01/2007]

    ~~~~~ Prerun check

    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{F413BCEF-3FA5-4232-B5D6-92E625A5E3A8}
    "nameserver"="85.255.113.109,85.255.112.138" <Value cleared.

    Successfully flushed the DNS Resolver Cache.


    System was rebooted successfully.

    ~~~~~ Postrun check
    HKLM\SOFTWARE\~\Winlogon\ "system"=""
    ....
    ....
    ~~~~~ Misc files.
    ....
    ~~~~~ Checking for older varients.
    ....

    ~~~~~ Current runs (hklm hkcu "run" Keys Only)
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
    "SoundMan"="SOUNDMAN.EXE"
    "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "Microsoft Internet Acceleration Utility"="iau.exe"
    "SSC_UserPrompt"="\"C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe\""
    "KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
    65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
    "supergrannyam.exe"="C:\\DOCUME~1\\DENNIL~1\\DESKTOP\\SUPERG~2.EXE /r"
    "MySpaceIM"="\"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe\""
    "Microsoft Internet Acceleration Utility"="iau.exe"
    "Internet Connection Wizard"="stisvsq.exe"
    "Games Acceleration"="svshost.exe"
    "Internet Mail and News"="msqdevl.exe"
    "Microsoft Management Console"="lssas.exe"
    "Multimedia extensions"="mservice.exe"
    ....
    Hosts file was reset, If you use a custom hosts file please replace it...
    ~~~~~ End report ~~~~~

    the dss log:
    Deckard's System Scanner v20071014.68
    Run by Dennille Christensen on 2008-01-04 19:35:45
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    Percentage of Memory in Use: 80% (more than 75%).
    Total Physical Memory: 254 MiB (512 MiB recommended).


    -- HijackThis (run as Dennille Christensen.exe) --------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:35:54 PM, on 1/4/2008
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\MySpace\IM\MySpaceIM.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\WINDOWS\System32\WgaTray.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Dennille Christensen\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\DENNIL~1.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {39D93272-EF47-0C97-D753-6D550585703D} - (no file)
    O2 - BHO: (no name) - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
    O2 - BHO: (no name) - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
    O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Internet Connection Wizard] stisvsq.exe
    O4 - HKLM\..\Run: [Games Acceleration] svshost.exe
    O4 - HKLM\..\Run: [Internet Mail and News] msqdevl.exe
    O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
    O4 - HKLM\..\Run: [Multimedia extensions] mservice.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [MySpaceIM] "C:\Program Files\MySpace\IM\MySpaceIM.exe"
    O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
    O4 - HKCU\..\Run: [Internet Connection Wizard] stisvsq.exe
    O4 - HKCU\..\Run: [Games Acceleration] svshost.exe
    O4 - HKCU\..\Run: [Internet Mail and News] msqdevl.exe
    O4 - HKCU\..\Run: [Microsoft Management Console] lssas.exe
    O4 - HKCU\..\Run: [Multimedia extensions] mservice.exe
    O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
    O4 - Startup: Snapfish Picture Mover.lnk = C:\Program Files\Snapfish Picture Mover\SnapfishPictureMover.exe
    O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} -
    O16 - DPF: {11111111-1111-1111-1111-111111113456} -
    O16 - DPF: {11111111-1111-1111-1111-111111113457} -
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) -
    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} -
    O16 - DPF: {2C8EEB84-6D60-11D4-BD64-0050048A82BF} -
    O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} -
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) -
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} -
    O16 - DPF: {A1B09066-C95C-4EF6-8DFD-3DD0AFE610B6} - http://pak02.pictures.aol.com/ygp/aol/plugin/screensaver/YGPPicScreensaver.9.0.1.4.cab
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} -
    O16 - DPF: {CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA} -
    O16 - DPF: {CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} -
    O16 - DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} -
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://aol123.pogo.com/game/deluxe/zuma/popcaploader_v5.cab
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

    --
    End of file - 6941 bytes

    -- Files created between 2007-12-04 and 2008-01-04 -----------------------------

    2008-01-02 20:10:56 0 d-------- C:\Program Files\Trend Micro
    2008-01-01 19:53:14 0 d-------- C:\Documents and Settings\Dennille Christensen\Application Data\Spyware Terminator
    2008-01-01 19:53:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
    2008-01-01 19:53:05 0 d-------- C:\Program Files\Spyware Terminator
    2007-12-30 17:03:51 118784 --a------ C:\WINDOWS\System32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
    2007-12-30 17:03:50 0 d-------- C:\Program Files\SpywareBlaster
    2007-12-30 15:00:58 0 d-------- C:\Program Files\Nsauditor
    2007-12-30 13:01:48 0 d-------- C:\Program Files\Nick Jr. Arcade
    2007-12-24 02:39:26 4194304 --a------ C:\Documents and Settings\Dennille Christensen\ntuser.dat


    -- Find3M Report ---------------------------------------------------------------

    2008-01-04 19:19:47 0 d-------- C:\Program Files\MSN Encarta Plus
    2008-01-04 19:19:46 0 d-------- C:\Program Files\Movie Maker
    2008-01-04 19:19:44 0 d-------- C:\Program Files\Microsoft Works
    2008-01-04 19:19:43 0 d-------- C:\Program Files\Messenger
    2008-01-04 19:19:42 0 d-------- C:\Program Files\ICQ
    2008-01-01 13:11:22 0 d-------- C:\Program Files\Google
    2007-12-30 13:01:56 0 d-------- C:\Program Files\Common Files\Scanner
    2007-12-30 12:01:50 0 d-------- C:\Program Files\Yahoo!


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39D93272-EF47-0C97-D753-6D550585703D}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"="SOUNDMAN.EXE" [06/10/2003 04:12 AM C:\WINDOWS\soundman.exe]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05/06/2004 12:49 PM]
    "Microsoft Internet Acceleration Utility"="iau.exe" []
    "SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" []
    "KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
    "Internet Connection Wizard"="stisvsq.exe" []
    "Games Acceleration"="svshost.exe" []
    "Internet Mail and News"="msqdevl.exe" []
    "Microsoft Management Console"="lssas.exe" []
    "Multimedia extensions"="mservice.exe" []

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [11/15/2004 04:18 PM]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [05/31/2005 12:04 AM]
    "MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [08/13/2007 06:04 PM]
    "Microsoft Internet Acceleration Utility"="iau.exe" []
    "Internet Connection Wizard"="stisvsq.exe" []
    "Games Acceleration"="svshost.exe" []
    "Internet Mail and News"="msqdevl.exe" []
    "Microsoft Management Console"="lssas.exe" []
    "Multimedia extensions"="mservice.exe" []

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
    backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
    backup=C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
    backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
    "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
    c:\Program Files\Microsoft Works\WkDetect.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Program Files\Messenger\msmsgs.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV CfgWiz]
    C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pzd]
    C:\WINDOWS\System32\??plorer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runwin32]
    C:\WINDOWS\runwin32.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SVCHOST]
    C:\WINDOWS\svchost.exe 7

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TBPS]
    C:\PROGRA~1\Toolbar\TBPS.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Usrr]
    C:\Documents and Settings\Dennille Christensen\Application Data\rncr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Winhost]
    C:\WINDOWS\win.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wininet32]
    C:\WINDOWS\wininet32.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTools]
    C:\Program Files\Common Files\WinTools\WToolsA.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\You've Got Pictures Screensaver]
    C:\Program Files\You've Got Pictures Screensaver\ygpsstra.exe




    -- End of Deckard's System Scanner: finished at 2008-01-04 19:36:13 ------------

    and finally...new HJT log...
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:39:30 PM, on 1/4/2008
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\MySpace\IM\MySpaceIM.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\WINDOWS\System32\WgaTray.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {39D93272-EF47-0C97-D753-6D550585703D} - (no file)
    O2 - BHO: (no name) - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
    O2 - BHO: (no name) - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
    O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Internet Connection Wizard] stisvsq.exe
    O4 - HKLM\..\Run: [Games Acceleration] svshost.exe
    O4 - HKLM\..\Run: [Internet Mail and News] msqdevl.exe
    O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
    O4 - HKLM\..\Run: [Multimedia extensions] mservice.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [MySpaceIM] "C:\Program Files\MySpace\IM\MySpaceIM.exe"
    O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
    O4 - HKCU\..\Run: [Internet Connection Wizard] stisvsq.exe
    O4 - HKCU\..\Run: [Games Acceleration] svshost.exe
    O4 - HKCU\..\Run: [Internet Mail and News] msqdevl.exe
    O4 - HKCU\..\Run: [Microsoft Management Console] lssas.exe
    O4 - HKCU\..\Run: [Multimedia extensions] mservice.exe
    O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
    O4 - Startup: Snapfish Picture Mover.lnk = C:\Program Files\Snapfish Picture Mover\SnapfishPictureMover.exe
    O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} -
    O16 - DPF: {11111111-1111-1111-1111-111111113456} -
    O16 - DPF: {11111111-1111-1111-1111-111111113457} -
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) -
    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} -
    O16 - DPF: {2C8EEB84-6D60-11D4-BD64-0050048A82BF} -
    O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} -
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) -
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} -
    O16 - DPF: {A1B09066-C95C-4EF6-8DFD-3DD0AFE610B6} - http://pak02.pictures.aol.com/ygp/aol/plugin/screensaver/YGPPicScreensaver.9.0.1.4.cab
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} -
    O16 - DPF: {CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA} -
    O16 - DPF: {CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} -
    O16 - DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} -
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://aol123.pogo.com/game/deluxe/zuma/popcaploader_v5.cab
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

    --
    End of file - 6843 bytes
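
    The logs above are the kind of thing a helper reads by eye for lookalike process names (lssas.exe for lsass.exe, svshost.exe for svchost.exe), Run entries with no path at all, a proxy pointed at localhost, and a SecurityProviders value carrying a DLL that does not belong there. As an added example, not part of this thread and not code from HijackThis, DSS or ComboFix, the Python below automates that first pass over lines in the HijackThis and DSS formats. The allowlist of path-less names, the 0.8 similarity threshold and the sample lines are assumptions; the sample lines are constructed from the logs posted in this thread.

```python
"""Triage of HijackThis / DSS log lines for the persistence tricks seen in this thread.

Added example for this thread; not part of HijackThis, DSS or ComboFix.
The allowlist, the threshold and the sample lines are assumptions (the
sample lines are constructed from the logs posted earlier in the thread).
"""
import re
from collections import namedtuple
from difflib import SequenceMatcher

Finding = namedtuple("Finding", "kind detail line")

# Stock Windows XP SecurityProviders value (what the cleanup script restores);
# any extra entry is an SSP DLL that lsass loads at boot.
BASELINE_SECURITY_PROVIDERS = ("msapsspc.dll", "schannel.dll",
                               "digest.dll", "msnsspc.dll")

# Core Windows process names that droppers like to imitate one letter off.
SYSTEM_PROCESS_NAMES = ("lsass.exe", "svchost.exe", "csrss.exe", "smss.exe",
                        "services.exe", "winlogon.exe", "explorer.exe",
                        "spoolsv.exe")

# Assumption: per-machine allowlist of path-less Run commands that are known good.
KNOWN_BARE_NAMES = {"soundman.exe"}
LOOKALIKE_THRESHOLD = 0.8  # assumption, tuned on the names in this thread

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<desc>.*) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
PROXY_RE = re.compile(r"ProxyServer = (?P<value>\S+)")
SECPROV_RE = re.compile(r"^SecurityProviders\s+(?P<value>.+)$")


def executable_of(command):
    """First token of a Run-key command; honours a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0]


def lookalike_of(filename):
    """System process name that `filename` imitates, or None.

    An exact system name is not a lookalike; a near miss (lssas.exe for
    lsass.exe, svshost.exe for svchost.exe) scores above the threshold.
    """
    filename = filename.lower()
    if filename in SYSTEM_PROCESS_NAMES:
        return None
    best = max(SYSTEM_PROCESS_NAMES,
               key=lambda real: SequenceMatcher(None, filename, real).ratio())
    if SequenceMatcher(None, filename, best).ratio() >= LOOKALIKE_THRESHOLD:
        return best
    return None


def check_line(line):
    """Return the findings for one log line (empty list if it looks benign)."""
    line = line.strip()
    findings = []
    m = O4_RE.match(line)
    if m:
        exe = executable_of(m.group("cmd"))
        name = exe.rsplit("\\", 1)[-1].lower()
        bare = "\\" not in exe and ":" not in exe  # no directory at all
        if bare and name not in KNOWN_BARE_NAMES:
            findings.append(Finding("bare-run-entry", "%s [%s] runs %r with no path"
                                    % (m.group("hive"), m.group("name"), exe), line))
        real = lookalike_of(name)
        if real:
            findings.append(Finding("lookalike-process-name",
                                    "%s imitates %s" % (name, real), line))
    m = O2_RE.match(line)
    if m and m.group("path").strip() == "(no file)":
        findings.append(Finding("orphan-bho", "BHO {%s} registered with no backing file"
                                % m.group("clsid"), line))
    m = PROXY_RE.search(line)
    if m and re.search(r"localhost|127\.0\.0\.1", m.group("value")):
        findings.append(Finding("local-proxy", "browser traffic routed through "
                                + m.group("value"), line))
    m = SECPROV_RE.match(line)
    if m:
        extra = [d.strip() for d in m.group("value").split(",")
                 if d.strip().lower() not in BASELINE_SECURITY_PROVIDERS]
        if extra:
            findings.append(Finding("extra-security-provider",
                                    "unexpected SSP DLL(s): " + ", ".join(extra), line))
    return findings


def triage(lines):
    """Run every check over an iterable of log lines."""
    findings = []
    for line in lines:
        findings.extend(check_line(line))
    return findings


# Constructed sample: lines copied from the HijackThis and DSS logs in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKLM\..\Run: [Games Acceleration] svshost.exe
O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKLM\..\Run: [Multimedia extensions] mservice.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {39D93272-EF47-0C97-D753-6D550585703D} - (no file)
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print("%-24s %s" % (f.kind, f.detail))
```

    Run it as a script to print the findings for the sample, or pass the lines of a saved log to triage(). The similarity check is deliberately loose (mservice.exe trips it against services.exe as well as the two obvious fakes), so treat its output as a queue for a human rather than a verdict; the bare-name check is the more dependable signal, since a legitimate installer writes a full path into the Run key and the fake names here all rely on the PATH search finding a copy dropped into C:\WINDOWS.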
     
  5. 2008/01/04
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi fortunateden
    OK, I'm sorry part of that was my fault. :(
    We need to disable Spybot TeaTimer; we'll get to that a little later.

    OK, about Crawler Search: you may be obligated to keep this because of this program, Spyware Terminator.
    It was probably in the EULA when you downloaded Spyware Terminator. So now you need to make a decision: if you keep Spyware Terminator, you keep Crawler Search.

    Let me know what you want to do.

    Here is some info on Crawler Search.

    McAfee(R) AVERT™ recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.

    Summary:
    This is not a virus or Trojan. It is an adware application. Upon execution this application installs itself as a browser helper object (BHO) for Internet Explorer. It adds an Internet Explorer toolbar named "Crawler Toolbar". By using the added search bar, each search will lead the user to "portal.crawler.com".

    Privacy:
    No license agreement is displayed during installation, although one could be displayed by another installer if bundled with another application. No privacy policy related to the software could be found.

    Let me know.
    Geri
     
    Geri,
    #4
  6. 2008/01/04
    fortunateden

    Geri,
    I am fine with removing the Crawler and/or not using the host application, as I did not intentionally install it in the first place... don't think I ever agreed to a license agreement. Let's get rid of it! Also wanted to thank you for being so clear on your directions. So far this has been easier than I anticipated! :cool:
     
  7. 2008/01/05
    Geri Lifetime Subscription

    Hi fortunateden
    This may or may not be a long run here, we'll see how easy/hard some of these files will remove.

    You also have an info stealer, so I need to warn you about it.

    I would suggest you change all passwords using a non-infected computer (not this one) and refrain from any credit card or financial dealings until clean. If you do any financial dealings with this computer, contact any credit card companies or banks about possible fraud on your account.

    I have the next part of your fix, but there is one part I need to have checked, so I'll get back to you ASAP.

    Also, after you are clean, you NEED to update your computer to SP2 and all critical updates; some of these may have been avoided/stopped if your system had been up to date.

    I'll get back to you as soon as I get this checked.

    Geri
     
    Geri,
    #6
  8. 2008/01/05
    fortunateden

    I would suggest you change all passwords using a Non-infected computer (Not this one) and refrain from any credit card or financial dealings until clean. If you do any financial dealings with this computer Contact any credit card or banks for possible fraud on your account.

    Should I be worried about my financial/credit card security for dealings in the past (before I was infected) or just worried about the times I have logged into my accounts since I have had these infections? Will I be OK to wait until Monday, when I get on my clean PC at work, to change passwords for those institutions? Is this what you meant when you said I had more than one dialer? My DSL, cable and phone are all on the same bill, and although the actual bill from my provider doesn't show each call, it hasn't ever seemed to have fraudulent activity. Sorry, not trying to bombard you with 20 million ?'s here; just a little scared. Then to top it all off, I had a mysterious phone call from someone who called me at home and on my cell, asking about charges on my bank debit card. I didn't provide any info, just verified I did indeed use the card at those locations. What worried me is that "private" came up on the caller ID. Just seemed suspicious, so I called my bank, and they said as long as I didn't provide any info, I didn't need to be concerned... But now I am concerned this is coinciding with the reply you had for me about passwords/fraudulent activity, etc. I do all my bill payments for credit cards from this computer (and my PC at work, which is clean).
     
  9. 2008/01/05
    Geri Lifetime Subscription

    Hi fortunateden

    I believe Monday would be OK, Just the sooner the better.

    Contact the bank and any credit card companies you have and let them know you were infected with a info stealer, they have options that you can do, ask them what they are.

    Geri
     
    Geri,
    #8
  10. 2008/01/05
    Geri Lifetime Subscription

    Hi fortunateden

    We need to disable SpyBot Tea Timer
    Spybot S&D's tea timer normally provides real-time protection from spyware, however it may interfere with what we need to do. We will disable it until the machine is clean when it can be re-enabled.

    First step:
    • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
    • If you have the new version 1.5, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.
    • If you have Version 1.4, Click on Exit Spybot S&D Resident
    Second step, For Either Version :
    • Open Spybot S&D
    • Click Mode, choose Advanced Mode
    • Go To the bottom of the Vertical Panel on the Left, Click Tools
    • then, also in left panel, click Resident shows a red/white shield.
    • If your firewall raises a question, say OK
    • In the Resident protection status frame, uncheck the box labeled Resident "TeaTimer" (Protection of over-all system settings) active
    • OK any prompts.
    • Use File, Exit to terminate Spybot
    • Reboot your machine for the changes to take effect.
    Don't forget to re-enable it, when your computer is clean.

    Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

    Spyware Terminator

    Please note any other programs that you don't recognize in that list and post them in your next response.


    Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    Code:
    File::
    C:\WINDOWS\System32\fkrbtmin.dll
    C:\WINDOWS\runwin32.exe
    C:\WINDOWS\svchost.exe
    C:\WINDOWS\win.exe
    C:\WINDOWS\wininet32.exe
    C:\Documents and Settings\Dennille Christensen\Application Data\rncr.exe
    C:\DOCUME~1\DENNIL~1\DESKTOP\SUPERG~2.EXE
    
    Folder::
    C:\Program Files\Common Files\WinTools
    C:\PROGRA~1\Crawler
    C:\Documents and Settings\Dennille Christensen\Application Data\Spyware Terminator
    C:\Documents and Settings\All Users\Application Data\Spyware Terminator
    C:\Program Files\Spyware Terminator
    
    Registry::
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39D93272-EF47-0C97-D753-6D550585703D}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pzd]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runwin32]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SVCHOST]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TBPS]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Usrr]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Winhost]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wininet32]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTools]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\You've Got Pictures Screensaver]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4B5F2E08-6F39-479a-B547-B2026E4C7EDF}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8F38D8D-E480-4D52-B7A2-731BB6995FDD}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft Internet Acceleration Utility"=-
    "KernelFaultCheck"=-
    "Internet Connection Wizard"=-
    "Games Acceleration"=-
    "Internet Mail and News"=-
    "Microsoft Management Console"=-
    "Multimedia extensions"=-
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft Internet Acceleration Utility"=-
    "Internet Connection Wizard"=-
    "Games Acceleration"=-
    "Internet Mail and News"=-
    "Microsoft Management Console"=-
    "Multimedia extensions"=-

    Download
    OTMoveIt2 by OldTimer to your Desktop.
    • Double click OTMoveIt.exe to launch it.
    • Copy/Paste the contents of the box below into the left hand pane of OTMoveIt.
    • Click the Move It button.
    • The list will be processed and the results will appear in the right hand pane.
    • If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    • When finished click Exit to exit the programme.
    • A log C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log will be created (where mmddyyyy_hhmmss are numbers giving date and time the log was created).

    Start OTMI2 again and type 'purity' (no quotes) into the search box on the bottom and click the MoveIt button. After it completes, close OTMoveIt2.


    The list below has changed; make sure you follow this one. Some entries may or may not show up.

    Please re-open HiJackThis and scan only. Check the boxes next to all the entries listed below.

    O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
    O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
    O4 - HKCU\..\Run: [supergrannyam.exe] C:\DOCUME~1\DENNIL~1\DESKTOP\SUPERG~2.EXE /r
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Search - ?p=ZNfox000
    O8 - Extra context menu item: Crawler Search - tbr:iemenu
    O16 - DPF: {11111111-1111-1111-1111-111111113456} - file://c:\info6_s.cab
    O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab
    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
    O16 - DPF: {2C8EEB84-6D60-11D4-BD64-0050048A82BF} -
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/06972700...p/RdxIE601.cab
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc1.webresponse.one.microso.../TLIEFlash.CAB
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} -
    O16 - DPF: {CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA} -
    O16 - DPF: {CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} -
    O16 - DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} (Java Plug-in 1.4.2_05) -



    Now close all windows other than HiJackThis, then click Fix Checked.

    Close HJT.


    After that, Reboot.


    Please post the combofix log that ran and a new dss log.

    Thanks
    Geri
     
    Geri,
    #9
  11. 2008/01/05
    fortunateden

    Geri,
    When I highlight and copy the contents of the code box (CFSscript.twxt), it won't let me save it to All Files (*.*). It only gives me the Word, Works, RTF file options, etc. Can I save it to a different type, or no? Also not clear on what I am doing with this Photobucket link in your last reply:

    http://img.photobucket.com/albums/v6...s/CFScript.gif
     
  12. 2008/01/05
    Geri Lifetime Subscription

    Hi fortunateden
    Looks like you are trying to use Word or Works.
    You need to use NotePad.

    not clear on what I am doing with this photo bucket link in your last reply:
    sUBs must have removed the gif from Photobucket. After saving the script, just drag and drop it onto ComboFix.exe and let it run.

    Geri
    OK, that's weird: my link takes you to the gif, your link says Page not found. Which one are you getting?
     
  13. 2008/01/05
    Geri Lifetime Subscription

    Also
    make sure you have CFScript.txt, not CFSscript.twxt
     
  14. 2008/01/05
    fortunateden

    sorry geri,
    Don't mean to be confused on a simple thing such as Notepad, but when I go to Start > Accessories > Notepad, it opens it with Windows. When I click on the logs I have on my desktop that are Notepad (txt?) files, it gives me the error message:


    Program not found
    Windows cannot find NOTEPAD.exe.
    This program is needed for opening files of the type "text document".
    Type in the executable file to be used instead.
    Then it gives me the option to browse, and in the browse section it defaults to C://, then when I click OK, error message again, Program NOT FOUND


    Long story short, its like I no longer can access notepad.

    BTW, I tried that Photobucket link again, and now it is the right one I think, the gif file of dragging and dropping, right?




    Once again, sorry for the holdup on this
     
  15. 2008/01/05
    Geri Lifetime Subscription

    Hi
    OK, Now I'm a little confused.

    A blank Notepad opens when you click on

    Start<Accessories>Notepad ?

    Can you copy and paste the contents of the code box into notepad? and then save it as described?

    If so, you don't have to open it again, just put your cursor on it, left click and hold the mouse button down, drag it over on top of combofix.exe and let up on the mouse button.
    ComboFix should start and run.

    If you can't open any txt files with it we can work that out later; for now there are no txt files you need to open at this time.

    Geri
     
  16. 2008/01/05
    fortunateden

    fortunateden Inactive Thread Starter

    Joined:
    2008/01/02
    Messages:
    47
    Likes Received:
    0
    I can't open a blank Notepad, when I try it says program not found...that is why I was asking if I could save the code to another file type.
     
  17. 2008/01/05
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    OK, go here:
    http://www.kellys-korner-xp.com/xp_tweaks.htm
    Locate #326 on the left side, Restore Notepad.exe

    To use the VBS files: download the .vbs file and save it to your hard drive C:/ (you may want to right click and use Save Target As). Double click the vbs file. You will be prompted when the script is done.

    Try to open a txt file again and see if it works.

    Geri
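    The "Windows cannot find NOTEPAD.exe" error in post 14 and the "Restore Notepad.exe" VBS fix in post 17 come down to a short chain Windows follows when a .txt file is opened: the .txt extension key points at a ProgID, the ProgID's shell\open\command names the program, and an Image File Execution Options "Debugger" value for notepad.exe can redirect the launch regardless of the association. The script below is an added example written for this thread, not the Kelly's Korner VBS and not anything posted by Geri or fortunateden; it checks each link in that chain and, with -Repair, puts the stock values back. It assumes PowerShell 3 or later (the XP SP1 machine in this thread would not have it) and that the stock txtfile values are the ones shown as $ExpectedProgId and $ExpectedCommand; confirm those against a clean machine of the same Windows version before relying on the repair.

    ```powershell
    <#
      Added diagnostic for a broken Notepad launch (example code for this thread,
      not the Kelly's Korner "Restore Notepad.exe" VBS). Requires PowerShell 3+
      and an elevated prompt. Nothing is changed unless -Repair is given.
    #>
    param([switch]$Repair)

    # Assumed stock values for the txtfile ProgID; verify against a clean machine.
    $ExpectedProgId  = 'txtfile'
    $ExpectedCommand = '%SystemRoot%\system32\NOTEPAD.EXE %1'

    $ExtKey   = 'Registry::HKEY_CLASSES_ROOT\.txt'
    $CmdKey   = "Registry::HKEY_CLASSES_ROOT\$ExpectedProgId\shell\open\command"
    $IfeoKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe'
    $Binaries = @("$env:windir\notepad.exe", "$env:windir\system32\notepad.exe")

    function Get-RegDefault([string]$Path) {
        # Returns the key's (default) value, or $null when the key is absent.
        if (-not (Test-Path $Path)) { return $null }
        (Get-ItemProperty -Path $Path).'(default)'
    }

    function Test-NotepadSetup {
        $findings = @()

        # 1. The binary itself: a deleted or renamed notepad.exe gives the same error.
        foreach ($bin in $Binaries) {
            if (-not (Test-Path $bin)) { $findings += "missing binary: $bin" }
        }

        # 2. The .txt -> ProgID -> open command chain Explorer follows.
        $progId = Get-RegDefault $ExtKey
        if ($progId -ne $ExpectedProgId) {
            $findings += ".txt maps to '$progId' instead of '$ExpectedProgId'"
        }
        $cmd = Get-RegDefault $CmdKey
        if ($cmd -ne $ExpectedCommand) {
            $findings += "open command is '$cmd' instead of '$ExpectedCommand'"
        }

        # 3. IFEO: a Debugger value under notepad.exe makes Windows start that program
        #    in place of Notepad on every launch, whatever the association says.
        if (Test-Path $IfeoKey) {
            $dbg = (Get-ItemProperty -Path $IfeoKey).Debugger
            if ($dbg) { $findings += "IFEO Debugger set for notepad.exe -> $dbg" }
        }
        return $findings
    }

    function Repair-NotepadSetup {
        # Restore the association chain; REG_EXPAND_SZ so %SystemRoot% expands at launch.
        if (-not (Test-Path $ExtKey)) { New-Item -Path $ExtKey -Force | Out-Null }
        Set-ItemProperty -Path $ExtKey -Name '(default)' -Value $ExpectedProgId
        if (-not (Test-Path $CmdKey)) { New-Item -Path $CmdKey -Force | Out-Null }
        Set-ItemProperty -Path $CmdKey -Name '(default)' -Value $ExpectedCommand -Type ExpandString

        # Drop the IFEO redirect if one is present.
        if (Test-Path $IfeoKey) {
            Remove-ItemProperty -Path $IfeoKey -Name Debugger -ErrorAction SilentlyContinue
        }

        # XP keeps a File Protection copy in dllcache; elsewhere restore from install media.
        $cache = "$env:windir\system32\dllcache\notepad.exe"
        foreach ($bin in $Binaries) {
            if (-not (Test-Path $bin) -and (Test-Path $cache)) { Copy-Item $cache $bin }
        }
    }

    $problems = Test-NotepadSetup
    if ($problems.Count -eq 0) {
        'Notepad association looks stock.'
    } else {
        $problems | ForEach-Object { "PROBLEM: $_" }
        if ($Repair) {
            Repair-NotepadSetup
            'Repair applied; re-run without -Repair to verify.'
        }
    }
    ```

    Run it once without -Repair to see which link is broken; a missing binary points to the file having been deleted, while a rewritten open command or an IFEO Debugger entry points to a registry hijack that will survive reinstalling Notepad until the value is removed.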
     
  18. 2008/01/05
    fortunateden

    fortunateden Inactive Thread Starter

    Joined:
    2008/01/02
    Messages:
    47
    Likes Received:
    0
    oh dear Geri,
    I was able to restore Notepad! Now the bad news: after I dragged the code to the ComboFix icon...it deleted my Mozilla, and so here I am at my neighbor's. No internet at my place..what to do? :confused:
     
  19. 2008/01/05
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    :(
    Did you close all other windows and programs?
    There was nothing in the script that had anything to do with Mozilla, unless one of the trojans corrupted the whole Mozilla program.

    If it is in fact deleted (go into Add/Remove Programs and look) you will have to reinstall Mozilla. Do you have IE on your machine, or any other browser?
    If not, you will have to download a copy from another computer, burn it to disk or floppy if you have a floppy drive, and install it that way.

    Geri
     
  20. 2008/01/05
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    I just saw this
    You have no internet connection at all?
     
  21. 2008/01/05
    fortunateden

    fortunateden Inactive Thread Starter

    Joined:
    2008/01/02
    Messages:
    47
    Likes Received:
    0
    Geri,
    No internet connection at all...I will go home and see if I can't reinstall Mozilla. Never used IE on my PC, but I am sure it is on there, just have to install it. Wasn't sure if that would be the proper thing, since I have been using Mozilla since day one...If you don't hear back from me tonight, that means I had no luck with the internet thing, and I will follow up with this tomorrow. Guess I spoke too soon when I said "easier than anticipated"..BTW, I am certain all windows were closed :(
     
