tman70 Posted July 11, 2007 (edited)

My son has a Compaq Presario sr1012nx running WXP Home. He cannot open PayPal. No links work. The only thing that works is the logon link, and it tells him he has to resend all his information. Thankfully he knew better. If we use https and click a link, it takes us back to the scam page. Have run Trend Micro online scan, Ad-Aware, Spybot and avast, all updated, and found nothing. Is there anything in the HijackThis log?

Logfile of HijackThis v1.99.1
Scan saved at 7:40:50 AM, on 7/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\StartupMonitor.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trafficswarm.com/cgi-bin/swarm....02de7a766c9c63d
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: TBSB06220 - {A519CE41-E431-407D-8A79-B8FA3FBEBD0A} - C:\PROGRA~1\HITS2U~1\HITS2U~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
O3 - Toolbar: ToolbarBrand - {BFB5F154-9212-46F3-B547-AC6106030A54} - C:\Program Files\Hits2uToolbar\Hits2uToolbar.dll
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{144F6782-9984-4E25-9848-BC7F1AA97616}: NameServer = 72.21.36.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{15CCB216-4184-4A68-B1CD-FCF69BC4CCAE}: NameServer = 72.21.36.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C6FC0D7-5F21-4ACB-8D12-623FC013CF14}: NameServer = 72.21.36.74
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: eitheror - {2016a466-91a2-43c6-97d8-2fd380f065ef} - (no file)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Edited July 20, 2007 by tman70
sari Posted July 12, 2007

tman70,

There's not much jumping out at me in your log, except for maybe some leftovers, but let's run some things and see if anything comes up.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Thanks,
sari
tman70 (Author) Posted July 12, 2007

Hello Sari,

Here is the file.

SmitFraudFix v2.203

Scan done at 18:10:35.70, Thu 07/12/2007
Run from C:\Documents and Settings\Owner\Desktop\smitfraudfix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\StartupMonitor.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: NVIDIA nForce MCP Networking Controller - Packet Scheduler Miniport
DNS Server Search Order: 72.21.36.74

Description: Linksys LNE100TX Fast Ethernet Adapter(LNE100TX v4) - Packet Scheduler Miniport
DNS Server Search Order: 72.21.36.74

HKLM\SYSTEM\CCS\Services\Tcpip\..\{144F6782-9984-4E25-9848-BC7F1AA97616}: NameServer=72.21.36.74
HKLM\SYSTEM\CCS\Services\Tcpip\..\{15CCB216-4184-4A68-B1CD-FCF69BC4CCAE}: NameServer=72.21.36.74
HKLM\SYSTEM\CCS\Services\Tcpip\..\{3C6FC0D7-5F21-4ACB-8D12-623FC013CF14}: DhcpNameServer=68.87.68.162 68.87.74.162
HKLM\SYSTEM\CCS\Services\Tcpip\..\{3C6FC0D7-5F21-4ACB-8D12-623FC013CF14}: NameServer=72.21.36.74
HKLM\SYSTEM\CS1\Services\Tcpip\..\{144F6782-9984-4E25-9848-BC7F1AA97616}: NameServer=72.21.36.74
HKLM\SYSTEM\CS1\Services\Tcpip\..\{15CCB216-4184-4A68-B1CD-FCF69BC4CCAE}: NameServer=72.21.36.74
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3C6FC0D7-5F21-4ACB-8D12-623FC013CF14}: DhcpNameServer=68.87.68.162 68.87.74.162
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3C6FC0D7-5F21-4ACB-8D12-623FC013CF14}: NameServer=72.21.36.74
HKLM\SYSTEM\CS3\Services\Tcpip\..\{144F6782-9984-4E25-9848-BC7F1AA97616}: NameServer=72.21.36.74
HKLM\SYSTEM\CS3\Services\Tcpip\..\{15CCB216-4184-4A68-B1CD-FCF69BC4CCAE}: NameServer=72.21.36.74
HKLM\SYSTEM\CS3\Services\Tcpip\..\{3C6FC0D7-5F21-4ACB-8D12-623FC013CF14}: DhcpNameServer=68.87.68.162 68.87.74.162
HKLM\SYSTEM\CS3\Services\Tcpip\..\{3C6FC0D7-5F21-4ACB-8D12-623FC013CF14}: NameServer=72.21.36.74
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.68.162 68.87.74.162
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.68.162 68.87.74.162
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.87.68.162 68.87.74.162

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End
sari Posted July 13, 2007

tman70,

Ok, that one is clean. Let's try a more generalized scan that will show me more files.

1. Download ComboFix.exe using either of these links:
* bleepingcomputer.com
* techsupportforum.com
2. Double click on combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Thanks,
sari
tman70 (Author) Posted July 13, 2007

Sari,

Here is the combo scan and HJT scan.

"Owner" - 2007-07-13 12:07:27 - ComboFix 07-07-13.8 - Service Pack 2 NTFS

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\aimsmx.dll
C:\WINDOWS\system32\aosmx.dll
C:\WINDOWS\system32\gtalsmx.dll
C:\WINDOWS\system32\pfxzmtaim.dll
C:\WINDOWS\system32\pfxzmtgtal.dll
C:\WINDOWS\system32\pfxzmticq.dll
C:\WINDOWS\system32\pfxzmtymsg.dll
C:\WINDOWS\system32\sfxzmtforum.dll
C:\WINDOWS\system32\sfxzmtsmt.dll
C:\WINDOWS\system32\sfxzmtsmtspm.dll
C:\WINDOWS\system32\sfxzmtwbmail.dll
C:\WINDOWS\system32\srvswc2.dll
C:\WINDOWS\system32\ymsgsmx.dll

((((((((((((((((((((((((( Files Created from 2007-06-13 to 2007-07-13 )))))))))))))))))))))))))))))))

2007-07-13 12:06 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-12 18:10 1,290 --a------ C:\WINDOWS\system32\tmp.reg
2007-07-12 18:09 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-07-12 18:09 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-07-12 18:09 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-07-12 17:18 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-07-12 17:15 12,413,440 --a------ C:\Program Files\avgas-setup-7.5.1.43.exe
2007-07-12 11:14 <DIR> d-------- C:\Program Files\a-squared Free
2007-07-12 11:12 17,039,544 --a------ C:\Program Files\a2FreeSetup.exe
2007-07-12 09:58 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-07-12 09:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-07-11 13:48 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-07-11 07:59 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-07-11 07:58 <DIR> d-------- C:\WINDOWS\LastGood
2007-07-10 20:21 <DIR> d-------- C:\DOCUME~1\Owner\.housecall6.6
2007-07-10 17:34 73,641,510 --a------ C:\regrestore.reg
2007-07-10 17:00 <DIR> d-------- C:\WINDOWS\pss
2007-07-10 13:14 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Leadertech
2007-07-09 16:39 251,392 --a------ C:\Program Files\hijackthis_sfx.exe
2007-07-09 10:36 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-07-09 10:36 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-07-07 12:23 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Template
2007-07-01 10:11 <DIR> d-------- C:\Program Files\Apense Express
2007-06-17 11:32 <DIR> d-------- C:\Program Files\Flickr Uploadr

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-11 02:23:12 -------- d-----w C:\Program Files\AM Browser
2007-07-11 00:20:25 -------- d-----w C:\Program Files\SpywareBlaster
2007-07-10 19:15:08 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Sonic
2007-07-10 01:03:57 0 ----a-w C:\WINDOWS\system32\dummy.dat
2007-07-10 01:02:52 -------- d-----w C:\Program Files\Google
2007-07-10 00:12:49 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-10 00:12:36 -------- d-----w C:\Program Files\Quicken
2007-07-10 00:11:00 -------- d-----w C:\Program Files\MySpace
2007-07-10 00:10:33 -------- d-----w C:\Program Files\MUSICMATCH
2007-07-07 18:19:55 -------- d-----w C:\Program Files\ABBYY FineReader 5.0 Sprint
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 04:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 04:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 04:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 04:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 04:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 04:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 04:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 04:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2006-11-08 03:00:43 136,844 ----a-w C:\Program Files\getFile.asp
2006-11-07 15:57:40 54,272 ----a-w C:\Program Files\Cleanup Saves Cookies 2K,XP incl Java.exe
2006-11-06 23:22:52 703,829 ----a-w C:\Program Files\ambrowser.exe
2006-11-06 20:18:22 248,200 ----a-w C:\Program Files\xxcopy.zip
2006-11-06 18:01:33 1,035,200 ----a-w C:\Program Files\wpsetup.exe
2006-11-06 18:01:29 297,192 ----a-w C:\Program Files\wmpplugin.exe
2006-11-06 18:01:29 2,417,824 ----a-w C:\Program Files\winzip90.exe
2006-11-06 18:01:03 61,410 ----a-w C:\Program Files\StartupMonitor.zip
2006-11-06 18:01:03 58,671 ----a-w C:\Program Files\StartupCPL.zip
2006-11-06 18:00:54 528 ----a-w C:\Program Files\SETUP.ISS
2006-11-06 18:00:54 320,584 ----a-w C:\Program Files\RegSeeker.zip
2006-11-06 18:00:54 30,720 ----a-w C:\Program Files\REGSVR32.EXE
2006-11-06 18:00:54 29,959 ----a-w C:\Program Files\regsv32a.exe
2006-11-06 18:00:54 23,552 ----a-w C:\Program Files\SetCDfmt.exe
2006-11-06 18:00:54 2,036 ----a-w C:\Program Files\Setup.ini
2006-11-06 18:00:54 156,824 ----a-w C:\Program Files\SETUP.INX
2006-11-06 18:00:54 139,264 ----a-w C:\Program Files\Setup.exe
2006-11-06 18:00:54 1,239 ----a-w C:\Program Files\REGSV32A.TXT
2006-11-06 18:00:53 3,087 ----a-w C:\Program Files\README.TXT
2006-11-06 18:00:51 6,113,439 ----a-w C:\Program Files\pci_filerecovery.exe
2006-11-06 18:00:48 3,846,436 ----a-w C:\Program Files\ow32enen802.exe
2006-11-06 17:59:07 1,938,558 ----a-w C:\Program Files\maxblast4.exe
2006-11-06 17:58:57 14,480,772 ----a-w C:\Program Files\Legacy40.exe
2006-11-06 17:58:56 422 ----a-w C:\Program Files\LAYOUT.BIN
2006-11-06 17:58:51 16,508,560 ----a-w C:\Program Files\jre-1_5_0_09-windows-i586-p.exe
2006-11-06 17:58:30 4,928,507 ----a-w C:\Program Files\intel82801.zip
2006-11-06 17:58:24 339,565 ----a-w C:\Program Files\IKERNEL.EX_
2006-11-06 17:58:24 2,564,187 ----a-w C:\Program Files\ieSpellSetup211325.exe
2006-11-06 17:58:24 1,577,619 ----a-w C:\Program Files\infinst_enu.exe
2006-11-06 17:58:22 511,616 ----a-w C:\Program Files\ie5setup.exe
2006-11-06 17:58:22 508,240 ----a-w C:\Program Files\ie6setup.exe
2006-11-06 17:58:22 302,592 ----a-w C:\Program Files\ie-spyad.exe
2006-11-06 17:58:22 288,093 ----a-w C:\Program Files\icon_restore.exe
2006-11-06 17:58:22 2,122,429 ----a-w C:\Program Files\fsc130.exe
2006-11-06 17:58:21 11,079 ----a-w C:\Program Files\folder.htt
2006-11-06 17:58:20 5,127,800 ----a-w C:\Program Files\Firefox Setup 1.5.0.7.exe
2006-11-06 17:58:13 925,184 ----a-w C:\Program Files\epsetup.exe
2006-11-06 17:58:13 2,995,547 ----a-w C:\Program Files\everesthome200.exe
2006-11-06 17:58:11 433,971 ----a-w C:\Program Files\enditall.exe
2006-11-06 17:58:09 12,425,080 ----a-w C:\Program Files\dklite.exe
2006-11-06 17:58:08 5,079,040 ----a-w C:\Program Files\Diskeeper Lite.msi
2006-11-06 17:58:07 867,386 ----a-w C:\Program Files\DATA1.CAB
2006-11-06 17:58:07 512 ----a-w C:\Program Files\DATA2.CAB
2006-11-06 17:58:07 27,058 ----a-w C:\Program Files\DATA1.HDR
2006-11-06 17:58:06 172,032 ----a-w C:\Program Files\CrucialScan.exe
2006-11-06 17:57:20 714,827 ----a-w C:\Program Files\cbsetup.exe
2006-11-06 17:57:19 618,936 ----a-w C:\Program Files\belarcadvisor v6.1f.exe
2006-11-06 17:57:17 335,624 ----a-w C:\Program Files\ba.exe
2006-11-06 17:57:14 1,033,579 ----a-w C:\Program Files\autostitch.zip
2006-11-06 17:57:00 1,822,312 ----a-w C:\Program Files\AiRoboForm5.7.exe
2006-11-06 17:56:45 351,192 ----a-w C:\Program Files\adrmpro2.exe
2006-11-06 17:56:18 19,879,224 ----a-w C:\Program Files\AdbeRdr602_ece_full.exe
2006-11-06 17:56:15 1,819,984 ----a-w C:\Program Files\Acro-Reader_603_Update.exe
2006-11-06 17:56:14 1,391,254 ----a-w C:\Program Files\absetup131.exe
2006-11-06 17:56:13 1,166,330 ----a-w C:\Program Files\absetup100035.exe
2006-11-06 17:56:02 7,113,909 ----a-w C:\Program Files\4110293.zip
2006-11-06 17:56:01 417,104 ----a-w C:\Program Files\329115USA8.EXE
2006-11-06 01:11:17 278,927,592 ----a-w C:\Program Files\WindowsXP-KB835935-SP2-ENU.exe
2006-11-05 21:21:59 5,037,072 ----a-w C:\Program Files\spybotsd14.exe
2006-11-05 21:19:54 12,099,848 ----a-w C:\Program Files\setupeng.exe
2006-11-05 21:03:49 2,855,080 ----a-w C:\Program Files\aawsepersonal.exe
2006-11-05 21:00:26 2,566,736 ----a-w C:\Program Files\spywareblastersetup351.exe
2006-11-05 20:53:20 5,900,416 ----a-w C:\Program Files\Firefox Setup 2.0.exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
2006-10-26 10:28 440384 --a------ C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2003-05-15 09:47 50376 --a------ C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}]
2006-10-31 15:29 198136 --a------ C:\Program Files\Yahoo!\Common\yiesrvc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A519CE41-E431-407D-8A79-B8FA3FBEBD0A}]
2007-02-20 02:36 868424 --a------ C:\PROGRA~1\HITS2U~1\HITS2U~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Run StartupMonitor"="StartupMonitor.exe" [2000-05-20 17:23 C:\WINDOWS\StartupMonitor.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 09:42]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"100"=C:\SysMa2\svchost.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 06:29]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8cf84f7c-6d32-11db-918d-806d6172696f}]
AutoRun\command- D:\Info.exe folder.htt 480 480

*Newly Created Service* - A2FREE
*Newly Created Service* - AVG_ANTI-SPYWARE_DRIVER
*Newly Created Service* - AVG_ANTI-SPYWARE_GUARD
*Newly Created Service* - CO_MON

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-13 12:10:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-13 12:11:05
C:\ComboFix-quarantined-files.txt ... 2007-07-13 12:10

--- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 12:13:56 PM, on 7/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\StartupMonitor.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trafficswarm.com/cgi-bin/swarm....02de7a766c9c63d
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: TBSB06220 - {A519CE41-E431-407D-8A79-B8FA3FBEBD0A} - C:\PROGRA~1\HITS2U~1\HITS2U~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{144F6782-9984-4E25-9848-BC7F1AA97616}: NameServer = 72.21.36.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{15CCB216-4184-4A68-B1CD-FCF69BC4CCAE}: NameServer = 72.21.36.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C6FC0D7-5F21-4ACB-8D12-623FC013CF14}: NameServer = 72.21.36.74
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: eitheror - {2016a466-91a2-43c6-97d8-2fd380f065ef} - (no file)
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
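As an added example (not from this thread or from any of the tools it mentions), here is a small Python checker for pasted logs in the shape of the SmitfraudFix DNS section and the HijackThis O4/O17 and ComboFix "Reg Loading Points" entries above. It flags the two things a helper reviewing these logs would want listed side by side: interfaces whose static NameServer differs from the DHCP-supplied one, and a core Windows binary name such as svchost.exe launched from outside the Windows directory. The sample lines are constructed from values quoted in the thread; the checker only surfaces entries for review and does not decide whether any of them is malicious.

```python
import re
from collections import defaultdict

# Constructed sample (not real tool output) in the shape of the SmitfraudFix
# DNS section, HijackThis O4/O17 lines and a ComboFix registry dump, using
# the values quoted in the thread above.
SAMPLE_LOG = r"""
HKLM\SYSTEM\CCS\Services\Tcpip\..\{144F6782-9984-4E25-9848-BC7F1AA97616}: NameServer=72.21.36.74
HKLM\SYSTEM\CCS\Services\Tcpip\..\{3C6FC0D7-5F21-4ACB-8D12-623FC013CF14}: DhcpNameServer=68.87.68.162 68.87.74.162
HKLM\SYSTEM\CCS\Services\Tcpip\..\{3C6FC0D7-5F21-4ACB-8D12-623FC013CF14}: NameServer=72.21.36.74
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.68.162 68.87.74.162
O17 - HKLM\System\CCS\Services\Tcpip\..\{15CCB216-4184-4A68-B1CD-FCF69BC4CCAE}: NameServer = 72.21.36.74
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 09:42]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"100"=C:\SysMa2\svchost.exe
"""

# Core Windows binaries that legitimately live only in the Windows directory
# or system32; the same file name launched from anywhere else deserves a look.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "smss.exe", "explorer.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32",
               r"c:\winnt", r"c:\winnt\system32"}

# "...\{GUID}: NameServer=a.b.c.d" (SmitfraudFix) or "...: NameServer = a.b.c.d" (HJT O17)
DNS_RE = re.compile(
    r"\{([0-9A-Fa-f-]{36})\}:\s*(DhcpNameServer|NameServer)\s*=\s*(\S.*?)\s*$")
# HijackThis O4 line: "O4 - HKLM\..\Run: [name] command"
O4_RE = re.compile(r"^O4 - (?P<key>\S+):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+?)\s*$")
# ComboFix registry dump: a [key] header followed by "name"=command lines
REG_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
REG_VAL_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<cmd>.+?)\s*$')


def image_path(cmd):
    """Pull the executable path out of an autorun command line, handling a
    quoted path, trailing arguments and ComboFix's ' [date ...]' annotation."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)\b", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def suspicious_autorun(key, name, cmd):
    """Return a finding when a core-Windows binary name is launched from a
    directory other than the Windows directory or system32, else None."""
    path = image_path(cmd)
    folder, _, base = path.replace("/", "\\").rpartition("\\")
    if base.lower() in SYSTEM_BINARIES and folder and folder.lower() not in SYSTEM_DIRS:
        return f"{key} [{name}] -> {path}: '{base}' outside the Windows directory"
    return None


def dns_findings(lines):
    """Group NameServer / DhcpNameServer values per interface GUID and report
    interfaces where a static NameServer is not what DHCP handed out."""
    per_iface = defaultdict(dict)
    for line in lines:
        m = DNS_RE.search(line)
        if m:
            guid, kind, servers = m.groups()
            per_iface[guid.upper()].setdefault(kind, set()).update(servers.split())
    findings = []
    for guid, vals in sorted(per_iface.items()):
        static = vals.get("NameServer", set())
        dhcp = vals.get("DhcpNameServer", set())
        if static and dhcp and not static <= dhcp:
            findings.append(f"{{{guid}}}: static NameServer {sorted(static)} "
                            f"overrides DHCP {sorted(dhcp)}")
        elif static and not dhcp:
            findings.append(f"{{{guid}}}: static NameServer {sorted(static)} "
                            "with no DHCP value seen")
    return findings


def autorun_findings(lines):
    """Walk HJT O4 lines and ComboFix [key]/"name"=value blocks under a *\\Run
    key and collect suspicious_autorun() hits."""
    findings, current_key = [], None
    for line in lines:
        m = O4_RE.match(line)
        if m:
            hit = suspicious_autorun(m.group("key"), m.group("name"), m.group("cmd"))
            if hit:
                findings.append(hit)
            continue
        m = REG_KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = REG_VAL_RE.match(line)
        if m and current_key and current_key.lower().endswith("\\run"):
            hit = suspicious_autorun(current_key, m.group("name"), m.group("cmd"))
            if hit:
                findings.append(hit)
    return findings


def analyze(text):
    """Run both checks over a pasted log and return the findings by section."""
    lines = text.splitlines()
    return {"dns": dns_findings(lines), "autorun": autorun_findings(lines)}


if __name__ == "__main__":
    for section, items in analyze(SAMPLE_LOG).items():
        print(f"== {section} ==")
        for item in items:
            print("  " + item)
```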
sari Posted July 14, 2007 (edited)

tman70,

Show Hidden Files
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

I'd like you to see if you can find the following file:
C:\SysMa2\svchost.exe

If so, please do the following:
Right click on the folder - c:\SysMa2 - and select Send to Compressed Folder. It will create a zipped folder in the same directory.

Please go to Uploadmalware to upload a suspicious file for analysis.
Enter your username from this forum
Copy and paste the link to this thread
Browse for the zipped folder you just created in c:\SysMa2
In the comments, please mention that I asked you to upload this file
Click on Send File

The combofix program did clean some files up - you had an email trojan. However, I don't like the looks of that above entry, and I'd like to get it analyzed if possible.

Thanks,
sari

Edited July 14, 2007 by sari
tman70 (Author) Posted July 14, 2007

Sari,

I did the first steps and then went to the C drive. There is nothing showing in the folder, and if I right click and send to compressed folder it says the folder is empty and cannot be archived. In the left hand panel the detail panel says "attribute: hidden".

What should I do now?
sari Posted July 17, 2007

tman70,

I believe that's telling me that file no longer exists - there's a registry entry pointing to it, but the file itself is gone, which is a good thing (except I would have liked to have known what it was!). The attributes were hidden because it was a hidden directory - even though you had unhidden everything, the attributes would remain the same.

Are you still having the redirections on secure links?

sari
tman70 (Author) Posted July 17, 2007 (edited)

> tman70,
>
> I believe that's telling me that file no longer exists - there's a registry entry pointing to it, but the file itself is gone, which is a good thing (except I would have liked to have known what it was!). The attributes were hidden because it was a hidden directory - even though you had unhidden everything, the attributes would remain the same.
>
> Are you still having the redirections on secure links?
>
> sari

Sari,

Thank you for explaining. I thought that was the reason, but was not sure.

I don't know what my son deleted when he started having problems. He goes on to work and lets me figure out how to correct the problems. LOL

The original paypal page will come up with the lock at the lower right bottom. However, when you click a link it takes you to a login page without the lock. The certificate for Paypal is still snakeoil.dom

I ran a Kaspersky scan yesterday and it says the only virus he has is:
Smitfraudfix\reboot.exe (which we know what that is)
and
c\hp\bin\killwind.exe (which is a compaq program he doesn't need and will be removed later)

There is a registry key:
HKEY_Current_User\software\microsoft\windows\current version\policies\explorer\run\c:\SysMa2\svchost.exe

Should I delete this key or is there something else I should do first?

Edited July 17, 2007 by tman70
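The two clues in the post above, an autorun entry under Policies\Explorer\Run that launches a svchost.exe outside the Windows directory, and an HTTPS login page served with a self-signed "snakeoil" certificate, are the kind of thing a helper scans a HijackThis log for by hand. The script below is an added example written for this page, not code from the thread, from HijackThis or from any of the tools the helpers used; it applies four simple triage rules to constructed sample lines modelled on the entries posted in this thread. The rules, the sample lines, the all-zero GUID and the 192.0.2.10 resolver address are the editor's assumptions.

```python
"""Triage HijackThis-style log lines for the persistence and DNS signals
discussed in this thread.  Constructed example; the rules and the sample
lines are the editor's, not the forum's and not HijackThis's."""
import re
from typing import List, Tuple

# Where Windows itself keeps svchost.exe and the other core binaries.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Autorun locations that installers almost never use but malware does,
# because fewer tools list them.
UNUSUAL_AUTORUN = (r"policies\explorer\run",)

# Names malware borrows from genuine Windows binaries.
LOOKALIKE_NAMES = ("svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe")

PATH_RE = re.compile(r'[A-Za-z]:\\[^\s"]+')


def first_path(line: str) -> str:
    """Return the first drive-letter path in the line, lower-cased ('' if none)."""
    m = PATH_RE.search(line)
    return m.group(0).lower() if m else ""


def triage_line(line: str) -> List[str]:
    """Reasons this line deserves a closer look (empty list means none)."""
    reasons: List[str] = []
    low = line.lower()
    path = first_path(line)
    name = path.rsplit("\\", 1)[-1]

    # 1. Autorun registered in an unusual registry location.
    if any(loc in low for loc in UNUSUAL_AUTORUN):
        reasons.append("autorun under Policies\\Explorer\\Run (unusual location)")

    # 2. A system-binary lookalike living outside the system directories.
    if name in LOOKALIKE_NAMES and not path.startswith(SYSTEM_DIRS):
        reasons.append(f"{name} outside the system directory: {path}")

    # 3. Per-adapter DNS override (O17): a hijacked resolver can send
    #    https://www.paypal.com to a host that presents a bogus certificate.
    if low.startswith("o17") and "nameserver" in low:
        reasons.append("DNS server overridden on an adapter (check it is your ISP's)")

    # 4. Orphaned hooks: the registry still points at a file that is gone.
    if "(no file)" in low or "(file missing)" in low:
        reasons.append("entry points to a missing file")
    return reasons


def triage(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Run triage over a whole log, keeping only the flagged lines."""
    flagged: List[Tuple[str, List[str]]] = []
    for ln in lines:
        reasons = triage_line(ln)
        if reasons:
            flagged.append((ln, reasons))
    return flagged


# Constructed sample lines, modelled on the entries posted in this thread;
# the GUID and the 192.0.2.10 resolver address are placeholders.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
    r"O4 - HKCU\..\Policies\Explorer\Run: [100] C:\SysMa2\svchost.exe",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.0.2.10",
    r"O21 - SSODL: eitheror - {2016a466-91a2-43c6-97d8-2fd380f065ef} - (no file)",
    r"O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe",
]

if __name__ == "__main__":
    for line, why in triage(SAMPLE_LOG):
        print(line)
        for reason in why:
            print("    ->", reason)
```

Run as a script it prints the three flagged sample lines with their reasons; the avast! Run entry and the NVIDIA service pass untouched. Rule 3 is the one that connects to the certificate symptom: if the adapter's resolver is not the ISP's, the browser can be talking to an impostor even though the address bar reads paypal.com, which is exactly when a self-signed certificate shows up.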
sari Posted July 18, 2007

tman70,

We'll get rid of the key, but since that file seems to be gone, I don't think it's the issue. I'm trying to do some research on other ways to get rid of this. In the meantime, I want you to run a rootkit scanner.

Download GMER from here:
http://www.gmer.net/files.php
Unzip it to the desktop.
Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for 'Show All'.
Click on Scan.
When the scan has run, click Copy and paste the results (if any) into this thread.

Thanks,
sari
tman70 (Author) Posted July 18, 2007

Sari,

Here is the file from the GMER program.

GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-07-18 11:55:53
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.13 ----

SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F738C812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F738C812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F738C812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F738C812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F738C812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F738C812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F738C812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F738C812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F738C812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F738C812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F738C812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F738C812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F738C812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F738DF74] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F738C812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F738C812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F738C812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F738C812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F738C812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F738C812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F738C812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F738C812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F738C812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F738C812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F738C812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F738C812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F738C812] aswMon2.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_READ [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_WRITE [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F9F5F2C0] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_POWER [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_READ [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F9F5F2C0] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_POWER [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_READ [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_WRITE [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F9F5F2C0] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_POWER [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_READ [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F9F5F2C0] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_POWER [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA [F9F5F8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA [F9F5F8E6] aswTdi.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE [F738C812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_NAMED_PIPE [F738C812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLOSE [F738C812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_READ [F738C812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_WRITE [F738C812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION [F738C812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION [F738C812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA [F738C812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_EA [F738C812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS [F738C812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION [F738C812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION [F738C812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL [F738C812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL [F738DF74] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL [F738C812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_INTERNAL_DEVICE_CONTROL [F738C812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN [F738C812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL [F738C812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP [F738C812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_MAILSLOT [F738C812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_SECURITY [F738C812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_SECURITY [F738C812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_POWER [F738C812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SYSTEM_CONTROL [F738C812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CHANGE [F738C812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_QUOTA [F738C812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_QUOTA [F738C812] aswMon2.SYS

---- EOF - GMER 1.0.13 ----
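The GMER listing above is long but says only one thing: every filesystem and TDI hook belongs to two avast! drivers (aswMon2.SYS, aswTdi.SYS) and the two SSDT hooks belong to the AVG Anti-Spyware guard driver, which is why sari reads it as clean. The script below is an added example written for this page, not code from the thread and not a GMER feature; it collapses a GMER listing to one line per owning module and compares the modules against an allowlist of the security drivers known to be installed. The allowlist, the sample lines and the "hypothetical.sys" entry used to show a miss are the editor's assumptions.

```python
"""Group the hooks in a GMER rootkit-scan listing by the module that owns
them, so that 160 AttachedDevice lines collapse to a handful of drivers that
can be checked against what is installed.  Constructed example by the
editor; not part of the thread and not a GMER feature."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Drivers expected to hook the filesystem and TDI stack on this machine: the
# avast! on-access (aswMon2) and network (aswTdi) filters and the AVG
# Anti-Spyware guard driver.  The allowlist is an assumption for the example.
KNOWN_SECURITY_DRIVERS = {"aswmon2.sys", "aswtdi.sys", "guard.sys"}

ATTACHED_RE = re.compile(
    r"^AttachedDevice\s+(\S+)\s+(\S+)\s+(IRP_MJ_\w+)\s+\[([0-9A-Fa-f]+)\]\s+(\S+)$"
)
SSDT_RE = re.compile(r"^SSDT\s+(.+?)\s+(Zw\w+)$")


@dataclass
class ModuleHooks:
    irp_hooks: int = 0                                # AttachedDevice entries
    devices: Set[str] = field(default_factory=set)    # devices it sits on
    ssdt: Set[str] = field(default_factory=set)       # syscalls it hooks


def summarise(lines: List[str]) -> Dict[str, ModuleHooks]:
    """Parse GMER output and return per-module hook statistics."""
    summary: Dict[str, ModuleHooks] = defaultdict(ModuleHooks)
    for raw in lines:
        line = raw.strip()
        m = ATTACHED_RE.match(line)
        if m:
            _driver, device, _irp, _addr, module = m.groups()
            entry = summary[module.lower()]
            entry.irp_hooks += 1
            entry.devices.add(device)
            continue
        m = SSDT_RE.match(line)
        if m:
            path, syscall = m.groups()
            module = path.rsplit("\\", 1)[-1].lower()
            summary[module].ssdt.add(syscall)
    return dict(summary)


def unexpected_modules(lines: List[str]) -> Set[str]:
    """Modules hooking the system that are not on the allowlist."""
    return {mod for mod in summarise(lines) if mod not in KNOWN_SECURITY_DRIVERS}


# Constructed sample: a few lines shaped like the ones posted above, plus one
# hypothetical unknown driver so the allowlist check has something to report.
SAMPLE_GMER = [
    r"SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess",
    r"SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess",
    r"AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F738C812] aswMon2.SYS",
    r"AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F738C812] aswMon2.SYS",
    r"AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE [F738C812] aswMon2.SYS",
    r"AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F9F5F8E6] aswTdi.SYS",
    r"AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE [F9F00000] hypothetical.sys",
]

if __name__ == "__main__":
    for module, hooks in sorted(summarise(SAMPLE_GMER).items()):
        tag = "" if module in KNOWN_SECURITY_DRIVERS else "  <-- not on allowlist"
        print(f"{module}: {hooks.irp_hooks} IRP hooks on {sorted(hooks.devices)}, "
              f"SSDT {sorted(hooks.ssdt)}{tag}")
```

Fed the full listing from the post it produces three lines (aswmon2.sys on \Ntfs and \Fat, aswtdi.sys on the four TDI devices, guard.sys with two SSDT hooks) and an empty set of unexpected modules. The value of the allowlist is that it has to be built from what the machine's owner knows is installed; a driver that hooks the TDI stack and matches nothing on the list is what deserves the next question in the thread, not the hundred lines from the antivirus.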
sari Posted July 18, 2007

tman70,

Well, nothing is showing there. I'm going to have you run a scan that is similar to the combofix I had you run, but should be more detailed.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Thanks,
sari
tman70 (Author) Posted July 18, 2007

> tman70,
>
> Well, nothing is showing there. I'm going to have you run a scan that is similar to the combofix I had you run, but should be more detailed.
>
> Please download Deckard's System Scanner (DSS) and save it to your Desktop.
> Close all other windows before proceeding.
> Double-click on dss.exe and follow the prompts.
> When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
>
> Thanks,
> sari

Sari,

Here are the main.txt and extra.txt files. Thanks for all your help.

main.txt

Deckard's System Scanner v20070711.54
Run by Owner on 2007-07-18 at 14:29:18
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.

-- Last 1 Restore Point(s) --
1: 2007-07-18 20:29:31 UTC - RP1 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 2:31:53 PM, on 7/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\StartupMonitor.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trafficswarm.com/cgi-bin/swarm....02de7a766c9c63d
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: TBSB06220 - {A519CE41-E431-407D-8A79-B8FA3FBEBD0A} - C:\PROGRA~1\HITS2U~1\HITS2U~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{144F6782-9984-4E25-9848-BC7F1AA97616}: NameServer = 72.21.36.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{15CCB216-4184-4A68-B1CD-FCF69BC4CCAE}: NameServer = 72.21.36.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C6FC0D7-5F21-4ACB-8D12-623FC013CF14}: NameServer = 72.21.36.74
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: eitheror - {2016a466-91a2-43c6-97d8-2fd380f065ef} - (no file)
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 PQNTDrv - c:\windows\system32\drivers\pqntdrv.sys <Not Verified; PowerQuest Corporation; PowerQuest product>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>
R3 SunkFilt (Alcor Micro Corp - 9360) - c:\windows\system32\drivers\sunkfilt.sys <Not Verified; Alcor Micro Corp.; SunkFilt>

S3 catchme - c:\docume~1\owner\locals~1\temp\catchme.sys (file missing)
S3 CO_Mon - c:\windows\system32\drivers\co_mon.sys
S3 Sunkfiltp (HP && Alcor Micro Corp for Phison) - c:\windows\system32\drivers\sunkfiltp.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.

-- Files created between 2007-06-18 and 2007-07-18 -----------------------------

2007-07-18 12:04:11 0 d-------- C:\Documents and Settings\Default User\Recent
2007-07-18 12:04:09 0 d-------- C:\Documents and Settings\Owner\Recent
2007-07-17 09:32:06 74159012 --a------ C:\regrestore.reg
2007-07-12 18:10:48 1290 --a------ C:\WINDOWS\system32\tmp.reg
2007-07-12 18:09:12 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2007-07-12 18:09:12 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-07-12 17:18:27 0 d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2007-07-12 17:18:05 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-07-12 11:14:53 0 d-------- C:\Program Files\a-squared Free
2007-07-12 09:58:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-07-12 09:58:17 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-07-11 13:48:57 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-07-11 07:59:07 28672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-07-10 20:21:12 0 d-------- C:\Documents and Settings\Owner\.housecall6.6
2007-07-10 17:00:07 0 d-------- C:\WINDOWS\pss
2007-07-10 13:14:52 0 d-------- C:\Documents and Settings\Owner\Application Data\Leadertech
2007-07-09 16:39:52 251392 --a------ C:\Program Files\hijackthis_sfx.exe
2007-07-09 10:36:58 0 d-------- C:\Program Files\Microsoft ActiveSync
2007-07-09 10:36:56 0 d-------- C:\Program Files\Microsoft.NET
2007-07-07 12:23:57 0 d-------- C:\Documents and Settings\Owner\Application Data\Template
2007-07-01 10:11:49 0 d-------- C:\Program Files\Apense Express

-- Find3M Report ---------------------------------------------------------------

2007-07-10 20:23:12 0 d-------- C:\Program Files\AM Browser
2007-07-10 18:20:25 0 d-------- C:\Program Files\SpywareBlaster
2007-07-10 13:15:08 0 d-------- C:\Documents and Settings\Owner\Application Data\Sonic
2007-07-09 19:03:57 0 --a------ C:\WINDOWS\system32\dummy.dat
2007-07-09 19:02:52 0 d-------- C:\Program Files\Google
2007-07-09 18:12:49 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-07-09 18:12:36 0 d-------- C:\Program Files\Quicken
2007-07-09 18:11:00 0 d-------- C:\Program Files\MySpace
2007-07-09 18:10:33 0 d-------- C:\Program Files\MUSICMATCH
2007-07-07 12:19:55 0 d-------- C:\Program Files\ABBYY FineReader 5.0 Sprint
2007-07-01 09:12:07 0 d-------- C:\Program Files\Java
2007-06-17 11:32:05 0 d-------- C:\Program Files\Flickr Uploadr

-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670} C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} C:\Program Files\Yahoo!\Common\yiesrvc.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
{A519CE41-E431-407D-8A79-B8FA3FBEBD0A} C:\PROGRA~1\HITS2U~1\HITS2U~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Run StartupMonitor"="StartupMonitor.exe"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"100"="C:\\SysMa2\\svchost.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"eitheror"="{2016a466-91a2-43c6-97d8-2fd380f065ef}"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest\
Notification Packages REG_MULTI_SZ scecli\

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV\
NetworkService REG_MULTI_SZ DnsCache\
rpcss REG_MULTI_SZ RpcSs\
imgsvc REG_MULTI_SZ StiSvc\
termsvcs REG_MULTI_SZ TermService\
HTTPFilter REG_MULTI_SZ HTTPFilter\
DcomLaunch REG_MULTI_SZ DcomLaunch TermService\

-- End of Deckard's System Scanner: finished at 2007-07-18 at 14:33:27 ---------

extra.txt

Deckard's System Scanner v20070711.54
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon XP 3000+
Percentage of Memory in Use: 79%
Physical Memory (total/avail): 191.36 MiB / 38.42 MiB
Pagefile Memory (total/avail): 490.55 MiB / 254.25 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1975.05 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 70.31 GiB total, 61.82 GiB free.
D: is Fixed (FAT32) - 4.2 GiB total, 0.69 GiB free.
E: is CDROM (No Media)
F: is CDROM (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
J: is Removable (No Media)
K: is Removable (No Media)

-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.
Windows Internal Firewall is enabled.

AV: avast! antivirus 4.7.1001 [VPS 000757-3] v4.7.1001 (ALWIL Software)

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DAVID
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\DAVID
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;c:\Python22;C:\Program Files\PC-Doctor for Windows\services
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 10 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0a00
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=DAVID
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS

-- User Profiles ---------------------------------------------------------------

Owner (admin)

-- Add/Remove Programs ---------------------------------------------------------

 --> C:\Program Files\Common Files\Real\Update_OB\rnuninst.exe RealNetworks|RealPlayer|6.0
 --> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
 --> C:\WINDOWS\System32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
 --> c:\WINDOWS\System32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{39DA87A1-0B26-4562-A70C-2A6147366E47}\Setup.exe"
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F765BD0-B900-4EDE-A90B-61C8A9E95C42}\Setup.exe"
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BAD59025-5B73-4E12-B789-0028C5A573C2}\Setup.exe"
 --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2572
 --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
a-squared Free 3.0 --> "C:\Program Files\a-squared Free\unins000.exe"
ABBYY FineReader 5.0 Sprint --> MsiExec.exe /X{4468EF97-A253-4699-9E1C-88CAE2C6832D}
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Add/Remove Pro --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\ADRMPRO2.INF, DefaultUninstall.ntx86
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe -q
Adobe Photoshop Album Starter Edition --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{483616D1-867E-46F8-BEC7-3C6475933908}\apxp.ex_" -l0x9
Adobe Reader 6.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-000000000001}
Agere Systems PCI Soft Modem --> agrsmdel
AM Browser version 2.0.1 --> "C:\Program Files\AM Browser\unins000.exe"
Apsense Express --> C:\Program Files\Apense Express\uninst.exe
avast! Antivirus --> rundll32 C:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Bounce Symphony from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\29FF6D07-4A15-41F1-9D5E-E0F3A58012C6\Uninstall.exe"
Compaq Connections --> C:\WINDOWS\BWUnin-6.2.3.66L.exe -AppId 1940576
Compaq Instant Support --> C:\PROGRA~1\COMPAQ~2\UNWISE.EXE C:\PROGRA~1\COMPAQ~2\INSTALL.LOG
Compaq Organize --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D0122362-6333-4DE4-93F6-A5A2F3CC101A}\Setup.exe" UNINSTALL
Easy Internet Sign-up --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{0613467F-A45E-4CB1-9ECE-1F3DD79FB927} /l1033
End It All --> C:\PROGRA~1\EndItAll\UNWISE.EXE C:\PROGRA~1\EndItAll\INSTALL.LOG
Excavation from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\C679AA5F-C2C8-4EA8-9CD1-504A39AEC264\Uninstall.exe"
Flickr Uploadr 2.5.0.15 --> "C:\Program Files\Flickr Uploadr\uninstall.exe"
HijackThis 1.99.1 --> C:\Program Files\HijackThis\HijackThis.exe /uninstall
HP Deskjet Preloaded Printer Drivers --> MsiExec.exe /X{F419D20A-7719-4639-8E30-C073A040D878}
HP Image Zone 3.5 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP Photo & Imaging 3.5 - HP Devices --> C:\Program Files\HP\Digital Imaging\{15B9DC72-73F9-4d99-9E28-848D66DA8D99}\setup\hpzscr01.exe -datfile hpiscr01.dat
HP PSC & OfficeJet 3.0 --> "C:\Program Files\HP\Digital Imaging\{F38FA38A-7E5A-4209-88ED-4DE21CD20EEF}\setup\hpzscr01.exe" -datfile hposcr03.dat
HP Software Update --> MsiExec.exe /X{34957B51-9676-41CE-9E52-44AE91B73F1C}
Icon Restore 1.0 --> C:\WINDOWS\unins000.exe
IntelliMover Data Transfer Demo --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation 
Information\{14589F05-C658-4594-9429-D437BA688686}\Setup.exe" -l0x9 InterVideo WinDVD Player --> "C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALLIrfanView (remove only) --> C:\Program Files\IrfanView\iv_uninstall.exeJ2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}Java 2 Runtime Environment, SE v1.4.2_03 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}Java SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exeKBD --> C:\HP\KBD\KBD.EXE uninstalledLexmark X74-X75 --> C:\WINDOWS\system32\spool\drivers\w32x86\3\LXBBUN5C.EXE -dLexmark X74-X75Memories Disc Creator 2.0 --> MsiExec.exe /X{2E132061-C78A-48D4-A899-1D13B9D189FA}MGI PhotoSuite 4 (Remove Only) --> "C:\Program Files\MGI\MGI PhotoSuite 4\System\MGIUninstall.exe" C:\WINDOWS\IsUninst.exe -f"C:\Program Files\MGI\MGI PhotoSuite 4\Uninst.isu" -c"C:\Program Files\MGI\MGI PhotoSuite 4\System\CustomUninstall.dll"Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}Microsoft Plus! 
Digital Media Edition --> MsiExec.exe /I{C6A7AF96-4EB1-4AAE-8318-1AB393C64F88}Microsoft Word 2000 SR-1 --> MsiExec.exe /I{00170409-78E1-11D2-B60F-006097C998E7}Microsoft Works 2001 Setup Launcher --> C:\Program Files\Microsoft Works Suite 2001\Setup\Launcher.exe E:\Microsoft Works 6.0 --> MsiExec.exe /I{F8D0829C-9C6F-11D3-8080-00C04FA329AA}Microsoft Works 7.0 --> MsiExec.exe /I{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}Microsoft Works Suite Add-in for Microsoft Word --> MsiExec.exe /I{5F629FE8-5B4C-4863-937A-AFC2961F7DD3}Mozilla Firefox (2.0.0.4) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exeMultimedia Card Reader --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{EF9967D8-1999-4260-ACC2-86901AA36650} Norton PartitionMagic 8.0 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{21DBBDD6-93A5-4326-9A04-C9A5C9148502} NVIDIA Display Driver --> C:\WINDOWS\System32\nvudisp.exe Uninstall C:\WINDOWS\System32\nvdisp.nvu,NVIDIA Display DriverNVIDIA Ethernet Driver --> C:\WINDOWS\System32\nvuenet.exe Uninstall C:\WINDOWS\System32\Nvenet.nvu,NVIDIA Ethernet DriverNVIDIA GART Driver --> C:\WINDOWS\System32\nvugart.exe Uninstall C:\WINDOWS\System32\Nvgart.nvu,NVIDIA GART DriverOrbital from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\26DC0ED6-93A7-43C1-8DC5-EC16079580F9\Uninstall.exe"Otto from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\8A225900-C06D-41DD-B66C-43840D472758\Uninstall.exe"Overball from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\FA7F5211-C629-4711-BD82-7DFFB08CB518\Uninstall.exe"PC-Doctor for Windows --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F7CCFA3-D926-4882-B2A5-A0217ED25597}\Setup.exe" PC Inspector File Recovery --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime701\Intel32\Ctor.dll,LaunchSetup "C:\Program 
Files\InstallShield Installation Information\{0DD140D3-9563-481E-AA75-BA457CBDAEF2}\Setup.exe" -l0x9 Photosmart 140,240,7200,7600,7700,7900 Series --> C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\setup\hpzscr01.exe -datfile hphscr01.datPolar Bowler from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games5E21449-3BA3-42BF-BBDA-95205F4EA40A\Uninstall.exe"PS2 --> C:\WINDOWS\system32\ps2.exe uninstallPython 2.2 combined Win32 extensions --> C:\Python22\Lib\SITE-P~1\UNWISE~1.EXE C:\Python22\Lib\SITE-P~1\w32inst.logPython 2.2.1 --> C:\Python22\UNWISE.EXE C:\Python22\INSTALL.LOGQuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\System32\QuickTime\Uninstall.logRealOne Player --> C:\Program Files\Common Files\Real\Update_OB\rnuninst.exe RealNetworks|RealPlayer|6.0RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"Slyder from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\8BA6F58B-7A91-461F-95F8-E34F8BD8AA4E\Uninstall.exe"Sonic Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}SpamSubtract --> C:\PROGRA~1\INTERM~1\SPAMSU~1\UNWISE.EXE /U C:\PROGRA~1\INTERM~1\SPAMSU~1\INSTALL.LOGSpybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"StartupMonitor --> MsiExec.exe /I{76EFAC4F-1712-401F-B2AE-590B170C9BCE}ToolbarBrand --> regsvr32 /u /s "C:\Program Files\Hits2uToolbar\Hits2uToolbar.dll" Viewpoint Media Player (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /uYahoo! Browser Services --> C:\PROGRA~1\Yahoo!\Common\unyext.exeYahoo! 
Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Internet Mail --> C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Photos Easy Upload Tool --> C:\Program Files\Yahoo!\Common\ydropper_uninst.exe /ylog=C:\PROGRA~1\Yahoo!\Photos\Uploader\install.log
Yahoo! Photos Easy Upload Tool 1v7 --> C:\WINDOWS\system32\regsvr32 /u /s "C:\WINDOWS\cache\YDropper.dll"
Yahoo! Photos Print-at-Home Tool --> C:\WINDOWS\unins001.exe
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe
-- End of Deckard's System Scanner: finished at 2007-07-18 at 14:33:27 ---------
Thanks
Tman70
sari Posted July 19, 2007
tman,
Several questions for you.
1) Is this computer networked, and do you have a router?
2) Is Comcast your ISP?
I have some things for you to try - I'm putting them together in a response right now. However, there is a suspicious IP address that might be the source of your issue.
sari
tman70 Posted July 19, 2007 Author
sari,
Comcast is our ISP.
His computer is not networked.
We are both connected through the same 4-port router, Linksys model #BEFSR41 ver. 2.
We can access our respective paypal accounts from my computer as it has the paypal certificate.
His computer still has the snakeoil.dom certificate.
Is there any other information you need?
Tman70
sari Posted July 19, 2007
tman70,
What we're going to do is reset your network information, especially your DNS servers. The following line appears to be redirecting you:
O17 - HKLM\System\CCS\Services\Tcpip\..\{144F6782-9984-4E25-9848-BC7F1AA97616}: NameServer = 72.21.36.74
If I look up that address, it appears to go to a company called Layered Tech, in Texas, but it actually resolves to a Brazilian address.
This is what I'd like you to do. You may want to print these instructions, as I'm going to have you go offline for part of the fix.
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
O17 - HKLM\System\CCS\Services\Tcpip\..\{144F6782-9984-4E25-9848-BC7F1AA97616}: NameServer = 72.21.36.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{15CCB216-4184-4A68-B1CD-FCF69BC4CCAE}: NameServer = 72.21.36.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C6FC0D7-5F21-4ACB-8D12-623FC013CF14}: NameServer = 72.21.36.74
Now close all windows other than HiJackThis, then click Fix Checked.
I'm going to want you to shut off your router and your PCs for a while - at least an hour. Before you do, however, I need you to do the following on each PC:
Go to Start > Run and type cmd.
Type ipconfig /flushdns and hit enter.
Shut off your PCs. When you turn them back on, repeat the above command. Then type:
ipconfig /renew
That will get new network addresses for you. I know your PC is ok, but I'd rather clear them both and your router to be on the safe side.
After you've done that, please post a new hijackthis log and let me know if you can access Paypal properly on your son's machine.
Also, could you ask your son what files, if any, he deleted? I'd be curious to know if there was something he could pinpoint that might have been the source of this.
If you have any questions about my instructions, please ask before you follow them.
Thanks,
sari
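The three O17 lines above are the whole attack: every network adapter's NameServer registry value points at one outside host, so the machine asks the attacker's resolver where paypal.com is and gets the phishing server's address back, which is also why the TLS certificate did not match. Note that ipconfig /flushdns only empties the resolver cache; the NameServer value is a registry setting and survives a flush, which is why the HijackThis fix comes before the network reset. Below is an added example, not code from the thread or from HijackThis, that parses O17 lines from a HijackThis log, groups resolver addresses by interface GUID and flags any resolver that is neither on an administrator's allow-list nor a private LAN address. The sample lines are constructed after the ones quoted in this post; the allow-list entry 192.168.1.1 is an assumption (the factory LAN address of a Linksys BEFSR41), and the function and variable names are mine.

```python
"""Flag untrusted DNS servers in HijackThis O17 entries.

Added illustration; not HijackThis code.  The sample lines below are
constructed after the ones quoted in the thread.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: three interfaces pointing at the same public resolver,
# one interface pointing at a LAN router, plus an unrelated O23 line.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{144F6782-9984-4E25-9848-BC7F1AA97616}: NameServer = 72.21.36.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{15CCB216-4184-4A68-B1CD-FCF69BC4CCAE}: NameServer = 72.21.36.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C6FC0D7-5F21-4ACB-8D12-623FC013CF14}: NameServer = 72.21.36.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A0A0A0A-0A0A-0A0A-0A0A-0A0A0A0A0A0A}: NameServer = 192.168.1.1
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# Resolvers the administrator expects to see.  192.168.1.1 is an assumption
# (the BEFSR41's factory LAN address); add the ISP's resolvers if known.
TRUSTED_RESOLVERS = {"192.168.1.1"}

_O17 = re.compile(r"^O17 - (?P<path>.+?): (?P<key>\w+) = (?P<value>.*)$")
_GUID = re.compile(r"\{([0-9A-Fa-f-]{36})\}")


def parse_o17(log_text):
    """Return one dict per O17 line: registry path, interface GUID, key, servers."""
    entries = []
    for line in log_text.splitlines():
        m = _O17.match(line.strip())
        if not m:
            continue
        guid = _GUID.search(m.group("path"))
        # HijackThis joins several servers with commas or spaces; accept both.
        servers = [s for s in re.split(r"[,\s]+", m.group("value")) if s]
        entries.append({
            "path": m.group("path"),
            "interface": guid.group(1) if guid else None,
            "key": m.group("key"),
            "servers": servers,
        })
    return entries


def classify_server(server, trusted):
    """'trusted', 'private', 'public' or 'malformed' for one resolver string."""
    if server in trusted:
        return "trusted"
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return "malformed"
    return "private" if addr.is_private else "public"


def find_rogue_nameservers(log_text, trusted=TRUSTED_RESOLVERS):
    """Map each untrusted public (or malformed) resolver to the interfaces using it.

    Several adapters all carrying the same outside resolver that nobody
    configured is the pattern in this thread; a single adapter pointing at a
    resolver the user chose (OpenDNS, the ISP) is a legitimate hit to rule out.
    """
    hits = defaultdict(list)
    for e in parse_o17(log_text):
        if e["key"] not in ("NameServer", "DhcpNameServer"):
            continue
        for s in e["servers"]:
            if classify_server(s, trusted) in ("public", "malformed"):
                hits[s].append(e["interface"] or e["path"])
    return dict(hits)


if __name__ == "__main__":
    for server, ifaces in find_rogue_nameservers(SAMPLE_LOG).items():
        print(f"untrusted resolver {server} on {len(ifaces)} interface(s): {ifaces}")
```

The output is a lead, not a verdict: compare any flagged address with what the router hands out over DHCP (the DhcpNameServer value) and with the ISP's published resolvers before treating it as a hijack.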
tman70 Posted July 19, 2007 Author
sari,
Should I power down the cable modem also?
Tman70
sari Posted July 19, 2007
tman,
Sure. I want to clear all the network equipment of any existing IP addresses.
tman70 Posted July 19, 2007 Author
sari,
Thank you so much. What a relief.
That has eliminated the problem. Paypal site now works and the certificate is for paypal. My son had already changed his name and password thru my computer when this started so I guess he is safe there.
However he does not remember what he removed with the spyware and virus programs.
Do I need a special uninstaller for the programs you had me download to his desktop (dss.exe, smitfraudfix, GMER, combofix) or do I just delete them and do a search in the registry for leftovers?
Now I am going to start checking on removing a lot of compaq programs he doesn't need and see if I can clean his computer a little better.
Thanks again for the time and effort you put into this.
Tman70 :thumbsup: :thumbsup: :thumbsup:
Here is the HJT log
Logfile of HijackThis v1.99.1
Scan saved at 4:58:02 PM, on 7/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\StartupMonitor.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trafficswarm.com/cgi-bin/swarm....02de7a766c9c63d
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: TBSB06220 - {A519CE41-E431-407D-8A79-B8FA3FBEBD0A} - C:\PROGRA~1\HITS2U~1\HITS2U~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: eitheror - {2016a466-91a2-43c6-97d8-2fd380f065ef} - (no file)
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
sari Posted July 20, 2007
tman70,
You can just delete the programs I had you download.
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
O21 - SSODL: eitheror - {2016a466-91a2-43c6-97d8-2fd380f065ef} - (no file)
Now close all windows other than HiJackThis, then click Fix Checked.
That's just a leftover, but no point in leaving it in there. I'm glad everything is good now - it's not fun thinking your PC is compromised like that. I'm glad I could be of assistance.
sari