tcrumbly

Missing tray Icons, Norton Disabled, can't get to Network


My son's desktop started missing some icons in the system tray, related to Norton and dial-up internet. Some software stopped working altogether. Now, when the ISP is dialed, we get a connection, but the homepage does not show up in the web browser.

 

Norton did report several viruses, including Vundo, InfoStealer... I'm on an uninfected machine and don't have the log here. I can post it later if I can get Norton to come up. It sometimes starts if we keep restarting the PC. Here is a HijackThis log...

 

Logfile of HijackThis v1.99.1

Scan saved at 6:00:38 PM, on 5/22/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\spoolsv.exe

D:\ProgramFiles\Norton AntiVirus\navapsvc.exe

D:\ProgramFiles\Norton AntiVirus\IWP\NPFMntor.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\snmp.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

C:\WINDOWS\VM_STI.EXE

C:\WINDOWS\system32\dla\tfswctrl.exe

D:\ProgramFiles\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\Program Files\Lexmark 4300 Series\lxcemon.exe

C:\Program Files\Lexmark 4300 Series\ezprint.exe

C:\Program Files\ISP.COM High Speed\slipcore.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

D:\ProgramFiles\Zone Labs\ZoneAlarm\zlclient.exe

C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe

D:\ProgramFiles\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\ISP.COM High Speed\slipgui.exe

C:\WINDOWS\system32\lxcecoms.exe

C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

C:\WINDOWS\system32\wuauclt.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.scroogle.org/cgi-bin/scraper.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.isp.com/members/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\ProgramFiles\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: IE 4.x-6.x BHO for Free Downloads Accelerator - {98DE779A-2364-4293-AB71-2B97C61C4640} - C:\PROGRA~1\FREEDO~1\0.999\fdahlp.dll

O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - D:\ProgramFiles\Norton AntiVirus\NavShExt.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - (no file)

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx

O3 - Toolbar: FDA Bar - {9595C62C-76C6-49A6-9BDA-3253DD7A34FF} - C:\Program Files\Free Downloads Accelerator\0.999\fdabar.dll

O3 - Toolbar: &Quero - {A411D7F4-8D11-43EF-BDE4-AA921666388A} - d:\PROGRA~1\QUEROT~1\Quero.dll

O3 - Toolbar: ISP.COM High Speed - {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - C:\Program Files\ISP.COM High Speed\Toolband.dll

O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - D:\ProgramFiles\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [bigDogPath] C:\WINDOWS\VM_STI.EXE ZSMC USB PC Camera

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s

O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "D:\ProgramFiles\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16

O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"

O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"

O4 - HKLM\..\Run: [slipStream] "C:\Program Files\ISP.COM High Speed\slipcore.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ZoneAlarm Client] "d:\ProgramFiles\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [Anti Trojan Elite] D:\ProgramFiles\Anti Trojan Elite\TJEnder.exe :NO

O4 - HKCU\..\Run: [Regrun2] C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe

O4 - Global Startup: ISP.COM High Speed.lnk = C:\Program Files\ISP.COM High Speed\slipgui.exe

O4 - Global Startup: Microsoft Office.lnk = D:\ProgramFiles\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Download with Free Downloads Accelerator - C:\Program Files\Free Downloads Accelerator\0.999\fdaie.htm

O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\ISP.COM High Speed\gui_resource.dll/327

O8 - Extra context menu item: Show Original Image - res://C:\Program Files\ISP.COM High Speed\gui_resource.dll/328

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\samnsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\samnsp.dll

O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll

O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll

O15 - Trusted Zone: www.bankofamerica.com

O15 - Trusted Zone: www.bonddesk.com

O15 - Trusted Zone: www.bullionvault.com

O15 - Trusted Zone: www.bulltrade.com

O15 - Trusted Zone: *.online.cardmemberservices.com

O15 - Trusted Zone: www.chase.com

O15 - Trusted Zone: www.chaseonline.chase.com

O15 - Trusted Zone: *.chase.com

O15 - Trusted Zone: www.continental.com

O15 - Trusted Zone: *.continental.com

O15 - Trusted Zone: *.daysinnlebanon.com

O15 - Trusted Zone: *.dpsoft.com

O15 - Trusted Zone: *.ericsson.net

O15 - Trusted Zone: *.esquotes.com

O15 - Trusted Zone: www.etrade.com

O15 - Trusted Zone: www.everbank.com

O15 - Trusted Zone: *.faa.gov

O15 - Trusted Zone: *.fatwallet.com

O15 - Trusted Zone: www.goldmoney.com

O15 - Trusted Zone: www.hotmail.com

O15 - Trusted Zone: *.hotmail.com

O15 - Trusted Zone: *.https

O15 - Trusted Zone: *.investing-systems.com

O15 - Trusted Zone: *.irs.gov

O15 - Trusted Zone: http://www.isp.com

O15 - Trusted Zone: *.isp.com

O15 - Trusted Zone: virusscan.jotti.org

O15 - Trusted Zone: *.latindiscounters.com

O15 - Trusted Zone: *.lexmark.com

O15 - Trusted Zone: http://by122w.bay122.mail.live.com

O15 - Trusted Zone: http://onecare.live.com

O15 - Trusted Zone: *.mapquest.com

O15 - Trusted Zone: *.marvell.com

O15 - Trusted Zone: *.motorola.com

O15 - Trusted Zone: http://by109fd.bay109.hotmail.msn.com

O15 - Trusted Zone: http://by114fd.bay114.hotmail.msn.com

O15 - Trusted Zone: http://by135fd.bay135.hotmail.msn.com

O15 - Trusted Zone: http://by19fd.bay19.hotmail.msn.com

O15 - Trusted Zone: www.hotmail.msn.com

O15 - Trusted Zone: *.netfaqs.com

O15 - Trusted Zone: *.nhti.edu

O15 - Trusted Zone: *.nmfn.com

O15 - Trusted Zone: *.northwesternmutual.com

O15 - Trusted Zone: http://*.stockcharts.com

O15 - Trusted Zone: *.stocksignalpro.com

O15 - Trusted Zone: *.symantec.com

O15 - Trusted Zone: www.t-mobile.com

O15 - Trusted Zone: *.t-mobile.com

O15 - Trusted Zone: www.techguy.org

O15 - Trusted Zone: *.techguy.org

O15 - Trusted Zone: *.thestreet.com

O15 - Trusted Zone: *.treasurydirect.gov

O15 - Trusted Zone: *.virustotal.com

O15 - Trusted Zone: www.etrade.wallst.com

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab

O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://rvi.us.ericsson.net/dana-cac...erSetupSP1.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{E22BE2EE-E9C3-45C1-8359-5246381A93E1}: NameServer = 209.210.176.9 209.210.176.8

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: !SASWinLogon - D:\ProgramFiles\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: 3Com DMI Agent (3ComDMIService) - - (no file)

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - D:\ProgramFiles\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - D:\ProgramFiles\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

O23 - Service: NuTCRACKER Service (NuTCRACKERService) - DataFocus, Inc. - C:\WINDOWS\System32\nutsrv4.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: ProgramCheckerPro (sassvc) - Unknown owner - D:\ProgramFiles\Zenturi\ProgramChecker\sassvc.exe

O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - D:\ProgramFiles\Norton AntiVirus\SAVScan.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

 

Any help would be appreciated :thud:

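The log above, as an added example that is not part of the original post and not HijackThis's own code: a small Python triage script that reads HijackThis-style entry lines and flags the entry types an analyst looks at first (a browser proxy forced onto loopback, trusted-zone patterns that are not hostnames, entries whose file is missing, services with no publisher name, Winsock LSPs, per-adapter DNS servers and Winlogon Notify DLLs). The heuristics are my assumptions about what deserves a second look, not a verdict on any entry, and the sample lines are copied from the first log in this thread.

```python
"""Triage heuristics for HijackThis-style log lines (added example, not HijackThis code)."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: entry lines copied from the first log in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.scroogle.org/cgi-bin/scraper.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - (no file)
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - D:\ProgramFiles\Norton AntiVirus\NavShExt.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\samnsp.dll
O15 - Trusted Zone: *.https
O15 - Trusted Zone: www.chase.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{E22BE2EE-E9C3-45C1-8359-5246381A93E1}: NameServer = 209.210.176.9 209.210.176.8
O20 - Winlogon Notify: !SASWinLogon - D:\ProgramFiles\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: 3Com DMI Agent (3ComDMIService) - - (no file)
O23 - Service: ProgramCheckerPro (sassvc) - Unknown owner - D:\ProgramFiles\Zenturi\ProgramChecker\sassvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
# Both "ProxyServer = http=127.0.0.1:5400" and "ProxyServer = http://proxy1:8081/" occur in the thread.
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?:\w+=)?(?:\w+://)?(?P<host>[^:/\s]+)")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code, e.g. "O23"
    reason: str   # why the entry deserves a second look
    line: str     # the original log line


def parse_entry(line):
    """Return (section, body) for an entry line such as 'O23 - Service: ...', else None."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("sec"), m.group("body")) if m else None


def check_entry(section, body, line):
    """Apply the triage heuristics (assumptions, see lead-in) to one parsed entry."""
    out = []
    if section == "R1" and "ProxyServer" in body:
        m = PROXY_RE.search(body)
        host = m.group("host") if m else "?"
        # A proxy on loopback means something local sits between the browser and the network.
        if host in LOOPBACK:
            out.append(Finding(section, "proxy points at loopback host " + host, line))
        else:
            out.append(Finding(section, "proxy configured: " + host, line))
    if section in ("O2", "O3", "O4", "O23") and "(no file)" in body:
        out.append(Finding(section, "entry refers to a file that is missing", line))
    if section == "O23" and "Unknown owner" in body:
        out.append(Finding(section, "service has no publisher name", line))
    if section == "O10":
        out.append(Finding(section, "third-party Winsock LSP: confirm the vendor", line))
    if section == "O15":
        # Strip the scheme and a leading wildcard; what is left should be a real hostname.
        target = re.sub(r"^\w+://", "", body.split(":", 1)[1].strip())
        if target.startswith("*."):
            target = target[2:]
        if "." not in target:
            out.append(Finding(section, "trusted-zone pattern is not a hostname: " + target, line))
    if section == "O17":
        out.append(Finding(section, "DNS servers set on an adapter: " + " ".join(IPV4_RE.findall(body)), line))
    if section == "O20":
        out.append(Finding(section, "Winlogon Notify DLL loads at logon: confirm the vendor", line))
    return out


def triage(text):
    """Parse every entry line in a log and return the list of findings."""
    findings = []
    for line in text.splitlines():
        parsed = parse_entry(line)
        if parsed:
            findings.extend(check_entry(parsed[0], parsed[1], line.strip()))
    return findings


def summarize(findings):
    """Count findings per HijackThis section."""
    return dict(Counter(f.section for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run it as-is to print the findings for the sample, or call `triage()` on the text of a full log. A finding means "confirm this", not "malicious": the O10 LSP and the O20 Notify DLL in the sample belong to products that appear elsewhere in the same log, which is exactly the check the publisher column on an O23 line and the file path on the others are there to support. The loopback proxy on the R1 line is the one entry in this sample that directly explains a browser that connects but never shows its home page.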

Hi and welcome

 

I see two active and running firewalls:

Norton AntiVirus Firewall

Zone Labs Firewall

 

This can lead to major conflicts and issues that can leave a computer not running as it should, along with high CPU usage.

 

Is your subscription to Norton valid and up to date?

One needs to be disabled or uninstalled. If you need to remove your Norton package, let me know and I can provide a removal tool and supply you with a list of free antivirus and firewall software if needed.

 

 

 

Download ComboFix from Here or Here to your Desktop.

  • Double-click combofix.exe and follow the prompts.
  • When finished, it will produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

 

 

Please post the ComboFix log and a new HJT log.


Hi, thanks.

My Norton was going to expire. My plans were to switch over to Norton 360, but then I got hit by this trojan. It's going to expire any day now, so I might as well uninstall it and install one of your recommended scanners.

 

I loaded Zone Alarm because Norton failed to stop the trojan from accessing the internet. I can watch it working on the TaskMgr/Networking meter and from TCPView.

 

If I end up reformatting the drive, I'll load on Norton 360.

 

If you can reply with your scan recommendation, I'll load it on. The computer is remote, so I can only get on it at night.

 

I'll run ComboFix and HijackThis in non-safe mode... right!?

 

The reason I ask is that the PC only runs stable in safe mode. It looks like it's only a matter of time before it won't boot outside of safe mode. Each time it boots, it takes longer and longer before the icons come up. I can't use F8 (the advanced menu won't come up) to enter safe mode; I have to use msconfig and the BOOT.INI /SAFEBOOT setting to get there.

 

Any chance I can run HijackThis and ComboFix in safe mode? I know the PC will come back up after it boots.

 

 

:)

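The BOOT.INI route into safe mode that the post above describes, as an added example (not from the original thread): ticking /SAFEBOOT on msconfig's BOOT.INI tab appends the /safeboot switch to the default entry, which forces every boot into safe mode. Adding separately labelled entries instead gives a boot menu from which normal or safe mode can be chosen without the F8 menu ever appearing. The ARC path, the labels and the /noexecute=optin switch are assumptions about a typical single-disk XP SP2 install; copy the entry that is already in your own boot.ini rather than these.

```ini
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP - Safe Mode with Networking" /noexecute=optin /fastdetect /safeboot:network
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP - Safe Mode" /noexecute=optin /fastdetect /safeboot:minimal
```

With more than one entry and a timeout above zero, the loader shows this menu at every boot. /safeboot:network is the one to pick when antivirus definitions need updating; /safeboot:minimal loads the fewest drivers and services. Remove the extra lines (or untick /SAFEBOOT in msconfig) once cleaning is finished so the machine returns to a normal boot.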

Welcome back

 

Can you remember the name of the trojan?

 

 

If things can only be run in safe mode for the time being, that's what we will have to do.

 

What I suggest now is:

Download an antivirus to the desktop... don't install it yet.

You already have the firewall.

 

 

AVG,

Avira

Avast!

Clamwin's Free AntiVirus

are good free antivirus programs. Never install more than one antivirus scanner on your system.

 

 

 

 

 

 

Download the Norton uninstall tool to the desktop... don't use it yet.

 

To fully remove Norton AntiVirus, you should go here before uninstalling, download the files and print the instructions for removal, and follow them after uninstalling NAV:

How to uninstall Norton AntiVirus 2004/2005/2006

(note: this removes ALL Norton 2004/2005/2006 products from your computer, and also uninstalls Norton Ghost 10.0/9.0/2003)

How to uninstall Norton AntiVirus 2003 or Norton AntiVirus 2003 Professional Edition

How to uninstall Norton AntiVirus 2000/2001/2002

 

You can also add this article/tutorial in the removal instructions in case there are additional problems after/during removing Norton:

http://basconotw.mvps.org/SymRem.htm

uninstalling Symantec applications

 

 

Disconnect your computer from the internet (cable or DSL) so no connection is open.

 

Go to Add/Remove Programs and uninstall what you can there first.

Go to the desktop and run the Norton removal tool.

 

Next, install the antivirus you downloaded to the desktop.

Connect back to the internet, check for virus definition updates, then run a complete scan.

Allow it to delete or quarantine anything it finds.

 

 

Then continue with the ComboFix scan.


Hi, I've got the log files. Unfortunately, my son's user name is in some of the paths in the log files, so I've replaced it with xxxx xxxxx... just so you know.

 

So, I've removed Norton and then used the removal tool as you said.

 

Then I installed AVG and ran a scan. I guess Norton removed the infection to a point where AVG couldn't detect any infection.

 

Then I ran ComboFix...

 

 

 

Norton follows....

Norton Quarantine and Restore Report

Created: Wednesday, May 30, 2007 6:10:26 PM

File Name | Location | Status | Size | Risk Name | User Name Machine Name Domain | Date Quarantined | Submitted to Symantec
noname.htm | D:\Temp\Tools04-CD1\DVDTools\DvdEdit | Backup | 7.11 KB | Adware.Istbar | -DESKTOP WIN | Thursday, May 17, 2007 9:44:05 PM | Not submitted
win1B0.tmp.exe | C:\WINDOWS\Temp | Backup of an infected file | 69.5 KB | Downloader.Trojan | -DESKTOP WIN | Sunday, May 20, 2007 8:54:00 PM | Not submitted
win1A5.tmp.exe | C:\WINDOWS\Temp | Quarantined | 26.0 KB | Trojan Horse | -DESKTOP WIN | Monday, May 21, 2007 6:14:53 PM | Not submitted
DUMMY_FILE |  | Backup of an infected file | 0 bytes | Unknown (DUMMY_FILE) | -DESKTOP WIN | Monday, May 21, 2007 6:42:14 PM | Not submitted
stopinst.exe | C:\Program Files\Free Downloads Accelerator\0.999 | Backup | 38.1 KB | SecurityRisk.Downldr | -DESKTOP WIN | Thursday, May 17, 2007 8:59:27 PM | Not submitted
AVICodecPackLite3.exe | D:\Temp | Backup | 1.38 MB | Adware.WebDir | -DESKTOP WIN | Thursday, May 17, 2007 9:31:06 PM | Not submitted
STRBRUIR.DLL | C:\Documents and Settings\ \My Documents\RegRun2\quarantine | Backup of an infected file | 48.0 KB | Trojan.Vundo | -DESKTOP WIN | Monday, May 21, 2007 6:01:56 PM | Not submitted
mst1AF.tmp | C:\WINDOWS\Temp | Quarantined | 91.5 KB | Trojan Horse | -DESKTOP WIN | Sunday, May 20, 2007 8:53:58 PM | Not submitted
yazzle1162oinadmin.exe | c:\program files\common files | Backup | 143 KB | Adware.Purityscan | -DESKTOP WIN | Monday, May 21, 2007 6:17:29 PM | Not submitted
yaequfkm.dll | c:\WINDOWS\system32 | Backup | 59.5 KB | Adware.Purityscan | -DESKTOP WIN | Sunday, May 20, 2007 9:23:12 PM | Not submitted
drvdof.dll | C:\WINDOWS\system32 | Quarantined | 91.5 KB | Trojan Horse | -DESKTOP WIN | Sunday, May 20, 2007 8:52:46 PM | Not submitted
DUMMY_FILE |  | Backup | 0 bytes | Unknown (DUMMY_FILE) | -DESKTOP WIN | Thursday, May 17, 2007 9:44:12 PM | Not submitted
oiuninstaller.exe | i: | Backup | 107 KB | Adware.MediaTicket | -DESKTOP WIN | Monday, May 21, 2007 6:43:09 PM | Not submitted
k.exe |  | Backup | 34.0 KB | Adware.VirtuMonde | -DESKTOP -DESKTOP | Friday, May 25, 2007 6:24:08 PM | Not submitted

 

Then ComboFix

"xxxx xxxx" - 2007-05-30 19:06:22 Service Pack 2

ComboFix 07-05.27.BV - Running from: "C:\Documents and Settings\xxxx xxxx\Desktop\"

 

 

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

 

-- Purity Folders:

 

C:\WINDOWS\system32\YMANTE~1

 

 

 

((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-30 ))))))))))))))))))))))))))))))))))

 

 

2007-05-30 18:05 <DIR> d-------- C:\ScanUtils5_22

2007-05-29 20:07 86,016 --a------ C:\WINDOWS\system32\sliprt.dll

2007-05-29 20:07 <DIR> d-------- C:\Program Files\ISP.COM High Speed

2007-05-29 20:01 <DIR> d-------- C:\Program Files\LookInMyPC

2007-05-22 17:04 <DIR> d-------- C:\DOCUME~1\XXXXXX~1\APPLIC~1\SUPERAntiSpyware.com

2007-05-22 17:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com

2007-05-22 14:56 49,152 --a------ C:\WINDOWS\nircmd.exe

2007-05-22 13:03 3,374 --a------ C:\WINDOWS\system32\tmp.reg

2007-05-22 00:07 75,512 --a------ C:\WINDOWS\zllsputility.exe

2007-05-22 00:07 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat

2007-05-22 00:07 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll

2007-05-22 00:07 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs

2007-05-21 20:07 <DIR> d-------- C:\!KillBox

2007-05-21 18:57 <DIR> d-------- C:\DOCUME~1\XXXXXX~1\APPLIC~1\Lavasoft

2007-05-21 18:36 <DIR> d-------- C:\Documents and Settings\XXXXXX~1\DoctorWeb

2007-05-21 18:36 <DIR> d-------- C:\DOCUME~1\XXXXXX~1\DoctorWeb

2007-05-21 17:41 <DIR> d-------- C:\VundoFix Backups

2007-05-21 00:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Prevx

2007-05-21 00:03 77,312 --a------ C:\WINDOWS\ua2.dll

2007-05-20 21:46 19,456 --a------ C:\WINDOWS\system32\Partizan.exe

2007-05-20 21:34 25,773 --a------ C:\WINDOWS\system32\drivers\regguard.sys

2007-05-20 21:34 (2) -rahs-ot- C:\WINDOWS\winstart.bat

2007-05-20 21:30 <DIR> d-------- C:\Program Files\Greatis

2007-05-20 13:39 <DIR> d-------- C:\Program Files\Common Files\àdobe

2007-05-19 16:02 <DIR> d-------- C:\Program Files\ISP.COM Internet Services

2007-05-17 18:53 10,344 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys

2007-05-16 19:31 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Help

2007-05-16 19:23 10,223,616 --a------ C:\Documents and Settings\XXXXXX~1\ntuser.dat

2007-05-16 19:23 10,223,616 --a------ C:\DOCUME~1\XXXXXX~1\ntuser.dat

2007-05-13 21:15 <DIR> d-------- C:\DOCUME~1\XXXXXX~1\APPLIC~1\Thunderbird

2007-05-13 12:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy

2007-04-20 20:12 21,504 --a------ C:\WINDOWS\system32\hidserv.dll

2007-04-20 20:11 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys

2007-04-14 17:12 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Juniper Networks

2007-04-11 18:14 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Juniper Networks

2007-04-11 18:03 <DIR> d-------- C:\Program Files\Neoteris

2007-04-11 17:55 <DIR> d-------- C:\DOCUME~1\XXXXXX~1\APPLIC~1\Juniper Networks

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-05-30 22:35:40 -------- d-----w C:\DOCUME~1\XXXXXX~1\APPLIC~1\Symantec

2007-05-30 22:33:57 -------- d-----w C:\Program Files\Common Files\Symantec Shared

2007-05-30 00:05:54 -------- d-----w C:\DOCUME~1\XXXXXX~1\APPLIC~1\SlipStream

2007-05-22 21:03:57 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2007-05-21 01:25:19 -------- d-----w C:\Program Files\Common Files\?dobe

2007-05-20 17:09:36 -------- d-----w C:\Program Files\Lx_cats

2007-05-16 23:31:14 -------- d-----w C:\DOCUME~1\XXXXXX~1\APPLIC~1\FaxCtr

2007-05-16 23:31:07 -------- d-----w C:\Program Files\NCH Swift Sound

2007-05-13 15:47:01 1 ---ha-w C:\WINDOWS\system32\m3.dll

2007-05-08 00:56:08 -------- d-----w C:\DOCUME~1\XXXXXX~1\APPLIC~1\VideoReDoPlus

2007-04-26 23:31:14 -------- d-----w C:\Program Files\Lexmark Fax Solutions

2007-04-01 20:15:24 10,022 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys

2007-04-01 10:37:42 -------- d-----w C:\DOCUME~1\XXXXXX~1\APPLIC~1\Skype

2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll

2007-03-15 00:20:48 87,608 ----a-w C:\DOCUME~1\XXXXXX~1\APPLIC~1\ezpinst.exe

2007-03-15 00:20:48 47,360 ----a-w C:\DOCUME~1\XXXXXX~1\APPLIC~1\pcouffin.sys

2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll

2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll

2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll

2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=D:\ProgramFiles\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 02:56]

{4115122B-85FF-4DD3-9515-F075BEDE5EB5}=C:\Program Files\ISP.COM High Speed\PBHelper.dll [2006-11-30 13:51]

{53707962-6F74-2D53-2644-206D7942484F}=D:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]

{5CA3D70E-1895-11CF-8E15-001234567890}=C:\WINDOWS\system32\dla\tfswshx.dll [2003-02-07 01:03]

{98DE779A-2364-4293-AB71-2B97C61C4640}=C:\PROGRA~1\FREEDO~1\0.999\fdahlp.dll [2003-08-29 09:37]

{AE7CD045-E861-484f-8273-0445EE161910}=D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004-12-14 03:13]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 20:28]

"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2003-05-30 13:42]

"nwiz"="nwiz.exe" []

"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2005-07-12 05:36]

"Acrobat Assistant 7.0"="D:\ProgramFiles\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 03:12]

"lxcemon.exe"="C:\Program Files\Lexmark 4300 Series\lxcemon.exe" [2005-08-02 13:45]

"EzPrint"="C:\Program Files\Lexmark 4300 Series\ezprint.exe" [2005-07-26 08:17]

"ZoneAlarm Client"="d:\ProgramFiles\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 01:02]

"Anti Trojan Elite"="D:\ProgramFiles\Anti Trojan Elite\TJEnder.exe" []

"SlipStream"="C:\Program Files\ISP.COM High Speed\slipcore.exe" [2006-11-30 13:51]

"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-05-30 18:39]

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]

"RunNarrator"=Narrator.exe

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{24A42960-A7F8-11CF-8121-0020AFB5213D}"="d:\PROGRA~1\MKSTOO~1\XVision\SYSTEM\zonehook.dll" [1999-01-13 20:39]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="D:\ProgramFiles\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

D:\ProgramFiles\SUPERAntiSpyware\SASWINLO.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]

path=c:\Documents and Settings\All Users\Start Menu\Programs\Quicken\Billminder.lnk

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^palstart.exe]

backup=C:\WINDOWS\pss\palstart.exeCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]

backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]

backup=C:\WINDOWS\pss\Quicken Startup.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Vision Services.lnk]

backup=C:\WINDOWS\pss\Vision Services.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ZoneAlarm.lnk]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]

C:\Program Files\dvd43\dvd43_tray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NuTCSetupEnviron]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"wuauserv"=2 (0x2)

"LmHosts"=2 (0x2)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc

 

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

 

*Newly Created Service* - AVG7ALRT

*Newly Created Service* - AVG7CORE

*Newly Created Service* - AVG7RSW

*Newly Created Service* - AVG7RSXP

*Newly Created Service* - AVG7UPDSVC

*Newly Created Service* - AVGCLEAN

*Newly Created Service* - AVGEMS

*Newly Created Service* - AVGTDI

 

********************************************************************

 

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-05-30 19:07:25

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

AppInit_DLLs = ????????????

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

 

********************************************************************

 

Completion time: 2007-05-30 19:08:03

C:\ComboFix-quarantined-files.txt ... 2007-05-30 19:07

C:\ComboFix2.txt ... 2007-05-22 19:14

 

And HijackThis...

Scan saved at 7:22:54 PM, on 5/30/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\WINDOWS\VM_STI.EXE

C:\WINDOWS\system32\dla\tfswctrl.exe

D:\ProgramFiles\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\Program Files\Lexmark 4300 Series\lxcemon.exe

C:\Program Files\Lexmark 4300 Series\ezprint.exe

D:\ProgramFiles\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\ISP.COM High Speed\slipcore.exe

C:\Program Files\ISP.COM High Speed\slipgui.exe

C:\WINDOWS\system32\lxcecoms.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\Program Files\Grisoft\AVG7\avgcc.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Xxxxx Xxxxx\Desktop\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.scroogle.org/cgi-bin/scraper.htm

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy1:8081/

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\ProgramFiles\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\ISP.COM High Speed\PBHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: IE 4.x-6.x BHO for Free Downloads Accelerator - {98DE779A-2364-4293-AB71-2B97C61C4640} - C:\PROGRA~1\FREEDO~1\0.999\fdahlp.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - (no file)

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx

O3 - Toolbar: FDA Bar - {9595C62C-76C6-49A6-9BDA-3253DD7A34FF} - C:\Program Files\Free Downloads Accelerator\0.999\fdabar.dll

O3 - Toolbar: &Quero - {A411D7F4-8D11-43EF-BDE4-AA921666388A} - d:\PROGRA~1\QUEROT~1\Quero.dll

O3 - Toolbar: ISP.COM High Speed - {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - C:\Program Files\ISP.COM High Speed\Toolband.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s

O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "D:\ProgramFiles\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"

O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"

O4 - HKLM\..\Run: [ZoneAlarm Client] "d:\ProgramFiles\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [Anti Trojan Elite] D:\ProgramFiles\Anti Trojan Elite\TJEnder.exe :NO

O4 - HKLM\..\Run: [slipStream] "C:\Program Files\ISP.COM High Speed\slipcore.exe"

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - Global Startup: ISP.COM High Speed.lnk = C:\Program Files\ISP.COM High Speed\slipgui.exe

O4 - Global Startup: Microsoft Office.lnk = D:\ProgramFiles\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Download with Free Downloads Accelerator - C:\Program Files\Free Downloads Accelerator\0.999\fdaie.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll

O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll

O15 - Trusted Zone: www.bankofamerica.com

O15 - Trusted Zone: www.bullionvault.com

O15 - Trusted Zone: www.bulltrade.com

O15 - Trusted Zone: www.continental.com

O15 - Trusted Zone: *.continental.com

O15 - Trusted Zone: *.ericsson.net

O15 - Trusted Zone: *.esquotes.com

O15 - Trusted Zone: www.etrade.com

O15 - Trusted Zone: www.everbank.com

O15 - Trusted Zone: *.faa.gov

O15 - Trusted Zone: *.hotmail.com

O15 - Trusted Zone: *.investing-systems.com

O15 - Trusted Zone: *.irs.gov

O15 - Trusted Zone: http://www.isp.com

O15 - Trusted Zone: *.isp.com

O15 - Trusted Zone: virusscan.jotti.org

O15 - Trusted Zone: *.latindiscounters.com

O15 - Trusted Zone: *.lexmark.com

O15 - Trusted Zone: http://by122w.bay122.mail.live.com

O15 - Trusted Zone: http://onecare.live.com

O15 - Trusted Zone: *.motorola.com

O15 - Trusted Zone: www.hotmail.msn.com

O15 - Trusted Zone: *.netfaqs.com

O15 - Trusted Zone: *.northwesternmutual.com

O15 - Trusted Zone: http://*.stockcharts.com

O15 - Trusted Zone: *.stocksignalpro.com

O15 - Trusted Zone: *.symantec.com

O15 - Trusted Zone: www.t-mobile.com

O15 - Trusted Zone: *.t-mobile.com

O15 - Trusted Zone: www.techguy.org

O15 - Trusted Zone: *.thestreet.com

O15 - Trusted Zone: *.treasurydirect.gov

O15 - Trusted Zone: *.virustotal.com

O15 - Trusted Zone: www.etrade.wallst.com

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://rvi.us.ericsson.net/dana-cached/set...perSetupSP1.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: !SASWinLogon - D:\ProgramFiles\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: 3Com DMI Agent (3ComDMIService) - - (no file)

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe

O23 - Service: NuTCRACKER Service (NuTCRACKERService) - DataFocus, Inc. - C:\WINDOWS\System32\nutsrv4.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: ProgramCheckerPro (sassvc) - Unknown owner - D:\ProgramFiles\Zenturi\ProgramChecker\sassvc.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

 

 

Just to let you know, the PC can connect to the ISP, but the web browser can't bring up a home page and cannot be used to surf the internet. I do see activity still over the internet from the infection.


Welcome back

 

 

You have homework to do here.

 

Print out or save to Notepad these instructions; Safe Mode will be used and you'll have no connection to this page for viewing.

 

 

Go to the Start menu, and click on Control Panel. Choose Add/Remove Programs and remove any of the following that are listed:

 

ClickSpring

Cowabanga by OIN

ipwindows / ipwins

MediaTickets

MediaTickets by OIN

OIN

Outer Info Network

PurityScan

PurityScan by OIN

Snowball Wars by OIN

TizzleTalk

TizzleTalk by OIN

Yazzle by OIN

Yazzle ActiveX by OIN

Yazzle Cowabanga by OIN

Yazzle Kobe :filtered:! By OIN

Yazzle Picster by OIN

Yazzle Snowball Wars by OIN

Yazzle Sudoku by OIN

Zolero Translator

(Anything else with the word "OIN" or "Outer Info Network" or "Yazzle" in them)

If not listed, download and run this uninstaller:

http://www.outerinfo.com/OiUninstaller.exe

Tutorial for the uninstaller if needed

http://www.outerinfo.com/howto.html

 

I also see Paltalk is installed here. I do not recommend Paltalk since it has a questionable reputation, so I suggest you uninstall it.

A better/safer alternative is Skype

 

 

Using Windows Explorer, search for and, if found, delete these files/folders in bold

C:\Program Files\PurityScan <-folder

D:\Temp\Tools04-CD1\DVDTools

C:\WINDOWS\Temp\win1B0.tmp.exe

C:\WINDOWS\system32\tmp.reg

C:\VundoFix Backups

 

Reboot, and let me know if some of these files and folders would not delete.

 

 

Open HJT and click Scan Only, then place a check by these entries

 

O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - (no file)

O15 - Trusted Zone: www.bankofamerica.com

O15 - Trusted Zone: www.bullionvault.com

O15 - Trusted Zone: www.bulltrade.com

O15 - Trusted Zone: www.continental.com

O15 - Trusted Zone: *.continental.com

O15 - Trusted Zone: *.ericsson.net

O15 - Trusted Zone: *.esquotes.com

O15 - Trusted Zone: www.etrade.com

O15 - Trusted Zone: www.everbank.com

O15 - Trusted Zone: *.faa.gov

O15 - Trusted Zone: *.hotmail.com

O15 - Trusted Zone: *.investing-systems.com

O15 - Trusted Zone: *.irs.gov

O15 - Trusted Zone: http://www.isp.com

O15 - Trusted Zone: *.isp.com

O15 - Trusted Zone: virusscan.jotti.org

O15 - Trusted Zone: *.latindiscounters.com

O15 - Trusted Zone: *.lexmark.com

O15 - Trusted Zone: http://by122w.bay122.mail.live.com

O15 - Trusted Zone: http://onecare.live.com

O15 - Trusted Zone: *.motorola.com

O15 - Trusted Zone: www.hotmail.msn.com

O15 - Trusted Zone: *.netfaqs.com

O15 - Trusted Zone: *.northwesternmutual.com

O15 - Trusted Zone: http://*.stockcharts.com

O15 - Trusted Zone: *.stocksignalpro.com

O15 - Trusted Zone: *.symantec.com

O15 - Trusted Zone: www.t-mobile.com

O15 - Trusted Zone: *.t-mobile.com

O15 - Trusted Zone: www.techguy.org

O15 - Trusted Zone: *.thestreet.com

O15 - Trusted Zone: *.treasurydirect.gov

O15 - Trusted Zone: *.virustotal.com

O15 - Trusted Zone: www.etrade.wallst.com

 

Close all windows and browsers except HJT and click Fix Checked.

 

 

Please download VundoFix.exe to your desktop.

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

 

 

 

Download SDFix and save it to your Desktop.

 

Double click SDFix.exe and it will extract the files to %systemdrive%

(Drive that contains the Windows Directory, typically C:\SDFix)

 

Please then reboot your computer in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt

    (Report.txt will also be copied to Clipboard ready for posting back on the forum).

  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

 

 

Sometimes a bad DNS entry is cached.

To get rid of it, go to Start > Run, and in the Open area type in: cmd

 

At the command prompt, copy/paste the following:

 

ipconfig /flushdns

 

Type: Exit to go out of the command prompt.

 

 

 

Now let's check some settings on your system.

Enter your Control Panel and double-click on Network Connections

Then right click on your Default Connection

Usually Local Area Connection for Cable and DSL

Left click on Properties

Double-Click on the Internet Protocol (TCP/IP) item

Select the radio dial that says Obtain DNS Servers Automatically

Press OK twice to get out of the properties screen and reboot if it asks.

 

 

Please download ATF Cleaner by Atribune and save it to your desktop.

 

 

 

 

Download AVG Anti-Spyware 7.5 from Here

And save that file to your desktop.

  • Once you have downloaded AVG Anti-Spyware, locate the icon on your desktop and double-click it to launch the setup program.
  • Once the setup is complete you will need to run AVG Anti-Spyware 7.5 and update the definition files.
  • On the main screen select the "Update" icon, then select the "Update Now" link.
  • Next select the "Start Update" button; the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the Scanner icon at the top of the screen, then select the Settings tab.
  • Once in the Settings screen click on "Recommended Actions" and then select "Quarantine". <-- VERY IMPORTANT
  • Under "Reports":

    Select "Automatically generate report after every scan"

    Un-Select "Only if threats were found"

 

 

Please reboot your computer in Safe Mode by doing the following:

1) Restart your computer

2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.

3) Instead of Windows loading as normal, a menu should appear

4) Use the up arrow key to highlight Safe Mode and press Enter.

5) Login with your usual account. Make sure to close any open browsers.

 

 

 

Double-click ATF-Cleaner.exe to run the program.

  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.

    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.

    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

 

 

 

Important: Do not open any other windows or programs while AVG is scanning, it may interfere with the scanning process:

  • Launch AVG Anti-Spyware 7.5 by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete Scan".
  • AVG will now begin the scanning process; be patient, this may take a little time to complete.
Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system. (Make sure to remember where you have saved the file, this is important.)
  • Close AVG Anti-Spyware 7.5 and reboot your system back into Normal Mode
IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.

AVG Anti-Spyware is free for 30 days and all the extensions of the full version will be activated. After the 30 day trial, active protection extensions will be deactivated and the program will turn into a feature-limited freeware version that you can continue to use as an on-demand scanner or you may purchase a license to use the full version.

 

 

In your reply please post

C:\vundofix.txt

SDFix Report.txt

AVG Anti-Spyware log

New HJT log

Comments on internet connection and browsing

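An added example, not from this thread or from any of the tools it mentions, that automates the triage the helper does by hand on the HijackThis log above: it parses the Rn/On entry lines and flags O15 Trusted Zone sites and O2/O23 registrations with no backing file, and, one step beyond the helper's list, the R1 proxy override that appears in the first log. The sample lines are constructed in the shape of the posted log; the function and class names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the HijackThis 1.99.1 log posted above:
# a few entry lines of each kind the helper cares about (abbreviated log).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.scroogle.org/cgi-bin/scraper.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy1:8081/
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - (no file)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O15 - Trusted Zone: www.bankofamerica.com
O15 - Trusted Zone: *.hotmail.com
O15 - Trusted Zone: http://*.stockcharts.com
O23 - Service: 3Com DMI Agent (3ComDMIService) - - (no file)
"""

# Every HijackThis entry line starts with a section tag (R0, O2, O15, ...),
# a spaced hyphen, then the entry body. Header and process lines do not.
HJT_ENTRY = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section tag, e.g. "O15"
    entry: str     # the entry body as it appears in the log
    reason: str    # why a defender would want to look at it


def parse_entries(log_text):
    """Yield (section, body) for each entry line; skip everything else."""
    for raw in log_text.splitlines():
        m = HJT_ENTRY.match(raw.strip())
        if m:
            yield m.group("section"), m.group("body")


def triage(log_text):
    """Apply the checks the helper applied by hand, plus the proxy check."""
    findings = []
    for section, body in parse_entries(log_text):
        if section == "O15" and body.startswith("Trusted Zone:"):
            findings.append(Finding(section, body,
                "site in the IE Trusted Zone: relaxed security settings apply to it; "
                "remove unless it was added deliberately"))
        elif section in ("O2", "O23") and body.endswith("(no file)"):
            findings.append(Finding(section, body,
                "registration points at a file that no longer exists: orphaned entry, "
                "safe to fix"))
        elif section == "R1" and "ProxyServer" in body:
            findings.append(Finding(section, body,
                "proxy override: confirm it belongs to the ISP software, since a "
                "silently injected proxy sees every request the browser makes"))
    return findings


def trusted_zone_hosts(log_text):
    """Return the host patterns from O15 entries, with any scheme stripped."""
    hosts = []
    for section, body in parse_entries(log_text):
        if section == "O15" and body.startswith("Trusted Zone:"):
            host = body[len("Trusted Zone:"):].strip()
            hosts.append(re.sub(r"^https?://", "", host))
    return hosts


def count_by_section(findings):
    """Summarise findings as {section: count}, handy for a quick reply."""
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.entry}\n    -> {f.reason}")
    print(count_by_section(triage(SAMPLE_LOG)))
```

Paste a full log into SAMPLE_LOG (or read it from a file) to get the same list of entries the helper asked to have checked in HJT.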

Didn't find anything in Add/Remove programs from the list you gave me.

 

I couldn't find that PalTalk was installed. I had deinstalled that months ago.

 

I could not update AVG or AVG Anti-Spyware because I cannot get an internet connection. My ISP connects, but the web browser comes up with a failed connection. I played with my Windows Firewall to try to get it going and I get

 

"Windows cannot start the windows firewall, internet connection sharing server (ICS)" ...something to that effect.

 

 

So I effectively have no internet connection... logs follow.

 

I tried a scan using VundoFix a while ago... and it did find some files...

 

I did notice that even though I don't have internet access... there is absolutely no activity from the trojan. I see no network activity at all... dead.

 

VundoFix V6.3.23

 

Checking Java version...

 

Java version is 1.5.0.4

Old versions of java are exploitable and should be removed.

 

Scan started at 5:41:08 PM 5/21/2007

 

Listing files found while scanning....

 

No infected files were found.

 

 

Beginning removal...

 

VundoFix V6.4.1

 

Checking Java version...

 

Java version is 1.5.0.4

Old versions of java are exploitable and should be removed.

 

Scan started at 7:25:06 PM 5/21/2007

 

Listing files found while scanning....

 

C:\WINDOWS\system32\strbruir.dll

C:\WINDOWS\system32\tuvvtqq.dll

C:\WINDOWS\system32\tuvvvtu.dll

 

Beginning removal...

 

Attempting to delete C:\WINDOWS\system32\tuvvvtu.dll

C:\WINDOWS\system32\tuvvvtu.dll Has been deleted!

 

Performing Repairs to the registry.

Done!

 

VundoFix V6.4.1

 

Checking Java version...

 

Java version is 1.5.0.4

Old versions of java are exploitable and should be removed.

 

Scan started at 8:20:31 PM 5/21/2007

 

Listing files found while scanning....

 

No infected files were found.

 

 

Beginning removal...

 

VundoFix V6.4.1

 

Checking Java version...

 

Sun Java not detected

Scan started at 10:40:59 PM 5/21/2007

 

Listing files found while scanning....

 

No infected files were found.

 

 

Beginning removal...

 

VundoFix V6.4.1

 

Checking Java version...

 

Sun Java not detected

Scan started at 12:42:13 PM 5/22/2007

 

Listing files found while scanning....

 

No infected files were found.

 

 

Beginning removal...

 

VundoFix V6.4.1

 

Checking Java version...

 

Sun Java not detected

Scan started at 10:43:00 PM 5/22/2007

 

Listing files found while scanning....

 

No infected files were found.

 

 

VundoFix V6.4.1

 

Checking Java version...

 

Sun Java not detected

Scan started at 6:24:38 PM 5/25/2007

 

Listing files found while scanning....

 

No infected files were found.

 

 

VundoFix V6.4.1

 

Checking Java version...

 

Sun Java not detected

Scan started at 6:08:52 PM 5/31/2007

 

Listing files found while scanning....

 

No infected files were found.

 

 

 

==========

SDFIX

==========

Rebooting...

 

 

Normal Mode:

Checking Files:

 

No Trojan Files Found

 

 

 

 

Removing Temp Files...

 

ADS Check:

 

Checking if ADS is attached to system32 Folder

C:\WINDOWS\system32

No streams found.

 

Checking if ADS is attached to svchost.exe

C:\WINDOWS\system32\svchost.exe

No streams found.

 

 

 

Final Check:

 

Remaining Services:

------------------

 

 

 

Authorized Application Key Export:

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

 

Remaining Files:

---------------

 

 

Checking For Files with Hidden Attributes:

 

C:\Documents and Settings\Xxxx Xxxxx\NetHood\isp.com\Desktop.ini

C:\Documents and Settings\Xxxx Xxxxx\NetHood\users.isp.com\Desktop.ini

C:\WINDOWS\system32\m3.dll

C:\WINDOWS\system32\KGyGaAvL.sys

C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\2f352a821695fbd87c50ccc2b4807dbe\BIT3E.tmp

C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\5a0d771158cfd69be5ddd26d8f58c73b\BIT1E.tmp

C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\bb5c3edd4ebcf72602f3f9ef3df7c5ca\BIT16.tmp

C:\WINDOWS\system32\config\default.tmp.LOG

C:\WINDOWS\system32\config\SAM.tmp.LOG

C:\WINDOWS\system32\config\SECURITY.tmp.LOG

C:\WINDOWS\system32\config\software.tmp.LOG

C:\WINDOWS\system32\config\system.tmp.LOG

 

Finished

 

 

=========

HijackThis

=========

Logfile of HijackThis v1.99.1

Scan saved at 6:51:29 PM, on 5/31/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

D:\ProgramFiles\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\Program Files\Lexmark 4300 Series\lxcemon.exe

C:\Program Files\Lexmark 4300 Series\ezprint.exe

D:\ProgramFiles\Zone Labs\ZoneAlarm\zlclient.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\WINDOWS\system32\lxcecoms.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Xxxx Xxxxx\Desktop\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.scroogle.org/cgi-bin/scraper.htm

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\ProgramFiles\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\ISP.COM High Speed\PBHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: IE 4.x-6.x BHO for Free Downloads Accelerator - {98DE779A-2364-4293-AB71-2B97C61C4640} - C:\PROGRA~1\FREEDO~1\0.999\fdahlp.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx

O3 - Toolbar: FDA Bar - {9595C62C-76C6-49A6-9BDA-3253DD7A34FF} - C:\Program Files\Free Downloads Accelerator\0.999\fdabar.dll

O3 - Toolbar: &Quero - {A411D7F4-8D11-43EF-BDE4-AA921666388A} - d:\PROGRA~1\QUEROT~1\Quero.dll

O3 - Toolbar: ISP.COM High Speed - {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - C:\Program Files\ISP.COM High Speed\Toolband.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s

O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "D:\ProgramFiles\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"

O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"

O4 - HKLM\..\Run: [ZoneAlarm Client] "d:\ProgramFiles\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [Anti Trojan Elite] D:\ProgramFiles\Anti Trojan Elite\TJEnder.exe :NO

O4 - HKLM\..\Run: [slipStream] "C:\Program Files\ISP.COM High Speed\slipcore.exe"

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - Global Startup: ISP.COM High Speed.lnk = C:\Program Files\ISP.COM High Speed\slipgui.exe

O4 - Global Startup: Microsoft Office.lnk = D:\ProgramFiles\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Download with Free Downloads Accelerator - C:\Program Files\Free Downloads Accelerator\0.999\fdaie.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll

O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://rvi.us.ericsson.net/dana-cached/set...perSetupSP1.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: !SASWinLogon - D:\ProgramFiles\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: 3Com DMI Agent (3ComDMIService) - - (no file)

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe

O23 - Service: NuTCRACKER Service (NuTCRACKERService) - DataFocus, Inc. - C:\WINDOWS\System32\nutsrv4.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: ProgramCheckerPro (sassvc) - Unknown owner - D:\ProgramFiles\Zenturi\ProgramChecker\sassvc.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


C:\WINDOWS\system32\config\SECURITY.tmp.LOG

C:\WINDOWS\system32\config\software.tmp.LOG

C:\WINDOWS\system32\config\system.tmp.LOG

 

Finished

=========

HijackThis

=========

Logfile of HijackThis v1.99.1

Scan saved at 6:51:29 PM, on 5/31/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

D:\ProgramFiles\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\Program Files\Lexmark 4300 Series\lxcemon.exe

C:\Program Files\Lexmark 4300 Series\ezprint.exe

D:\ProgramFiles\Zone Labs\ZoneAlarm\zlclient.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\WINDOWS\system32\lxcecoms.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Xxxx Xxxxx\Desktop\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.scroogle.org/cgi-bin/scraper.htm

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\ProgramFiles\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\ISP.COM High Speed\PBHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: IE 4.x-6.x BHO for Free Downloads Accelerator - {98DE779A-2364-4293-AB71-2B97C61C4640} - C:\PROGRA~1\FREEDO~1\0.999\fdahlp.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx

O3 - Toolbar: FDA Bar - {9595C62C-76C6-49A6-9BDA-3253DD7A34FF} - C:\Program Files\Free Downloads Accelerator\0.999\fdabar.dll

O3 - Toolbar: &Quero - {A411D7F4-8D11-43EF-BDE4-AA921666388A} - d:\PROGRA~1\QUEROT~1\Quero.dll

O3 - Toolbar: ISP.COM High Speed - {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - C:\Program Files\ISP.COM High Speed\Toolband.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s

O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "D:\ProgramFiles\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"

O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"

O4 - HKLM\..\Run: [ZoneAlarm Client] "d:\ProgramFiles\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [Anti Trojan Elite] D:\ProgramFiles\Anti Trojan Elite\TJEnder.exe :NO

O4 - HKLM\..\Run: [slipStream] "C:\Program Files\ISP.COM High Speed\slipcore.exe"

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - Global Startup: ISP.COM High Speed.lnk = C:\Program Files\ISP.COM High Speed\slipgui.exe

O4 - Global Startup: Microsoft Office.lnk = D:\ProgramFiles\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Download with Free Downloads Accelerator - C:\Program Files\Free Downloads Accelerator\0.999\fdaie.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll

O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://rvi.us.ericsson.net/dana-cached/set...perSetupSP1.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: !SASWinLogon - D:\ProgramFiles\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: 3Com DMI Agent (3ComDMIService) - - (no file)

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe

O23 - Service: NuTCRACKER Service (NuTCRACKERService) - DataFocus, Inc. - C:\WINDOWS\System32\nutsrv4.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: ProgramCheckerPro (sassvc) - Unknown owner - D:\ProgramFiles\Zenturi\ProgramChecker\sassvc.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

 


Sorry,

I forgot to add the AVG anti-spyware log. It did not find anything. I am currently travelling and missed it from the group of log files I grabbed from the pc.


Welcome back

You have homework to do here.

 

Print out or save to Notepad these instructions; Safe Mode will be used and you'll have no connection to this page for viewing.

Go to the Start menu, and click on Control Panel. Choose Add/Remove Programs and remove any of the following that are listed:

 

ClickSpring

Cowabanga by OIN

ipwindows / ipwins

MediaTickets

MediaTickets by OIN

OIN

Outer Info Network

PurityScan

PurityScan by OIN

Snowball Wars by OIN

TizzleTalk

TizzleTalk by OIN

Yazzle by OIN

Yazzle ActiveX by OIN

Yazzle Cowabanga by OIN

Yazzle Kobe :filtered:! By OIN

Yazzle Picster by OIN

Yazzle Snowball Wars by OIN

Yazzle Sudoku by OIN

Zolero Translator

(Anything else with the word "OIN" or "Outer Info Network" or "Yazzle" in them)

If not listed, download and run this uninstaller:

http://www.outerinfo.com/OiUninstaller.exe

Tutorial for the uninstaller if needed

http://www.outerinfo.com/howto.html

 

I also see Paltalk is installed here. I do not recommend Paltalk since it has a questionable reputation, so I suggest you uninstall it.

A better/safer alternative is Skype

Using Windows Explorer, search for and, if found, delete these files/folders in bold

C:\Program Files\PurityScan <-folder

D:\Temp\Tools04-CD1\DVDTools

C:\WINDOWS\Temp\win1B0.tmp.exe

C:\WINDOWS\system32\tmp.reg

C:\VundoFix Backups

 

Reboot, let me know if some of these files and folders would not delete.

Open HJT and click scan only, place a check by these entries

 

O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - (no file)

O15 - Trusted Zone: www.bankofamerica.com

O15 - Trusted Zone: www.bullionvault.com

O15 - Trusted Zone: www.bulltrade.com

O15 - Trusted Zone: www.continental.com

O15 - Trusted Zone: *.continental.com

O15 - Trusted Zone: *.ericsson.net

O15 - Trusted Zone: *.esquotes.com

O15 - Trusted Zone: www.etrade.com

O15 - Trusted Zone: www.everbank.com

O15 - Trusted Zone: *.faa.gov

O15 - Trusted Zone: *.hotmail.com

O15 - Trusted Zone: *.investing-systems.com

O15 - Trusted Zone: *.irs.gov

O15 - Trusted Zone: http://www.isp.com

O15 - Trusted Zone: *.isp.com

O15 - Trusted Zone: virusscan.jotti.org

O15 - Trusted Zone: *.latindiscounters.com

O15 - Trusted Zone: *.lexmark.com

O15 - Trusted Zone: http://by122w.bay122.mail.live.com

O15 - Trusted Zone: http://onecare.live.com

O15 - Trusted Zone: *.motorola.com

O15 - Trusted Zone: www.hotmail.msn.com

O15 - Trusted Zone: *.netfaqs.com

O15 - Trusted Zone: *.northwesternmutual.com

O15 - Trusted Zone: http://*.stockcharts.com

O15 - Trusted Zone: *.stocksignalpro.com

O15 - Trusted Zone: *.symantec.com

O15 - Trusted Zone: www.t-mobile.com

O15 - Trusted Zone: *.t-mobile.com

O15 - Trusted Zone: www.techguy.org

O15 - Trusted Zone: *.thestreet.com

O15 - Trusted Zone: *.treasurydirect.gov

O15 - Trusted Zone: *.virustotal.com

O15 - Trusted Zone: www.etrade.wallst.com

 

Close all windows and browsers except HJT and click fix checked

Please download VundoFix.exe to your desktop.

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Download SDFix and save it to your Desktop.

 

Double click SDFix.exe and it will extract the files to %systemdrive%

(Drive that contains the Windows Directory, typically C:\SDFix)

 

Please then reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt

    (Report.txt will also be copied to Clipboard ready for posting back on the forum).

  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
Sometimes a bad DNS entry is cached

To get rid of it, go to Start > Run, and in the Open area type in: cmd

 

At the command prompt, copy/paste the following:

 

ipconfig /flushdns

 

Type: Exit to go out of the command prompt.

Now let's check some settings on your system.

Enter your Control Panel and double-click on Network Connections

Then right click on your Default Connection

Usually Local Area Connection for Cable and DSL

Left click on Properties

Double-Click on the Internet Protocol (TCP/IP) item

Select the radio dial that says Obtain DNS Servers Automatically

Press OK twice to get out of the properties screen and reboot if it asks.

Please download ATF Cleaner by Atribune and save it to your desktop.

Download AVG Anti-Spyware 7.5 from Here

And save that file to your desktop.

  • Once you have downloaded AVG Anti-Spyware, locate the icon on your desktop and double-click it to launch the setup program.
  • Once the setup is complete you will need to run AVG Anti-Spyware 7.5 and update its definition files.
  • On the main screen select the "Update" icon, then select the "Update Now" link.
  • Next select the "Start Update" button; the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the Scanner icon at the top of the screen, then select the Settings tab.
  • Once in the Settings screen click on "Recommended Actions" and then select "Quarantine". <--VERY IMPORTANT
  • Under "Reports":

    Select "Automatically generate report after every scan"

    Un-Select "Only if threats were found"

Please reboot your computer in Safe Mode by doing the following:

1) Restart your computer

2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.

3) Instead of Windows loading as normal, a menu should appear

4) Use the up arrow key to highlight Safe Mode and press Enter.

5) Login with your usual account. Make sure to close any open browsers.

Double-click ATF-Cleaner.exe to run the program.

  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.

    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.

    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Important.. Do not open any other windows or programs while AVG is scanning, it may interfere with the scanning process:

  • Launch AVG Anti-Spyware 7.5 by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete Scan".
  • AVG will now begin the scanning process; be patient, this may take a little time to complete.
Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system. (Make sure to remember where you have saved the file; this is important.)
  • Close AVG Anti-Spyware 7.5 and reboot your system back into Normal Mode
IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.

AVG Anti-Spyware is free for 30 days and all the extensions of the full version will be activated. After the 30 day trial, active protection extensions will be deactivated and the program will turn into a feature-limited freeware version that you can continue to use as an on-demand scanner, or you may purchase a license to use the full version.

In your reply please post

C:\vundofix.txt

SDFix Report.txt

AVG Anti-Spyware log

New HJT log

Comments on internet connection and browsing
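As an added example (not code from this thread, from the helper, or from HijackThis), the Python script below applies the same triage rules the helper used on the log above to raw HJT entry lines: it flags hooks whose target reads "(no file)" or "(file missing)", O23 services reported with an unknown owner, and O15 Trusted Zone entries. The sample log is constructed from entries quoted in this thread; the flag names and function names are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Matches the "Rn - ..." and "Onn - ..." entry lines of a HijackThis 1.99 log.
ENTRY_RE = re.compile(r"^(R\d|O\d{1,2}) - (.*)$")


@dataclass
class Entry:
    code: str                       # section code, e.g. "O2", "O15", "O23"
    body: str                       # text after "Oxx - "
    flags: list = field(default_factory=list)


def parse_hjt(text):
    """Return one Entry per Rn/Onn line; the header and process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def triage(entry):
    """Attach flags to one Entry and return it.

    The rules are limited to what the log line itself states, so every flag
    is traceable to the line; a flagged entry still needs a human decision,
    just as the helper in the thread made one entry by entry.
    """
    body = entry.body
    # A hook that points at a file HJT could not find is dead weight at best.
    if "(no file)" in body or "(file missing)" in body:
        entry.flags.append("target-file-missing")
    # O23 service lines carry a vendor field; HJT prints "Unknown owner"
    # when the binary has no recognised company name.
    if entry.code == "O23" and "Unknown owner" in body:
        entry.flags.append("service-unknown-owner")
    # IE Trusted Zone entries relax browser security for that site.
    if entry.code == "O15":
        entry.flags.append("trusted-zone")
    return entry


def triage_log(text):
    """Parse a log and return only the entries that received at least one flag."""
    return [e for e in map(triage, parse_hjt(text)) if e.flags]


def summarize(text):
    """Count flagged entries per flag name, e.g. {'trusted-zone': 2, ...}."""
    counts = Counter()
    for e in triage_log(text):
        counts.update(e.flags)
    return dict(counts)


# Constructed sample: a few lines built from entries quoted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.scroogle.org/cgi-bin/scraper.htm
O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\ProgramFiles\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O15 - Trusted Zone: www.bankofamerica.com
O15 - Trusted Zone: *.hotmail.com
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: 3Com DMI Agent (3ComDMIService) - - (no file)
O23 - Service: ProgramCheckerPro (sassvc) - Unknown owner - D:\ProgramFiles\Zenturi\ProgramChecker\sassvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(f"{e.code:<4} {', '.join(e.flags):<24} {e.body}")
    print(summarize(SAMPLE_LOG))
```

Run it against a saved HJT log by replacing SAMPLE_LOG with the file's contents; the flagged lines are the ones to review first, not an automatic fix list.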

 


Having trouble replying...I've entered a reply..then it doesn't show up on the forum when I close...

 

anyway..

 

try again..

 

None of the programs from the Add/Remove software section existed.

 

I could not find the PalTalk install. It was removed months ago.

 

I cannot get an internet connection. I can connect to the ISP. One thing I noticed that was different after these scans is that there is absolutely no network activity from the trojan anymore...it's dead.

 

I am travelling, so I missed getting the AVG anti-spyware log. It did not find anything. I grabbed the log files as I was leaving and missed this one. I could not update virus scan or anti-spyware due to no internet connection.

 

The windows firewall isn't working anymore. I get a question about asking to turn it on and when I do I get

"Windows cannot start the windows firewall internet connection sharing service (ICS)"

 

log files follow....you'll notice I've run vundo fix before...and it did find something

 

 


Welcome back

 

Sorry for all the issues you're having......

 

Your HJT log is clean.

 

 

absolutely no network activity from the trojan anymore...its dead

Thank goodness!

 

 

Two files that I didn't see VundoFix saying was deleted we need to search for

 

Use windows explorer and delete these if found

 

C:\WINDOWS\system32\strbruir.dll

C:\WINDOWS\system32\tuvvtqq.dll

 

 

I'm trying to find help for your Internet Connection

 

Start => Run => Type netsh winsock reset then click ok. Restart your computer then check windows firewall again

 

 

You cannot start the Windows Firewall service in Windows XP

No connection to the Internet is currently available

Go to Start => Run and type in:

sfc /scannow

Note the space between c and /.

Note you may be asked for your Windows XP CD if errors are found.


Double-click My Computer, and then right-click the hard disk that you want to check.

Click Properties, and then click Tools.

Under Error-checking, click Check Now.

A dialog box that shows the Check Disk options is displayed.

Check both boxes.

If one or more of the files on the hard disk are open, you will receive the following message:

The disk check could not be performed because the disk check utility needs exclusive access to some Windows files on the disk. These files can be accessed by restarting Windows. Do you want to schedule the disk check to occur the next time you restart the computer?

Click Yes to schedule the disk check, and then restart your computer to start the disk check.

Be patient; this can take up to an hour.


Let's check Device Manager

Click the Start button and click Control Panel.

Click Performance and Maintenance and click System.

Click the Hardware tab and click Device Manager.

In the Device Manager list, check for devices that are incorrectly configured.

Incorrectly configured devices are indicated by a yellow exclamation point (!) or a red X if the device has been disabled.

Double-click any device marked with an exclamation point to display the Properties window.

The Device status area in the Properties window reports the devices that need to be re-configured.

Also we need to check Event Viewer.

When in Event Viewer there are three log areas that record data:

Application log

Security log

System log

In the left pane click on Application and the window to the right will show recorded logs.

If an issue was recorded it will have a red X by that entry.

Right-click on that entry, then Properties; this should give an explanation of the event and hopefully Microsoft has a support link located at the bottom.


How to Repair or Return to Previous Internet Explorer Installation

1. Bring up Windows Task Manager (Ctrl-Alt-Delete)

2. Select the Processes tab

3. Locate explorer.exe & select End Process

4. Select the Applications tab

5. Select New Task

6. Type 'explorer' in the Create New Task box & select OK.

When you end the explorer.exe process your taskbar will likely disappear. Once you create the New Task your taskbar should be back with all missing icons.

Right-click the taskbar and select Properties > click the Taskbar tab > uncheck the Hide Inactive Icons box.

When you right-click the taskbar one option is to lock the taskbar; do you have that checked?

Disable Universal Plug and Play

Disable the SSDP Discovery Service and the Universal Plug and Play Device Host. To do this, open Administrative Tools in Control Panel, and then open Services. Select "SSDP Discovery Service", right-click it and select Properties. Change the startup type to "Disabled" and then click OK. Repeat this for the "Universal Plug and Play Device Host."

Disabling Universal Plug and Play still may not work. However, people have found that the problem was solved by changing the startup options for the two services to "Automatic", instead of disabling them.

Go to your Control Panel

Open Internet Options

On the Tools menu, click Internet Options

Click the General tab.

In the Address box, type the Web page address that you want for your home page.

Click Apply/OK

Post back and let me know if normal mode is working correctly.

Edited by Juliet


Hi Juliet,

After following the instructions, I still can't get internet access. I can connect to my ISP, but when I bring up a web browser, it can't get to the home page, or anywhere else that I type.

I cut the following from the services logs from the Event Viewer.....looks like there may be some missing files.

These errors occur in the Event Viewer at every boot up interval since the day I got the trojan. It appears the trojan was caught by downloading a codec so that videos could be managed using an mp4 player. The codec seems to work fine, but the install appears to have had some "unfriendlies". The files strbruir.dll and tuvvtqq.dll were deleted from a previous run of VundoFix. Unfortunately, I don't have that log.

The firewall service will not start on XP.

I'm at a loss on how to get the internet connection running. Because of it, I haven't been able to download updates to the spyware/anti-virus scanner.

Under System, there is a new hardware adapter I've never seen before, and it does not initialize correctly, has a big red "X" through it.... "Microsoft Tun Miniport Adapter". I've tried to uninstall it but I get an error that the system needs it in order to reboot. It looks strange.

I did go to http://go.microsoft.com/fwlink/events.asp to see if I could figure out what was going on. This is the link pointed to by the Event Viewer. Appears to be too many options. Any ideas on getting the internet connected would be appreciated. At this point I'm starting to consider re-installing the operating system. Uggh... I'm not going to say "uncle" until you think it's a good idea.

The system does seem to be running very smoothly except for the internet connection though.

regards,


===============================

The Bluetooth LAN Access Server service failed to start due to the following error:
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

=================================

The Microsoft TV/Video Connection service failed to start due to the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

==================================

The Microsoft TV/Video Connection service failed to start due to the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

====================================

The Microsoft TV/Video Connection service failed to start due to the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

===================================

The 3Com BCAITDI DMI TDI service failed to start due to the following error:
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

======================================

The DS1410D service failed to start due to the following error:
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

======================================

The 3Com DMI Agent service failed to start due to the following error:
The system cannot find the path specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

========================================

The HID Input Service service terminated with the following error:
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

=======================================

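A way to sort the Event Viewer entries pasted above, added here as an example; it is not part of the original thread, of HijackThis or of Event Viewer. The Service Control Manager writes one of a few fixed sentences (event 7000 "failed to start", 7023 "terminated", 7022 "hung on starting"), and the reason that follows separates two different situations: "cannot find the file/path" means a service or driver registration outlived its binary (the 3Com DMI agent, the Bluetooth LAN server and the HID driver here), while "disabled or no enabled devices" is normal for hardware that is not plugged in. Cross-checking the first group against the HijackThis O23 lines that end in "(no file)" picks out the registrations both sources agree are empty. The sample event text and O23 lines are constructed in the shape of the ones in the post.

```python
"""Sort the Service Control Manager errors pasted above by cause.

Added example; not part of the original thread, HijackThis or Event Viewer.
"Cannot find the file/path" means a service or driver registration outlived
its binary; "disabled / no enabled devices" is normal for absent hardware.
"""
import re
from collections import defaultdict

# Constructed sample in the layout of Event Viewer's copied event text.
SAMPLE_EVENTS = """\
Event ID: 7000
Date: 6/3/2007
Description:
The Bluetooth LAN Access Server service failed to start due to the following error:
The system cannot find the file specified.

Event ID: 7000
Description:
The Microsoft TV/Video Connection service failed to start due to the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

Event ID: 7000
Description:
The 3Com DMI Agent service failed to start due to the following error:
The system cannot find the path specified.

Event ID: 7023
Description:
The HID Input Service service terminated with the following error:
The system cannot find the file specified.

Event ID: 7022
Description:
The IPv6 Helper Service service hung on starting.
"""

# Constructed: O23 lines in the shape HijackThis prints them.
SAMPLE_HJT_O23 = """\
O23 - Service: 3Com DMI Agent (3ComDMIService) - - (no file)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\system32\\nvsvc32.exe
"""

EVENT_RE = re.compile(
    r"Event ID: (?P<id>\d+)\n"
    r"(?:.*\n)*?"                      # Date/Time/User/Computer lines, if any
    r"Description:\n"
    r"The (?P<svc>.+?) service "
    r"(?P<what>failed to start due to the following error"
    r"|terminated with the following error"
    r"|hung on starting)"
    r"[.:]?[ \t]*\n?(?P<err>[^\n]*)"   # reason sits on the next line, if any
)
O23_NOFILE_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) \([^)]*\) - .*\(no file\)\s*$", re.M)


def classify(what, err):
    """Map the SCM reason text to a triage bucket."""
    e = err.lower()
    if "cannot find the file" in e or "cannot find the path" in e:
        return "missing binary"          # registration outlived its file
    if "disabled" in e or "no enabled devices" in e:
        return "disabled or no device"   # expected for hardware not present
    if what.startswith("hung"):
        return "hung"
    return "other"


def parse_events(text):
    """One dict per SCM event found in pasted Event Viewer text."""
    events = []
    for m in EVENT_RE.finditer(text.replace("\r\n", "\n")):
        what, err = m["what"], m["err"].strip()
        events.append({"event_id": int(m["id"]), "service": m["svc"],
                       "error": err or what, "category": classify(what, err)})
    return events


def summarize(events):
    """Category -> sorted, de-duplicated service names."""
    groups = defaultdict(set)
    for ev in events:
        groups[ev["category"]].add(ev["service"])
    return {cat: sorted(names) for cat, names in groups.items()}


def hjt_no_file_services(hjt_text):
    """Display names of O23 entries whose binary HijackThis could not find."""
    return sorted(m["name"] for m in O23_NOFILE_RE.finditer(hjt_text))


def corroborated(events, hjt_text):
    """Services both the SCM and HijackThis report as having no binary."""
    missing = set(summarize(events).get("missing binary", []))
    return sorted(missing & set(hjt_no_file_services(hjt_text)))
```

Paste the whole Event Viewer selection into parse_events and the O23 block of the HijackThis log into corroborated; the "missing binary" bucket is the list of leftover service keys to remove (sc delete on XP), the "disabled or no device" bucket can be ignored unless that hardware is supposed to work.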

Welcome back

I've tried to research these error messages and I feel they point to driver issues.

From this point I have to recommend you create a thread in our User to User forum where expert members can assist you better than I can.

http://forums.pcpitstop.com/index.php?showforum=3

If you could copy and paste the last post of information with the list of events found in Event Viewer I feel it would be helpful.

Wish I could have been more assistance to you.


Hi Juliet,

I managed to get the internet working by downloading WinSockXpFix. I then ran the command you told me to run before:

netsh winsock reset

My internet worked and I downloaded AVG updates. AVG Anti-Spyware then caught two trojan entries:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:07:01 PM 6/3/2007

+ Scan result:

D:\System Volume Information\_restore{29847550-B1E3-4C54-B1FB-B696512E5488}\RP8\A0002523.exe -> Trojan.Small : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{29847550-B1E3-4C54-B1FB-B696512E5488}\RP8\A0002524.exe -> Trojan.Small : Cleaned with backup (quarantined).

::Report end


My Event Log is here...

Event Type: Error

Event Source: Service Control Manager

Event Category: None

Event ID: 7022

Date: 6/3/2007

Time: 4:11:03 PM

User: N/A

Computer: -DESKTOP

Description:

The IPv6 Helper Service service hung on starting.

 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

 

 

Event Type: Error

Event Source: Service Control Manager

Event Category: None

Event ID: 7023

Date: 6/3/2007

Time: 4:09:39 PM

User: N/A

Computer: -DESKTOP

Description:

The HID Input Service service terminated with the following error:

The system cannot find the file specified.

 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

 

 

 

Event Type: Error

Event Source: Service Control Manager

Event Category: None

Event ID: 7000

Date: 6/3/2007

Time: 4:09:39 PM

User: N/A

Computer: -DESKTOP

Description:

The 3Com DMI Agent service failed to start due to the following error:

The system cannot find the path specified.

 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

 

 

Event Type: Error

Event Source: Service Control Manager

Event Category: None

Event ID: 7000

Date: 6/3/2007

Time: 4:09:39 PM

User: N/A

Computer: -DESKTOP

Description:

The DS1410D service failed to start due to the following error:

The system cannot find the file specified.

 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

 

Event Type: Error

Event Source: Service Control Manager

Event Category: None

Event ID: 7000

Date: 6/3/2007

Time: 4:09:39 PM

User: N/A

Computer: -DESKTOP

Description:

The 3Com BCAITDI DMI TDI service failed to start due to the following error:

The system cannot find the file specified.

 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

 

Event Type: Error

Event Source: Service Control Manager

Event Category: None

Event ID: 7000

Date: 6/3/2007

Time: 4:09:39 PM

User: N/A

Computer: -DESKTOP

Description:

The VPN-1 SecureClient Adapter service failed to start due to the following error:

The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

 

Event Type: Error

Event Source: Service Control Manager

Event Category: None

Event ID: 7000

Date: 6/3/2007

Time: 4:09:39 PM

User: N/A

Computer: -DESKTOP

Description:

The Microsoft TV/Video Connection service failed to start due to the following error:

The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

 

Event Type: Error

Event Source: Service Control Manager

Event Category: None

Event ID: 7000

Date: 6/3/2007

Time: 4:09:39 PM

User: N/A

Computer: -DESKTOP

Description:

The Bluetooth LAN Access Server service failed to start due to the following error:

The system cannot find the file specified.

 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

 

==========================

I want to post an image of the Networking tab of my Task Manager. The internet activity is back. When my PC is idle, there is about 50% of the link bandwidth being used for who knows what. I can't figure out how to attach the image file (.bmp).

I don't understand what this activity is that I'm seeing, but I'm using the infected desktop to talk with you now. That's major progress I think.

If you want me to, I can still go over to the driver forum, but wanted to see if you had any other ideas I could try to identify this activity I'm seeing. I at least wanted you to see the .bmp image of my Task Manager.

Another behaviour that recurred is that at boot up, there is a 2 or 3 minute pause with the XP background before the icons appear.

Maybe I can mail you the .bmp image?


Welcome back

That's good news!...whew! That was hard work, eh?

I still want to check for something lurking around in the background first.

The errors from Event Viewer still point to driver issues; after these last scans, if all is clear, then I need you to go to the User to User forum for that.

Download the trial version of Spy Sweeper from

Here

Install it using the Standard Install option. (You will be asked for your e-mail address; it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper.)

You will be prompted to check for updated definitions; please do so.
(This may take several minutes.)

Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.
Click on Sweep and allow it to fully scan your system.
When the sweep has finished, click Remove. Click Select All and then Next.
From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.
Exit Spy Sweeper.

Download and save BlackLight to your desktop.
F-Secure BlackLight: https://europe.f-secure.com/blacklight/try.shtml
Double-click blbeta.exe, then accept the agreement.
Click Scan, then Next.
You'll see a list of all items found.
Don't choose Rename yet! I want to see the log first, because legit items can also be present there...
There should also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).
Post the contents of the log in your next reply.

In your next post I need:

SpySweeper log
fsbl log from F-Secure
New HJT log
Comments on computer performance

Edited by Juliet


Hmm...after all the scanning...the other tools can't find the trojans....

Spy Sweeper picked up 3.

BlackLight didn't pick up anything...


7:05 PM: Traces Found: 3

7:05 PM: Full Sweep has completed. Elapsed time 00:20:42

7:05 PM: File Sweep Complete, Elapsed Time: 00:17:59

7:05 PM: Warning: TCompressedFile.GetStreams(1): Stream read error

7:05 PM: Warning: TCompressedFile.GetStreams(1): Stream read error

7:05 PM: Warning: TCompressedFile.GetStreams(1): Stream read error

6:59 PM: Warning: SweepDirectories: Cannot find directory "h:". This directory was not added to the list of paths to be scanned.

6:59 PM: Warning: SweepDirectories: Cannot find directory "g:". This directory was not added to the list of paths to be scanned.

6:59 PM: Warning: SweepDirectories: Cannot find directory "f:". This directory was not added to the list of paths to be scanned.

6:53 PM: Warning: Failed to open file "c:\documents and settings\xxxx xxxxx\application data\slipstream\ieproxy.bak". The operation completed successfully

6:47 PM: Starting File Sweep

6:47 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00

6:47 PM: Starting Cookie Sweep

6:47 PM: Registry Sweep Complete, Elapsed Time:00:00:15

6:47 PM: HKU\S-1-5-21-3301898836-429115175-1203367206-1006\software\microsoft\windows\currentversion\explorer\menuorder\start menu\programs\outerinfo\ (ID = 2062989)

6:47 PM: Found Adware: purityscan

6:47 PM: HKLM\software\microsoft\uniqdata\ (ID = 1997747)

6:47 PM: Found Adware: virtumonde

6:47 PM: HKLM\software\microsoft\windows\currentversion\urls\ (ID = 605127)

6:47 PM: Found Trojan Horse: trojan-downloader-ruin

6:47 PM: Starting Registry Sweep

6:47 PM: Memory Sweep Complete, Elapsed Time: 00:02:25

6:44 PM: Starting Memory Sweep

6:44 PM: Start Full Sweep

6:44 PM: Sweep initiated using definitions version 923

6:43 PM: Your spyware definitions have been updated.

6:28 PM: There is a problem reaching the server. The cause may be in your connection, or on the server. Please try again later.

6:27 PM: Messenger service has been disabled.

Keylogger: Off

BHO Shield: On

IE Security Shield: On

Alternate Data Stream (ADS) Execution Shield: On

Startup Shield: On

Common Ad Sites: Off

Hosts File Shield: On

Internet Communication Shield: On

ActiveX Shield: On

Windows Messenger Service Shield: On

IE Favorites Shield: On

Spy Installation Shield: On

Memory Shield: Off

IE Hijack Shield: On

IE Tracking Cookies Shield: Off

6:27 PM: Shield States

6:27 PM: Spyware Definitions: 866

6:27 PM: Spy Sweeper 5.3.2.2361 started

6:27 PM: Spy Sweeper 5.3.2.2361 started

6:27 PM: | Start of Session, Monday, June 04, 2007 |

***************

 

 

HIJACKTHIS

Logfile of HijackThis v1.99.1
Scan saved at 7:26:56 PM, on 6/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\WINDOWS\System32\dllhost.exe

C:\WINDOWS\System32\snmp.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe

d:\ProgramFiles\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

D:\ProgramFiles\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\Program Files\Lexmark 4300 Series\lxcemon.exe

C:\WINDOWS\system32\lxcecoms.exe

C:\Program Files\Lexmark 4300 Series\ezprint.exe

D:\ProgramFiles\Zone Labs\ZoneAlarm\zlclient.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\ISP.COM High Speed\slipcore.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\ISP.COM High Speed\slipgui.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Documents and Settings\xxxx xxxxx\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.isp.com/members/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.scroogle.org/cgi-bin/scraper.htm

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\ProgramFiles\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\ISP.COM High Speed\PBHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: IE 4.x-6.x BHO for Free Downloads Accelerator - {98DE779A-2364-4293-AB71-2B97C61C4640} - C:\PROGRA~1\FREEDO~1\0.999\fdahlp.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx

O3 - Toolbar: FDA Bar - {9595C62C-76C6-49A6-9BDA-3253DD7A34FF} - C:\Program Files\Free Downloads Accelerator\0.999\fdabar.dll

O3 - Toolbar: &Quero - {A411D7F4-8D11-43EF-BDE4-AA921666388A} - d:\PROGRA~1\QUEROT~1\Quero.dll

O3 - Toolbar: ISP.COM High Speed - {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - C:\Program Files\ISP.COM High Speed\Toolband.dll

O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"

O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s

O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "D:\ProgramFiles\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"

O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"

O4 - HKLM\..\Run: [ZoneAlarm Client] "d:\ProgramFiles\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [Anti Trojan Elite] D:\ProgramFiles\Anti Trojan Elite\TJEnder.exe :NO

O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [slipStream] "C:\Program Files\ISP.COM High Speed\slipcore.exe"

O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: ISP.COM High Speed.lnk = C:\Program Files\ISP.COM High Speed\slipgui.exe

O4 - Global Startup: Microsoft Office.lnk = D:\ProgramFiles\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Download with Free Downloads Accelerator - C:\Program Files\Free Downloads Accelerator\0.999\fdaie.htm

O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\ISP.COM High Speed\gui_resource.dll/327

O8 - Extra context menu item: Show Original Image - res://C:\Program Files\ISP.COM High Speed\gui_resource.dll/328

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [INTERNATIONAL] International*

O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll

O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll

O15 - Trusted Zone: http://forums.pcpitstop.com

O15 - Trusted Zone: http://www.thestreet.com

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://rvi.us.ericsson.net/dana-cached/set...perSetupSP1.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{E22BE2EE-E9C3-45C1-8359-5246381A93E1}: NameServer = 209.210.176.8 209.210.176.9

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: !SASWinLogon - D:\ProgramFiles\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll

O23 - Service: 3Com DMI Agent (3ComDMIService) - - (no file)

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe

O23 - Service: NuTCRACKER Service (NuTCRACKERService) - DataFocus, Inc. - C:\WINDOWS\System32\nutsrv4.exe

O23 - Service: ProgramCheckerPro (sassvc) - Unknown owner - D:\ProgramFiles\Zenturi\ProgramChecker\sassvc.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - d:\ProgramFiles\Webroot\Spy Sweeper\SpySweeper.exe

 

Uggh...can't seem to get these bad guys off the desktop...

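The entries in the log above that decide where this browser's traffic is steered can be pulled out mechanically. The script below is an added example, not part of the original thread or of HijackThis; the sample lines are copied from the log in the post. It flags the R1 ProxyServer entry pointing at 127.0.0.1:5400 as a loopback proxy. That is consistent with the ISP.COM High Speed accelerator (slipcore.exe) that also appears in the log, which is how dial-up accelerators work, but it is the same mechanism a traffic-intercepting trojan uses, so the check is to confirm which process owns that port. It also lists the per-interface DNS servers (O17), the Trusted Zone sites (O15), the ActiveX downloads (O16), the protocol handler whose DLL is missing (O18) and the Winlogon Notify DLLs (O20); the notes attached to each finding are what to verify, not a verdict.

```python
"""Flag the HijackThis items above that decide where a browser's traffic
goes: proxy, per-interface DNS, Trusted Zone sites, ActiveX (DPF)
downloads, dangling protocol handlers and Winlogon notification DLLs.

Added example; not part of the original thread or of HijackThis. The
sample lines are taken from the log in the post.
"""
import ipaddress
import re
from dataclasses import dataclass

SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O15 - Trusted Zone: http://forums.pcpitstop.com
O15 - Trusted Zone: http://www.thestreet.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E22BE2EE-E9C3-45C1-8359-5246381A93E1}: NameServer = 209.210.176.8 209.210.176.9
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: !SASWinLogon - D:\ProgramFiles\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
""".strip()


@dataclass(frozen=True)
class Finding:
    item: str    # HijackThis section, e.g. "R1" or "O17"
    detail: str  # the value pulled from the line
    note: str    # what to verify


PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (?P<value>.+)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<url>\S+)")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>[^)]*)\) - (?P<url>\S+)")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
O18_RE = re.compile(r"^O18 - Protocol: (?P<scheme>\S+) - \{[^}]+\} - (?P<rest>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<dll>.+)$")


def parse_proxy(value):
    """'http=127.0.0.1:5400;https=host:8080' or bare 'host:port' -> (scheme, host, port)."""
    out = []
    for part in filter(None, (p.strip() for p in value.split(";"))):
        scheme, _, hostport = part.rpartition("=")
        host, _, port = hostport.rpartition(":")
        out.append((scheme or "all", host, port))
    return out


def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def triage(log_text):
    """One Finding per traffic-steering item; everything else is ignored."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := PROXY_RE.match(line):
            for scheme, host, port in parse_proxy(m["value"]):
                where = "loopback" if is_loopback(host) else "remote"
                findings.append(Finding("R1", f"{scheme} proxy {host}:{port}",
                    f"{where} proxy: every request passes through it; "
                    "identify the process listening there (netstat -ano) and its publisher"))
        elif m := O15_RE.match(line):
            findings.append(Finding("O15", m["url"],
                "Trusted Zone relaxes ActiveX/scripting limits; remove any site you did not add"))
        elif m := O16_RE.match(line):
            findings.append(Finding("O16", f"{m['name']} {m['clsid']}",
                f"ActiveX installed from {m['url']}; keep only if you recognise the publisher"))
        elif m := O17_RE.match(line):
            servers = m["servers"].split()
            public = [s for s in servers if not ipaddress.ip_address(s).is_private]
            findings.append(Finding("O17", " ".join(servers),
                f"{len(public)} public resolver(s) set on the interface; confirm they are the ISP's"))
        elif m := O18_RE.match(line):
            state = "file missing" if "(file missing)" in m["rest"] else "present"
            findings.append(Finding("O18", f"{m['scheme']}: handler {state}",
                "protocol handler; a missing DLL is a leftover registration to remove"))
        elif m := O20_RE.match(line):
            findings.append(Finding("O20", f"{m['key']} -> {m['dll']}",
                "DLL loaded by winlogon.exe as SYSTEM at logon; know who publishes it"))
    return findings
```

Feed the whole log to triage and read the notes against what you know is installed: here the two Winlogon Notify DLLs belong to SUPERAntiSpyware and Webroot, which the log also shows, and the Trusted Zone entries are sites the owner added, so the items to act on are the loopback proxy (confirm its owner) and the msnim handler with no DLL behind it.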

Juliet,

Since the Spy Sweeper scan, ...there hasn't been any internet activity from the trojan. But Spy Sweeper said that it wouldn't quarantine without a subscription.

I've been watching it for some time now...


Uggh...can't seem to get these bad guys off the desktop...

Tell me what is on the desktop?

Delete the version of ComboFix you have now, and the folder C:\qoobox

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads please post the text that will open (report.txt) and a new HijackThis log.

Download ComboFix from Here or Here to your Desktop.

  • Double-click combofix.exe and follow the prompts.
  • When finished, it will produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Download http://www.mvps.org/winhelp2002/DelDomains.inf and place it on the desktop.
Right-click the file and select Install; that will reset the zone settings that have been altered.

And also

* Download: ResetProtocolDefaults.reg
http://www.mvps.org/winhelp2002/ResetProtocolDefaults.reg

Locate "ResetProtocolDefaults.reg"
Right-click and select: Merge (OK the prompt)

Post the logs from
FixWareOut
New ComboFix log
New HJT log
And I hope good comments about the computer.


My ...The browser hasn't run this fast in months...web page transitions are IMMEDIATE.

The only pause is at boot up..but I think that is due to driver corruption. The system has trouble starting drivers due to missing/corrupted files..

I can't believe it.. Surfing on this machine has had its response restricted for months now...

There isn't any trojan activity.

Are you married?...

Here are my logs


Fixwareout Last edited 5/15/2007

Post this report in the forums please

...

»»»»»Prerun check

 

»»»»»

 

»»»»» Postrun check

HKLM\SOFTWARE\~\Winlogon\ "System"=""

....

....

»»»»» Misc files.

....

»»»»» Checking for older varients.

....

 

Search five digit cs, dm, kd, jb, other, files.

The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.

 

 

Click browse, find the file then click submit.

http://www.virustotal.com/flash/index_en.html

Or http://virusscan.jotti.org/

 

»»»»» Other

 

»»»»» Current runs

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]

"SoundMAXPnP"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe\""

"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe\" /tray"

"FaxCenterServer"="\"C:\\Program Files\\Lexmark Fax Solutions\\fm3032.exe\" /s"

"Acrobat Assistant 7.0"="\"D:\\ProgramFiles\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""

"lxcemon.exe"="\"C:\\Program Files\\Lexmark 4300 Series\\lxcemon.exe\""

"EzPrint"="\"C:\\Program Files\\Lexmark 4300 Series\\ezprint.exe\""

"ZoneAlarm Client"="\"d:\\ProgramFiles\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

"Anti Trojan Elite"="D:\\ProgramFiles\\Anti Trojan Elite\\TJEnder.exe :NO"

"AVG7_CC"="\"C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe\" /STARTUP"

"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

"SlipStream"="\"C:\\Program Files\\ISP.COM High Speed\\slipcore.exe\""

"LXCECATS"="rundll32 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\LXCEtime.dll,_RunDLLEntry@16"

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

....

Hosts file was reset, If you use a custom hosts file please replace it

»»»»» End report »»»»»

 

 

 

 

"xxxx xxxxx" - 2007-06-04 20:43:42 Service Pack 2 NTFS

ComboFix 07-06-3 - Running from: "C:\Documents and Settings\xxxx xxxxx\Desktop\"

 

 

((((((((((((((((((((((((( Files Created from 2007-05-05 to 2007-06-05 )))))))))))))))))))))))))))))))

 

 

2007-06-04 20:39 7,561 --a------ C:\dnsbak.reg

2007-06-04 18:23 22,080 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys

2007-06-04 18:23 21,056 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys

2007-06-04 18:23 20,544 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys

2007-06-04 18:23 144,960 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys

2007-06-04 18:23 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Webroot

2007-06-04 18:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot

2007-06-04 18:21 <DIR> d-------- C:\DOCUME~1\xxxxBY~1\APPLIC~1\Webroot

2007-06-03 17:11 <DIR> d-------- C:\DOCUME~1\xxxxBY~1\APPLIC~1\AdobeUM

2007-06-03 01:14 <DIR> d-------- C:\VundoFix Backups

2007-06-02 14:50 <DIR> d-------- C:\Program Files\ISP.COM Internet Services

2007-05-31 18:36 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys

2007-05-30 18:05 <DIR> d-------- C:\ScanUtils5_22

2007-05-29 20:07 86,016 --a------ C:\WINDOWS\system32\sliprt.dll

2007-05-29 20:07 <DIR> d-------- C:\Program Files\ISP.COM High Speed

2007-05-29 20:01 <DIR> d-------- C:\Program Files\LookInMyPC

2007-05-22 17:04 <DIR> d-------- C:\DOCUME~1\xxxxBY~1\APPLIC~1\SUPERAntiSpyware.com

2007-05-22 17:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com

2007-05-22 14:56 49,152 --a------ C:\WINDOWS\nircmd.exe

2007-05-22 00:07 75,512 --a------ C:\WINDOWS\zllsputility.exe

2007-05-22 00:07 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat

2007-05-22 00:07 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll

2007-05-22 00:07 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs

2007-05-21 20:07 <DIR> d-------- C:\!KillBox

2007-05-21 18:57 <DIR> d-------- C:\DOCUME~1\xxxxBY~1\APPLIC~1\Lavasoft

2007-05-21 18:36 <DIR> d-------- C:\DOCUME~1\xxxxBY~1\DoctorWeb

2007-05-21 00:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Prevx

2007-05-21 00:03 77,312 --a------ C:\WINDOWS\ua2.dll

2007-05-20 21:46 19,456 --a------ C:\WINDOWS\system32\Partizan.exe

2007-05-20 21:34 25,773 --a------ C:\WINDOWS\system32\drivers\regguard.sys

2007-05-20 21:34 (2) -rahs-ot- C:\WINDOWS\winstart.bat

2007-05-20 21:30 <DIR> d-------- C:\Program Files\Greatis

2007-05-20 13:39 <DIR> d-------- C:\Program Files\Common Files\àdobe

2007-05-17 18:53 10,344 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys

2007-05-16 19:31 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Help

2007-05-16 19:23 10,485,760 --a------ C:\DOCUME~1\xxxxBY~1\ntuser.dat

2007-05-13 21:15 <DIR> d-------- C:\DOCUME~1\xxxxBY~1\APPLIC~1\Thunderbird

2007-05-13 12:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-06-05 00:02:00 -------- d-----w C:\DOCUME~1\xxxxBY~1\APPLIC~1\SlipStream

2007-06-03 23:03:47 -------- d-----w C:\Program Files\Lx_cats

2007-05-30 22:35:40 -------- d-----w C:\DOCUME~1\xxxxBY~1\APPLIC~1\Symantec

2007-05-30 22:33:57 -------- d-----w C:\Program Files\Common Files\Symantec Shared

2007-05-22 21:03:57 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2007-05-21 01:25:19 -------- d-----w C:\Program Files\Common Files\?dobe

2007-05-16 23:31:14 -------- d-----w C:\DOCUME~1\xxxxBY~1\APPLIC~1\FaxCtr

2007-05-16 23:31:07 -------- d-----w C:\Program Files\NCH Swift Sound

2007-05-13 15:47:01 1 ---ha-w C:\WINDOWS\system32\m3.dll

2007-05-08 00:56:08 -------- d-----w C:\DOCUME~1\xxxxBY~1\APPLIC~1\VideoReDoPlus

2007-04-26 23:31:14 -------- d-----w C:\Program Files\Lexmark Fax Solutions

2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll

2007-04-11 22:03:56 -------- d-----w C:\DOCUME~1\xxxxBY~1\APPLIC~1\Juniper Networks

2007-04-11 22:03:19 -------- d-----w C:\Program Files\Neoteris

2007-04-01 20:15:24 10,022 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys

2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll

2007-03-15 00:20:48 87,608 ----a-w C:\DOCUME~1\xxxxBY~1\APPLIC~1\ezpinst.exe

2007-03-15 00:20:48 47,360 ----a-w C:\DOCUME~1\xxxxBY~1\APPLIC~1\pcouffin.sys

2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll

2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll

2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll

2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=D:\ProgramFiles\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 02:56]

{4115122B-85FF-4DD3-9515-F075BEDE5EB5}=C:\Program Files\ISP.COM High Speed\PBHelper.dll [2006-11-30 13:51]

{53707962-6F74-2D53-2644-206D7942484F}=D:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]

{5CA3D70E-1895-11CF-8E15-001234567890}=C:\WINDOWS\system32\dla\tfswshx.dll [2003-02-07 01:03]

{98DE779A-2364-4293-AB71-2B97C61C4640}=C:\PROGRA~1\FREEDO~1\0.999\fdahlp.dll [2003-08-29 09:37]

{AE7CD045-E861-484f-8273-0445EE161910}=D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004-12-14 03:13]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 20:28]

"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2003-05-30 13:42]

"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2005-07-12 05:36]

"Acrobat Assistant 7.0"="D:\ProgramFiles\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 03:12]

"lxcemon.exe"="C:\Program Files\Lexmark 4300 Series\lxcemon.exe" [2005-08-02 13:45]

"EzPrint"="C:\Program Files\Lexmark 4300 Series\ezprint.exe" [2005-07-26 08:17]

"ZoneAlarm Client"="d:\ProgramFiles\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 01:02]

"Anti Trojan Elite"="D:\ProgramFiles\Anti Trojan Elite\TJEnder.exe" []

"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-05-30 18:39]

"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2006-10-07 08:20]

"SlipStream"="C:\Program Files\ISP.COM High Speed\slipcore.exe" [2006-11-30 13:51]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]

"RunNarrator"=Narrator.exe

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{24A42960-A7F8-11CF-8121-0020AFB5213D}"="d:\PROGRA~1\MKSTOO~1\XVision\SYSTEM\zonehook.dll" [1999-01-13 20:39]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="D:\ProgramFiles\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 10:13]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

D:\ProgramFiles\SUPERAntiSpyware\SASWINLO.dll

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]

path=c:\Documents and Settings\All Users\Start Menu\Programs\Quicken\Billminder.lnk

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^palstart.exe]

backup=C:\WINDOWS\pss\palstart.exeCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]

backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]

backup=C:\WINDOWS\pss\Quicken Startup.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Vision Services.lnk]

backup=C:\WINDOWS\pss\Vision Services.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ZoneAlarm.lnk]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]

C:\Program Files\dvd43\dvd43_tray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NuTCSetupEnviron]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"wuauserv"=2 (0x2)

"LmHosts"=2 (0x2)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc

 

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

 

 

Contents of the 'Scheduled Tasks' folder

2007-06-04 22:23:00 C:\WINDOWS\tasks\wrSpySweeperTrialSweep.job

 

**************************************************************************

 

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-06-04 20:44:52

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

AppInit_DLLs = ????????????

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Completion time: 2007-06-04 20:45:25

C:\ComboFix-quarantined-files.txt ... 2007-05-30 19:07

C:\ComboFix2.txt ... 2007-05-30 19:08

C:\ComboFix3.txt ... 2007-05-22 19:14

 

--- E O F ---

 

 

Logfile of HijackThis v1.99.1

Scan saved at 8:50:10 PM, on 6/4/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16441)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\WINDOWS\System32\dllhost.exe

C:\WINDOWS\System32\snmp.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe

d:\ProgramFiles\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

D:\ProgramFiles\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\Program Files\Lexmark 4300 Series\lxcemon.exe

C:\Program Files\Lexmark 4300 Series\ezprint.exe

D:\ProgramFiles\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINDOWS\system32\lxcecoms.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\ISP.COM High Speed\slipcore.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\ISP.COM High Speed\slipgui.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\xxxx xxxxx\Desktop\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.scroogle.org/cgi-bin/scraper.htm

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\ProgramFiles\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\ISP.COM High Speed\PBHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: IE 4.x-6.x BHO for Free Downloads Accelerator - {98DE779A-2364-4293-AB71-2B97C61C4640} - C:\PROGRA~1\FREEDO~1\0.999\fdahlp.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx

O3 - Toolbar: FDA Bar - {9595C62C-76C6-49A6-9BDA-3253DD7A34FF} - C:\Program Files\Free Downloads Accelerator\0.999\fdabar.dll

O3 - Toolbar: &Quero - {A411D7F4-8D11-43EF-BDE4-AA921666388A} - d:\PROGRA~1\QUEROT~1\Quero.dll

O3 - Toolbar: ISP.COM High Speed - {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - C:\Program Files\ISP.COM High Speed\Toolband.dll

O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"

O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s

O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "D:\ProgramFiles\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"

O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"

O4 - HKLM\..\Run: [ZoneAlarm Client] "d:\ProgramFiles\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [Anti Trojan Elite] D:\ProgramFiles\Anti Trojan Elite\TJEnder.exe :NO

O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\ISP.COM High Speed\slipcore.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: ISP.COM High Speed.lnk = C:\Program Files\ISP.COM High Speed\slipgui.exe

O4 - Global Startup: Microsoft Office.lnk = D:\ProgramFiles\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Download with Free Downloads Accelerator - C:\Program Files\Free Downloads Accelerator\0.999\fdaie.htm

O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\ISP.COM High Speed\gui_resource.dll/327

O8 - Extra context menu item: Show Original Image - res://C:\Program Files\ISP.COM High Speed\gui_resource.dll/328

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [INTERNATIONAL] International*

O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll

O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll

O15 - Trusted Zone: http://forums.pcpitstop.com

O15 - Trusted Zone: http://www.thestreet.com

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://rvi.us.ericsson.net/dana-cached/set...perSetupSP1.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{E22BE2EE-E9C3-45C1-8359-5246381A93E1}: NameServer = 209.210.176.8 209.210.176.9

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: !SASWinLogon - D:\ProgramFiles\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll

O23 - Service: 3Com DMI Agent (3ComDMIService) - - (no file)

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe

O23 - Service: NuTCRACKER Service (NuTCRACKERService) - DataFocus, Inc. - C:\WINDOWS\System32\nutsrv4.exe

O23 - Service: ProgramCheckerPro (sassvc) - Unknown owner - D:\ProgramFiles\Zenturi\ProgramChecker\sassvc.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - d:\ProgramFiles\Webroot\Spy Sweeper\SpySweeper.exe

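The HijackThis log above is read by eye in this thread. As an added example, not part of the original post and not a feature of HijackThis, ComboFix or any other tool named here, the Python script below applies the same reading rules the helper uses on this log: O2 and O23 entries that end in "(no file)" are orphaned registrations, O20 Winlogon Notify DLLs load in every logon session and deserve a vendor check, the O17 NameServer values should be confirmed against the ISP, and the R1 ProxyServer line points at a localhost proxy that can be a legitimate web accelerator (one is installed on this machine) or a hijack. The sample lines are copied from the log above; the rules, the Finding class and the function names are the example's own.

```python
import re
from dataclasses import dataclass

# Sample input: lines copied verbatim from the HijackThis log posted above.
# Raw string so the Windows backslashes survive untouched.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\ProgramFiles\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O4 - HKLM\..\Run: [ZoneAlarm Client] "d:\ProgramFiles\Zone Labs\ZoneAlarm\zlclient.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{E22BE2EE-E9C3-45C1-8359-5246381A93E1}: NameServer = 209.210.176.8 209.210.176.9
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: 3Com DMI Agent (3ComDMIService) - - (no file)
"""

# Every HijackThis entry starts with a section tag (R0, O2, O17, ...) and " - ".
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")

# Triage rules (example's own, mirroring how the helper reads the log):
# (section, pattern on the body, why it is worth a look).
RULES = (
    ("O2",  re.compile(r"\(no file\)$"),     "BHO registered but its DLL is gone (orphaned entry)"),
    ("O23", re.compile(r"\(no file\)$"),     "service registered but its binary is gone (orphaned entry)"),
    ("O20", re.compile(r"Winlogon Notify:"), "DLL loaded by winlogon at every logon; confirm vendor and path"),
    ("O17", re.compile(r"NameServer = "),    "per-adapter DNS servers; confirm they belong to the ISP"),
    ("R1",  re.compile(r"ProxyServer = "),   "browser proxy set; localhost proxy may be an accelerator or a hijack"),
)


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse(log_text):
    """Yield (section, body, raw_line) for each HijackThis entry line; skip the rest."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("section"), m.group("body"), raw.strip()


def triage(log_text):
    """Return the entries that match a rule, in log order."""
    findings = []
    for section, body, raw in parse(log_text):
        for rule_section, pattern, reason in RULES:
            if section == rule_section and pattern.search(body):
                findings.append(Finding(section, reason, raw))
    return findings


def nameservers(log_text):
    """Collect the DNS servers from every O17 line so they can be checked against the ISP."""
    servers = []
    for section, body, _ in parse(log_text):
        if section == "O17":
            _, _, value = body.partition("NameServer = ")
            servers.extend(value.split())
    return servers


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
    print("DNS servers to verify with the ISP:", nameservers(SAMPLE_LOG))
```

On the sample above the script flags five of the seven lines and leaves the Acrobat BHO and the ZoneAlarm Run entry alone, which is the same split the helper makes in the reply that follows. A rule match is a prompt to verify, not a verdict: the WRNotifier DLL, for example, belongs to the Spy Sweeper service listed elsewhere in the same log.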

Welcome back

 

The only pause is at boot up..but I think that is due to driver corruption. The system has trouble starting drivers due to missing/corrupted files..

I think so too.

I can't believe it.. Surfing on this machine has had its response restricted for months now...

There isn't any trojan activity.

yeehawwww!

Are you married?

gulp!..no

 

Would ya jump up-n-down if I told you you're clean and about done?

 

Open HJT and click scan only, place a check by these entries

 

O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)

The following are not necessarily spyware/malware, but we suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

 

O4 - Global Startup: Microsoft Office.lnk = D:\ProgramFiles\Microsoft Office\Office\OSA9.EXE

(Description: Microsoft Office Startup Assistant. This program loads some Microsoft Office components into memory, even if you're not currently using MS Office. Removing this unnecessary program will free up a considerable amount of system resources. )

 

Close all windows and browsers except HJT and click fix checked

 

If you have trouble finding any of those files/folders, then configure Windows Explorer to show hidden files and folders and go after them again. (Remember to hide files and folders once done.)

 

To enable viewing of hidden files as follows:

1) Go to My Computer, and click on the "Tools" menu

2) Click "Folder options"

3) Select the "View" tab

4) Make sure "Show hidden files and folders" is selected

5) Make sure "Hide extensions for known file types" is unchecked

6) Make sure "Hide protected operating system files (recommended)" is unchecked.

 

 

You can delete the tools I had you download earlier.

 

Using windows explorer search for and delete these files/folder in bold

C:\VundoFix Backups

C:\Program Files\Common Files\?dobe <--this file may look like an A or a-- created on 2007-05-21 01:25:19 Check Properties

 

 

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

 

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

 

(Windows XP)

 

1. Turn off System Restore.

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

Check Turn off System Restore.

Click Apply, and then click OK.

 

2. Reboot.

 

3. Turn ON System Restore.

 

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

UN-Check *Turn off System Restore*.

Click Apply, and then click OK

 

 

For the issues with your driver, copy and paste those logs from event viewer and post in our User to User forum. Many expert members can assist you there.

 

If there are no more issues you're good to go.

 

 

Below I have included a number of recommendations to protect your computer in order to prevent future malware infections.

 

Please navigate to Microsoft Windows Updates and download all the "Critical Updates" for Windows.

 

 

Install and Update SpywareBlaster. It protects against bad ActiveX, browser hijackers, and dialers, which are some of the fastest-growing threats on the Internet today.

Tutorial

 

IE-SPYAD puts over 5000 sites in your restricted zone so you will be protected when you visit innocent-looking sites that aren't actually innocent at all.

Tutorial

 

Install and Update Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would an antivirus software.

Tutorial

Run on a regular basis

 

Install and Update Ad-Aware SE Personal

You should also scan your computer with this program on a regular basis just as you would an antivirus software in conjunction with Spybot.

Tutorial

Run on a regular basis

 

SUPERAntiSpyware

This is another excellent FREE scanner to look for nasties that might be lurking in your system.

SUPERAntiSpyware and AVG Anti-Spyware complement each other very well. Quick Guide: How to use!

 

Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released.

And run them regularly, as this can prevent a great deal of spyware hassle.

 

Please take the time to read this article with suggestions and information on 'Safe Computing Practices.'

So how did I get infected in the first place.

Another valuable article to read: Dealing with Unwanted Spyware and Parasites

 

Read through the information found here, to help you prevent any possible future infections.

How to prevent Malware' by miekiemoes:

http://users.telenet.be/bluepatchy/miekiem...prevention.html

 

And if you want to improve speed/system performance after malware removal, take a look

http://users.telenet.be/bluepatchy/miekiem...owcomputer.html

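The folder the helper asks the poster to check by hand, the one ComboFix printed as "àdobe" in one section and "?dobe" in another, is a look-alike of the real Adobe folder next to it, and the only tell is a character the eye reads as an "a". As an added example, not code from the original post or from any tool named in the thread, the Python script below does that comparison mechanically: it strips diacritics and case so an accented name compares equal to its ASCII twin, and it names any non-ASCII character in a folder name so a look-alike built from another script (a Cyrillic A, say, which no diacritic stripping would catch) is still reported. The listing it runs on is constructed: "Adobe", "Symantec Shared" and "Wise Installation Wizard" are folders the ComboFix log shows under Common Files, "àdobe" is the suspicious one from the same log, and the Cyrillic-A variant is added to show the second check.

```python
import os
import unicodedata

# Constructed directory listing for C:\Program Files\Common Files on a box like
# the one in this thread. "\u00e0dobe" (àdobe) is the folder ComboFix reported;
# "\u0410dobe" (Cyrillic capital A + "dobe") is added for the example only.
SAMPLE_LISTING = [
    "Adobe",
    "\u00e0dobe",
    "Symantec Shared",
    "Wise Installation Wizard",
    "\u0410dobe",
]


def fold(name):
    """Strip diacritics and case so 'àdobe' compares equal to 'adobe'."""
    decomposed = unicodedata.normalize("NFKD", name)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch)).casefold()


def non_ascii_chars(name):
    """List every non-ASCII character in the name with its Unicode name."""
    return [(ch, unicodedata.name(ch, "UNKNOWN")) for ch in name if ord(ch) > 0x7F]


def find_lookalikes(names):
    """Report non-ASCII folder names and the ASCII sibling each one resembles, if any."""
    ascii_by_fold = {fold(n): n for n in names if n.isascii()}
    findings = []
    for name in names:
        if name.isascii():
            continue  # plain ASCII names are not look-alikes by this check
        findings.append({
            "name": name,
            "resembles": ascii_by_fold.get(fold(name)),  # None if no ASCII twin
            "non_ascii": non_ascii_chars(name),
        })
    return findings


def scan_directory(path):
    """Run the same check over the sub-folders of a real directory."""
    with os.scandir(path) as entries:
        return find_lookalikes([e.name for e in entries if e.is_dir()])


if __name__ == "__main__":
    for f in find_lookalikes(SAMPLE_LISTING):
        twin = f["resembles"] or "no ASCII twin found"
        chars = ", ".join(f"{ch!r} = {label}" for ch, label in f["non_ascii"])
        print(f"{f['name']!r}: resembles {twin}; non-ASCII: {chars}")
```

On the constructed listing the first finding is "àdobe", reported as resembling "Adobe" because of LATIN SMALL LETTER A WITH GRAVE; the second is the Cyrillic variant, which has no diacritic to strip and so is reported only through its non-ASCII character. A folder whose only difference from a vendor folder is one such character is worth the Properties check the helper asks for, because its creation date, size and contents, not its name, are what show whether it is the genuine install.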

Hi Juliet,

was just kidding....

 

OK..cleared system restore...

 

for grins, I ran spysweeper again...

I still get

 

Trojan Horse found: trojan-downloader-ruin

Adware found: virtumonde

Adware found: purityscan

 

But I don't see ANY activity like I did before.

I'm wondering if spysweeper is just displaying an

old log just to get me to purchase the thing.


welcome back

was just kidding....

well burst my bubble!

for grins, I ran spysweeper again...But I don't see ANY activity like I did before.

I'm wondering if spysweeper is just displaying an old log just to get me to purchase the thing.

We ran the tools for what it said it found and it was clean, so to me it means it picked up on orphaned entries.

You should be able to scan with Spybot or Ad-Aware to clean those out.

 

Or if you like being around me we can run another scan?...using a different tool.

 

Let's do it anyways...This tool has a high success rate.

 

 

Download Dr.Web CureIt to the desktop:

ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Next, please reboot your computer in Safe Mode by doing the following:

1) Restart your computer

2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.

3) Instead of Windows loading as normal, a menu should appear

4) Select the first option, to run Windows in Safe Mode.

 

For additional help in booting into Safe Mode, see the following site:

http://www.pchell.com/support/safemode.shtml

  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the next icon next to the files found (screenshot not reproduced here).
  • If so, click it and then click the next icon right below and select Move incurable (screenshot not reproduced here).

    This will move it to the %userprofile%\DoctorWeb quarantine folder if it can't be cured. (This is in case we need samples.)

  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.
Post the DrWeb log in your next reply
