tman70

Paypal Problem (resolved)


My son has a Compaq Presario SR1012NX running Windows XP Home.

He cannot open PayPal. No links work. The only thing that works is the logon link, and it tells him he has to resend all his information. Thankfully he knew better. If we use https and click a link, it takes us back to the scam page.

Have run Trend Micro online scan, Ad-Aware, Spybot and Avast, all updated, and found nothing.

Is there anything in the HijackThis log?

Logfile of HijackThis v1.99.1

Scan saved at 7:40:50 AM, on 7/11/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\StartupMonitor.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trafficswarm.com/cgi-bin/swarm....02de7a766c9c63d

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: TBSB06220 - {A519CE41-E431-407D-8A79-B8FA3FBEBD0A} - C:\PROGRA~1\HITS2U~1\HITS2U~1.DLL

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll

O3 - Toolbar: ToolbarBrand - {BFB5F154-9212-46F3-B547-AC6106030A54} - C:\Program Files\Hits2uToolbar\Hits2uToolbar.dll

O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - Startup: PowerReg Scheduler V3.exe

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{144F6782-9984-4E25-9848-BC7F1AA97616}: NameServer = 72.21.36.74

O17 - HKLM\System\CCS\Services\Tcpip\..\{15CCB216-4184-4A68-B1CD-FCF69BC4CCAE}: NameServer = 72.21.36.74

O17 - HKLM\System\CCS\Services\Tcpip\..\{3C6FC0D7-5F21-4ACB-8D12-623FC013CF14}: NameServer = 72.21.36.74

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: eitheror - {2016a466-91a2-43c6-97d8-2fd380f065ef} - (no file)

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


tman70,

There's not much jumping out at me in your log, except for maybe some leftovers, but let's run some things and see if anything comes up.

Please download SmitfraudFix (by S!Ri)

Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd

Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).

Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

http://www.beyondlogic.org/consulting/proc...processutil.htm

Thanks,

sari


Hello Sari,

Here is the file.

SmitFraudFix v2.203

Scan done at 18:10:35.70, Thu 07/12/2007

Run from C:\Documents and Settings\Owner\Desktop\smitfraudfix\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\StartupMonitor.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\a-squared Free\a2service.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]

"Source"="About:Home"

"SubscribedURL"="About:Home"

"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler

!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs

!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: NVIDIA nForce MCP Networking Controller - Packet Scheduler Miniport

DNS Server Search Order: 72.21.36.74

Description: Linksys LNE100TX Fast Ethernet Adapter(LNE100TX v4) - Packet Scheduler Miniport

DNS Server Search Order: 72.21.36.74

HKLM\SYSTEM\CCS\Services\Tcpip\..\{144F6782-9984-4E25-9848-BC7F1AA97616}: NameServer=72.21.36.74

HKLM\SYSTEM\CCS\Services\Tcpip\..\{15CCB216-4184-4A68-B1CD-FCF69BC4CCAE}: NameServer=72.21.36.74

HKLM\SYSTEM\CCS\Services\Tcpip\..\{3C6FC0D7-5F21-4ACB-8D12-623FC013CF14}: DhcpNameServer=68.87.68.162 68.87.74.162

HKLM\SYSTEM\CCS\Services\Tcpip\..\{3C6FC0D7-5F21-4ACB-8D12-623FC013CF14}: NameServer=72.21.36.74

HKLM\SYSTEM\CS1\Services\Tcpip\..\{144F6782-9984-4E25-9848-BC7F1AA97616}: NameServer=72.21.36.74

HKLM\SYSTEM\CS1\Services\Tcpip\..\{15CCB216-4184-4A68-B1CD-FCF69BC4CCAE}: NameServer=72.21.36.74

HKLM\SYSTEM\CS1\Services\Tcpip\..\{3C6FC0D7-5F21-4ACB-8D12-623FC013CF14}: DhcpNameServer=68.87.68.162 68.87.74.162

HKLM\SYSTEM\CS1\Services\Tcpip\..\{3C6FC0D7-5F21-4ACB-8D12-623FC013CF14}: NameServer=72.21.36.74

HKLM\SYSTEM\CS3\Services\Tcpip\..\{144F6782-9984-4E25-9848-BC7F1AA97616}: NameServer=72.21.36.74

HKLM\SYSTEM\CS3\Services\Tcpip\..\{15CCB216-4184-4A68-B1CD-FCF69BC4CCAE}: NameServer=72.21.36.74

HKLM\SYSTEM\CS3\Services\Tcpip\..\{3C6FC0D7-5F21-4ACB-8D12-623FC013CF14}: DhcpNameServer=68.87.68.162 68.87.74.162

HKLM\SYSTEM\CS3\Services\Tcpip\..\{3C6FC0D7-5F21-4ACB-8D12-623FC013CF14}: NameServer=72.21.36.74

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.68.162 68.87.74.162

HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.68.162 68.87.74.162

HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.87.68.162 68.87.74.162

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

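The O17 lines in the HijackThis log and the DNS section of the SmitfraudFix report above both show one static NameServer set on every adapter while DHCP hands out different servers; a check for exactly that pattern is what a reviewer would run before calling a log clean when HTTPS pages are redirecting. The script below is an added example, not part of this thread or of either tool: it parses both line formats and flags adapters in the current control set whose static DNS differs from the DHCP-assigned servers. The sample input is constructed from the lines quoted above plus one made-up adapter ({0000DEAD-...}) whose static server matches DHCP; the `trusted` allow-list is an assumed parameter.

```python
import re
from collections import defaultdict

# Constructed sample: HijackThis "O17 -" lines and SmitfraudFix DNS-section lines
# as quoted in this thread, plus one made-up adapter ({0000DEAD-...}) whose
# static server equals its DHCP server, to show a case that is not flagged.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{144F6782-9984-4E25-9848-BC7F1AA97616}: NameServer = 72.21.36.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{15CCB216-4184-4A68-B1CD-FCF69BC4CCAE}: NameServer = 72.21.36.74
HKLM\SYSTEM\CCS\Services\Tcpip\..\{3C6FC0D7-5F21-4ACB-8D12-623FC013CF14}: DhcpNameServer=68.87.68.162 68.87.74.162
HKLM\SYSTEM\CCS\Services\Tcpip\..\{3C6FC0D7-5F21-4ACB-8D12-623FC013CF14}: NameServer=72.21.36.74
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3C6FC0D7-5F21-4ACB-8D12-623FC013CF14}: NameServer=72.21.36.74
HKLM\SYSTEM\CCS\Services\Tcpip\..\{0000DEAD-0000-0000-0000-000000000001}: DhcpNameServer=10.0.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{0000DEAD-0000-0000-0000-000000000001}: NameServer=10.0.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.68.162 68.87.74.162
"""

# One regex covers both formats: the optional "O17 - " prefix, the control set
# (CCS = CurrentControlSet, CS1/CS3 = backup sets), either an adapter GUID or
# the global Parameters key, and the NameServer / DhcpNameServer value.
DNS_LINE = re.compile(
    r"(?:O17 - )?HKLM\\SYSTEM\\(?P<cset>CCS|CS\d+)\\Services\\Tcpip\\"
    r"(?:\.\.\\\{(?P<guid>[0-9A-Fa-f-]+)\}|Parameters):\s*"
    r"(?P<key>DhcpNameServer|NameServer)\s*=\s*(?P<value>.*)$",
    re.IGNORECASE,
)


def parse_dns_entries(text):
    """Yield (control_set, scope, key, servers) for every DNS line.

    scope is the adapter GUID (upper-cased) or 'Parameters' for the global key;
    servers is the list of addresses (HijackThis may separate them with commas).
    """
    for line in text.splitlines():
        m = DNS_LINE.search(line.strip())
        if not m:
            continue
        scope = m.group("guid").upper() if m.group("guid") else "Parameters"
        key = "DhcpNameServer" if m.group("key").lower().startswith("dhcp") else "NameServer"
        servers = [s for s in re.split(r"[\s,]+", m.group("value").strip()) if s]
        yield m.group("cset").upper(), scope, key, servers


def find_static_dns_overrides(text, trusted=()):
    """Flag adapters whose static NameServer is set and differs from DHCP.

    Only the live control set (CCS) is evaluated. An adapter without its own
    DhcpNameServer is compared against the global Parameters value. `trusted`
    is an assumed allow-list of resolvers the operator set on purpose.
    """
    per_adapter = defaultdict(dict)
    global_dhcp = []
    for cset, scope, key, servers in parse_dns_entries(text):
        if cset != "CCS":
            continue
        if scope == "Parameters":
            if key == "DhcpNameServer":
                global_dhcp = servers
            continue
        per_adapter[scope][key] = servers

    findings = []
    for guid, keys in sorted(per_adapter.items()):
        static = keys.get("NameServer", [])
        dhcp = keys.get("DhcpNameServer", global_dhcp)
        unexpected = [s for s in static if s not in dhcp and s not in trusted]
        if unexpected:
            findings.append({"interface": guid, "static": static,
                             "dhcp": dhcp, "unexpected": unexpected})
    return findings


def common_static_servers(findings):
    """Servers that appear as the unexpected static DNS on every flagged adapter.

    The same resolver pinned on all adapters, including ones not in use, is the
    footprint of a system-wide DNS change rather than a per-connection setting.
    """
    sets = [set(f["unexpected"]) for f in findings]
    return set.intersection(*sets) if sets else set()


if __name__ == "__main__":
    hits = find_static_dns_overrides(SAMPLE_LOG)
    for f in hits:
        print(f"{f['interface']}: static {f['static']} vs DHCP {f['dhcp']}")
    print("pinned on all flagged adapters:", common_static_servers(hits))
```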

tman70,

Ok, that one is clean. Let's try a more generalized scan that will show me more files.

1. Download ComboFix.exe using either of these links:

* bleepingcomputer.com

* techsupportforum.com

2. Double click on combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply.

Note:

Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Thanks,

sari


Sari,

Here is the combo scan and HJT scan.

"Owner" - 2007-07-13 12:07:27 - ComboFix 07-07-13.8 - Service Pack 2 NTFS

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\aimsmx.dll

C:\WINDOWS\system32\aosmx.dll

C:\WINDOWS\system32\gtalsmx.dll

C:\WINDOWS\system32\pfxzmtaim.dll

C:\WINDOWS\system32\pfxzmtgtal.dll

C:\WINDOWS\system32\pfxzmticq.dll

C:\WINDOWS\system32\pfxzmtymsg.dll

C:\WINDOWS\system32\sfxzmtforum.dll

C:\WINDOWS\system32\sfxzmtsmt.dll

C:\WINDOWS\system32\sfxzmtsmtspm.dll

C:\WINDOWS\system32\sfxzmtwbmail.dll

C:\WINDOWS\system32\srvswc2.dll

C:\WINDOWS\system32\ymsgsmx.dll

((((((((((((((((((((((((( Files Created from 2007-06-13 to 2007-07-13 )))))))))))))))))))))))))))))))

2007-07-13 12:06 51,200 --a------ C:\WINDOWS\nircmd.exe

2007-07-12 18:10 1,290 --a------ C:\WINDOWS\system32\tmp.reg

2007-07-12 18:09 53,248 --a------ C:\WINDOWS\system32\Process.exe

2007-07-12 18:09 51,200 --a------ C:\WINDOWS\system32\dumphive.exe

2007-07-12 18:09 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe

2007-07-12 17:18 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys

2007-07-12 17:15 12,413,440 --a------ C:\Program Files\avgas-setup-7.5.1.43.exe

2007-07-12 11:14 <DIR> d-------- C:\Program Files\a-squared Free

2007-07-12 11:12 17,039,544 --a------ C:\Program Files\a2FreeSetup.exe

2007-07-12 09:58 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab

2007-07-12 09:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab

2007-07-11 13:48 <DIR> d-------- C:\WINDOWS\system32\ActiveScan

2007-07-11 07:59 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys

2007-07-11 07:58 <DIR> d-------- C:\WINDOWS\LastGood

2007-07-10 20:21 <DIR> d-------- C:\DOCUME~1\Owner\.housecall6.6

2007-07-10 17:34 73,641,510 --a------ C:\regrestore.reg

2007-07-10 17:00 <DIR> d-------- C:\WINDOWS\pss

2007-07-10 13:14 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Leadertech

2007-07-09 16:39 251,392 --a------ C:\Program Files\hijackthis_sfx.exe

2007-07-09 10:36 <DIR> d-------- C:\Program Files\Microsoft.NET

2007-07-09 10:36 <DIR> d-------- C:\Program Files\Microsoft ActiveSync

2007-07-07 12:23 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Template

2007-07-01 10:11 <DIR> d-------- C:\Program Files\Apense Express

2007-06-17 11:32 <DIR> d-------- C:\Program Files\Flickr Uploadr

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-11 02:23:12 -------- d-----w C:\Program Files\AM Browser

2007-07-11 00:20:25 -------- d-----w C:\Program Files\SpywareBlaster

2007-07-10 19:15:08 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Sonic

2007-07-10 01:03:57 0 ----a-w C:\WINDOWS\system32\dummy.dat

2007-07-10 01:02:52 -------- d-----w C:\Program Files\Google

2007-07-10 00:12:49 -------- d--h--w C:\Program Files\InstallShield Installation Information

2007-07-10 00:12:36 -------- d-----w C:\Program Files\Quicken

2007-07-10 00:11:00 -------- d-----w C:\Program Files\MySpace

2007-07-10 00:10:33 -------- d-----w C:\Program Files\MUSICMATCH

2007-07-07 18:19:55 -------- d-----w C:\Program Files\ABBYY FineReader 5.0 Sprint

2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll

2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe

2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AVASTSS.scr

2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll

2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll

2007-04-17 04:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll

2007-04-17 04:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll

2007-04-17 04:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll

2007-04-17 04:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll

2007-04-17 04:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll

2007-04-17 04:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll

2007-04-17 04:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe

2007-04-17 04:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll

2006-11-08 03:00:43 136,844 ----a-w C:\Program Files\getFile.asp

2006-11-07 15:57:40 54,272 ----a-w C:\Program Files\Cleanup Saves Cookies 2K,XP incl Java.exe

2006-11-06 23:22:52 703,829 ----a-w C:\Program Files\ambrowser.exe

2006-11-06 20:18:22 248,200 ----a-w C:\Program Files\xxcopy.zip

2006-11-06 18:01:33 1,035,200 ----a-w C:\Program Files\wpsetup.exe

2006-11-06 18:01:29 297,192 ----a-w C:\Program Files\wmpplugin.exe

2006-11-06 18:01:29 2,417,824 ----a-w C:\Program Files\winzip90.exe

2006-11-06 18:01:03 61,410 ----a-w C:\Program Files\StartupMonitor.zip

2006-11-06 18:01:03 58,671 ----a-w C:\Program Files\StartupCPL.zip

2006-11-06 18:00:54 528 ----a-w C:\Program Files\SETUP.ISS

2006-11-06 18:00:54 320,584 ----a-w C:\Program Files\RegSeeker.zip

2006-11-06 18:00:54 30,720 ----a-w C:\Program Files\REGSVR32.EXE

2006-11-06 18:00:54 29,959 ----a-w C:\Program Files\regsv32a.exe

2006-11-06 18:00:54 23,552 ----a-w C:\Program Files\SetCDfmt.exe

2006-11-06 18:00:54 2,036 ----a-w C:\Program Files\Setup.ini

2006-11-06 18:00:54 156,824 ----a-w C:\Program Files\SETUP.INX

2006-11-06 18:00:54 139,264 ----a-w C:\Program Files\Setup.exe

2006-11-06 18:00:54 1,239 ----a-w C:\Program Files\REGSV32A.TXT

2006-11-06 18:00:53 3,087 ----a-w C:\Program Files\README.TXT

2006-11-06 18:00:51 6,113,439 ----a-w C:\Program Files\pci_filerecovery.exe

2006-11-06 18:00:48 3,846,436 ----a-w C:\Program Files\ow32enen802.exe

2006-11-06 17:59:07 1,938,558 ----a-w C:\Program Files\maxblast4.exe

2006-11-06 17:58:57 14,480,772 ----a-w C:\Program Files\Legacy40.exe

2006-11-06 17:58:56 422 ----a-w C:\Program Files\LAYOUT.BIN

2006-11-06 17:58:51 16,508,560 ----a-w C:\Program Files\jre-1_5_0_09-windows-i586-p.exe

2006-11-06 17:58:30 4,928,507 ----a-w C:\Program Files\intel82801.zip

2006-11-06 17:58:24 339,565 ----a-w C:\Program Files\IKERNEL.EX_

2006-11-06 17:58:24 2,564,187 ----a-w C:\Program Files\ieSpellSetup211325.exe

2006-11-06 17:58:24 1,577,619 ----a-w C:\Program Files\infinst_enu.exe

2006-11-06 17:58:22 511,616 ----a-w C:\Program Files\ie5setup.exe

2006-11-06 17:58:22 508,240 ----a-w C:\Program Files\ie6setup.exe

2006-11-06 17:58:22 302,592 ----a-w C:\Program Files\ie-spyad.exe

2006-11-06 17:58:22 288,093 ----a-w C:\Program Files\icon_restore.exe

2006-11-06 17:58:22 2,122,429 ----a-w C:\Program Files\fsc130.exe

2006-11-06 17:58:21 11,079 ----a-w C:\Program Files\folder.htt

2006-11-06 17:58:20 5,127,800 ----a-w C:\Program Files\Firefox Setup 1.5.0.7.exe

2006-11-06 17:58:13 925,184 ----a-w C:\Program Files\epsetup.exe

2006-11-06 17:58:13 2,995,547 ----a-w C:\Program Files\everesthome200.exe

2006-11-06 17:58:11 433,971 ----a-w C:\Program Files\enditall.exe

2006-11-06 17:58:09 12,425,080 ----a-w C:\Program Files\dklite.exe

2006-11-06 17:58:08 5,079,040 ----a-w C:\Program Files\Diskeeper Lite.msi

2006-11-06 17:58:07 867,386 ----a-w C:\Program Files\DATA1.CAB

2006-11-06 17:58:07 512 ----a-w C:\Program Files\DATA2.CAB

2006-11-06 17:58:07 27,058 ----a-w C:\Program Files\DATA1.HDR

2006-11-06 17:58:06 172,032 ----a-w C:\Program Files\CrucialScan.exe

2006-11-06 17:57:20 714,827 ----a-w C:\Program Files\cbsetup.exe

2006-11-06 17:57:19 618,936 ----a-w C:\Program Files\belarcadvisor v6.1f.exe

2006-11-06 17:57:17 335,624 ----a-w C:\Program Files\ba.exe

2006-11-06 17:57:14 1,033,579 ----a-w C:\Program Files\autostitch.zip

2006-11-06 17:57:00 1,822,312 ----a-w C:\Program Files\AiRoboForm5.7.exe

2006-11-06 17:56:45 351,192 ----a-w C:\Program Files\adrmpro2.exe

2006-11-06 17:56:18 19,879,224 ----a-w C:\Program Files\AdbeRdr602_ece_full.exe

2006-11-06 17:56:15 1,819,984 ----a-w C:\Program Files\Acro-Reader_603_Update.exe

2006-11-06 17:56:14 1,391,254 ----a-w C:\Program Files\absetup131.exe

2006-11-06 17:56:13 1,166,330 ----a-w C:\Program Files\absetup100035.exe

2006-11-06 17:56:02 7,113,909 ----a-w C:\Program Files\4110293.zip

2006-11-06 17:56:01 417,104 ----a-w C:\Program Files\329115USA8.EXE

2006-11-06 01:11:17 278,927,592 ----a-w C:\Program Files\WindowsXP-KB835935-SP2-ENU.exe

2006-11-05 21:21:59 5,037,072 ----a-w C:\Program Files\spybotsd14.exe

2006-11-05 21:19:54 12,099,848 ----a-w C:\Program Files\setupeng.exe

2006-11-05 21:03:49 2,855,080 ----a-w C:\Program Files\aawsepersonal.exe

2006-11-05 21:00:26 2,566,736 ----a-w C:\Program Files\spywareblastersetup351.exe

2006-11-05 20:53:20 5,900,416 ----a-w C:\Program Files\Firefox Setup 2.0.exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]

2006-10-26 10:28 440384 --a------ C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

2003-05-15 09:47 50376 --a------ C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}]

2006-10-31 15:29 198136 --a------ C:\Program Files\Yahoo!\Common\yiesrvc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]

2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A519CE41-E431-407D-8A79-B8FA3FBEBD0A}]

2007-02-20 02:36 868424 --a------ C:\PROGRA~1\HITS2U~1\HITS2U~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Run StartupMonitor"="StartupMonitor.exe" [2000-05-20 17:23 C:\WINDOWS\StartupMonitor.exe]

"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 09:42]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

"100"=C:\SysMa2\svchost.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 06:29]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8cf84f7c-6d32-11db-918d-806d6172696f}]

AutoRun\command- D:\Info.exe folder.htt 480 480

*Newly Created Service* - A2FREE

*Newly Created Service* - AVG_ANTI-SPYWARE_DRIVER

*Newly Created Service* - AVG_ANTI-SPYWARE_GUARD

*Newly Created Service* - CO_MON

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-07-13 12:10:00

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Completion time: 2007-07-13 12:11:05

C:\ComboFix-quarantined-files.txt ... 2007-07-13 12:10

--- E O F ---

Logfile of HijackThis v1.99.1

Scan saved at 12:13:56 PM, on 7/13/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\StartupMonitor.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\a-squared Free\a2service.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trafficswarm.com/cgi-bin/swarm....02de7a766c9c63d

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: TBSB06220 - {A519CE41-E431-407D-8A79-B8FA3FBEBD0A} - C:\PROGRA~1\HITS2U~1\HITS2U~1.DLL

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{144F6782-9984-4E25-9848-BC7F1AA97616}: NameServer = 72.21.36.74

O17 - HKLM\System\CCS\Services\Tcpip\..\{15CCB216-4184-4A68-B1CD-FCF69BC4CCAE}: NameServer = 72.21.36.74

O17 - HKLM\System\CCS\Services\Tcpip\..\{3C6FC0D7-5F21-4ACB-8D12-623FC013CF14}: NameServer = 72.21.36.74

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: eitheror - {2016a466-91a2-43c6-97d8-2fd380f065ef} - (no file)

O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


tman70,

Show Hidden Files

* Click Start.

* Open My Computer.

* Select the Tools menu and click Folder Options.

* Select the View Tab.

* Under the Hidden files and folders heading select Show hidden files and folders.

* Uncheck the Hide protected operating system files (recommended) option.

* Click Yes to confirm.

* Click OK.

I'd like you to see if you can find the following file:

C:\SysMa2\svchost.exe

If so, please do the following:

Right click on the folder - c:\SysMa2 - and select Send to Compressed Folder. It will create a zipped folder in the same directory.

Please go to Uploadmalware to upload a suspicious file for analysis.

  • Enter your username from this forum
  • Copy and paste the link to this thread
  • Browse for the zipped folder you just created in c:\SysMa2
  • In the comments, please mention that I asked you to upload this file
  • Click on Send File

The combofix program did clean some files up - you had an email trojan. However, I don't like the looks of that above entry, and I'd like to get it analyzed if possible.

Thanks,

sari


Sari

I did the first steps and then went to the C drive. There is nothing showing in the folder, and if I right click and send to compressed folder it says the folder is empty and cannot be archived. In the left-hand panel the detail panel says "attribute: hidden".

What should I do now?


tman70,

I believe that's telling me that file no longer exists - there's a registry entry pointing to it, but the file itself is gone, which is a good thing (except I would have liked to have known what it was!). The attributes were hidden because it was a hidden directory - even though you had unhidden everything, the attributes would remain the same.

Are you still having the redirections on secure links?

sari

Sari

Thank you for explaining. I thought that was the reason, but was not sure.

I don't know what my son deleted when he started having problems.

He goes on to work and lets me figure out how to correct the problems. LOL

The original paypal page will come up with the lock at the lower right bottom.

However, when you click a link it takes you to a log in page without the lock.

The certificate for Paypal is still snakeoil.dom

I ran a Kaspersky scan yesterday and it says the only virus he has is:

Smitfraudfix\reboot.exe (which we know what that is)

and

c\hp\bin\killwind.exe (which is a compaq program he doesn't need and will be removed later)

There is a registry key:

HKEY_Current_User\software\microsoft\windows\current version\policies\explorer\run\c:\SysMa2\svchost.exe

Should I delete this key or is there something else I should do first?


tman70,

We'll get rid of the key, but since that file seems to be gone, I don't think it's the issue. I'm trying to do some research on other ways to get rid of this. In the meantime, I want you to run a rootkit scanner.

Download GMER from here:

http://www.gmer.net/files.php

Unzip it to the desktop.

Open the program and click on the Rootkit tab.

Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.

Click on Scan.

When the scan has run, click Copy and paste the results (if any) into this thread.

Thanks,

sari

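A read-only way to check the kind of entry discussed above (a Policies\Explorer\Run value pointing at C:\SysMa2\svchost.exe whose file is gone and whose folder carried the Hidden attribute), as an added PowerShell example that is not part of the thread or any tool it mentions. The function name Get-RunKeyAudit is my own; it lists each Run value, tests whether the target file still exists, and reports whether its directory is hidden.

```powershell
# Added example, not from the thread. Audits the Run and Policies\Explorer\Run
# keys for values whose target executable is missing or lives in a hidden folder.
# Read-only: it changes nothing; removal is left as a commented line at the end.
function Get-RunKeyAudit {
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $regKey = Get-Item -LiteralPath $key
        foreach ($name in $regKey.GetValueNames()) {
            if ($name -eq '') { continue }           # skip the (Default) value
            $raw = [string]$regKey.GetValue($name)

            # Recover the executable path: strip surrounding quotes and any
            # arguments after the first ".exe" (e.g. ...\ashMaiSv.exe /service).
            if ($raw -match '^"?(?<exe>[^"]*?\.exe)') { $exe = $Matches['exe'] }
            else { $exe = $raw.Trim('"') }

            # A bare file name (like "StartupMonitor.exe" in the log above) is
            # resolved the way Windows would: against the Windows and System32 folders.
            if (-not [IO.Path]::IsPathRooted($exe)) {
                foreach ($dir in @($env:windir, "$env:windir\System32")) {
                    if (Test-Path -LiteralPath (Join-Path $dir $exe)) {
                        $exe = Join-Path $dir $exe
                        break
                    }
                }
            }

            $exists = Test-Path -LiteralPath $exe
            $parent = Split-Path -Parent $exe
            $dirHidden = $false
            if ($parent -and (Test-Path -LiteralPath $parent)) {
                # -Force is required, otherwise Get-Item will not return a hidden folder.
                $attrs = (Get-Item -LiteralPath $parent -Force).Attributes
                $dirHidden = (($attrs -band [IO.FileAttributes]::Hidden) -ne 0)
            }

            # Policies\Explorer\Run is rarely used by legitimate software, so an
            # entry there deserves a look even when its file exists.
            $suspicious = ($key -like '*Policies\Explorer\Run') -or (-not $exists) -or $dirHidden

            New-Object PSObject -Property @{
                Key        = $key
                ValueName  = $name
                Target     = $exe
                Exists     = $exists
                DirHidden  = $dirHidden
                Suspicious = $suspicious
            }
        }
    }
}

Get-RunKeyAudit | Sort-Object Suspicious -Descending | Format-Table -AutoSize

# After reviewing the output, a dangling policy entry such as "100" = C:\SysMa2\svchost.exe
# can be removed (as the affected user) with:
# Remove-ItemProperty -LiteralPath 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' -Name '100'
```

An entry reported with Exists = False under a Policies\Explorer\Run key is exactly the "registry entry pointing to a file that is gone" case sari describes; one with DirHidden = True explains the "attribute: hidden" detail shown in Explorer.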

sari

Here is the file from the GMER program.

GMER 1.0.13.12551 - http://www.gmer.net

Rootkit scan 2007-07-18 11:55:53

Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.13 ----

SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess

SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F738C812] aswMon2.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F738C812] aswMon2.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F738C812] aswMon2.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F738C812] aswMon2.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F738C812] aswMon2.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F738C812] aswMon2.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F738C812] aswMon2.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F738C812] aswMon2.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F738C812] aswMon2.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F738C812] aswMon2.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F738C812] aswMon2.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F738C812] aswMon2.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F738C812] aswMon2.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F738DF74] aswMon2.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F738C812] aswMon2.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F738C812] aswMon2.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F738C812] aswMon2.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F738C812] aswMon2.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F738C812] aswMon2.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F738C812] aswMon2.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F738C812] aswMon2.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F738C812] aswMon2.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F738C812] aswMon2.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F738C812] aswMon2.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F738C812] aswMon2.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F738C812] aswMon2.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F738C812] aswMon2.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_READ [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_WRITE [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F9F5F2C0] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_POWER [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_READ [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F9F5F2C0] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_POWER [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_READ [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_WRITE [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F9F5F2C0] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_POWER [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_READ [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F9F5F2C0] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_POWER [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA [F9F5F8E6] aswTdi.SYS

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA [F9F5F8E6] aswTdi.SYS

AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE [F738C812] aswMon2.SYS

AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_NAMED_PIPE [F738C812] aswMon2.SYS

AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLOSE [F738C812] aswMon2.SYS

AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_READ [F738C812] aswMon2.SYS

AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_WRITE [F738C812] aswMon2.SYS

AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION [F738C812] aswMon2.SYS

AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION [F738C812] aswMon2.SYS

AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA [F738C812] aswMon2.SYS

AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_EA [F738C812] aswMon2.SYS

AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS [F738C812] aswMon2.SYS

AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION [F738C812] aswMon2.SYS

AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION [F738C812] aswMon2.SYS

AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL [F738C812] aswMon2.SYS

AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL [F738DF74] aswMon2.SYS

AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL [F738C812] aswMon2.SYS

AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_INTERNAL_DEVICE_CONTROL [F738C812] aswMon2.SYS

AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN [F738C812] aswMon2.SYS

AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL [F738C812] aswMon2.SYS

AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP [F738C812] aswMon2.SYS

AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_MAILSLOT [F738C812] aswMon2.SYS

AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_SECURITY [F738C812] aswMon2.SYS

AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_SECURITY [F738C812] aswMon2.SYS

AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_POWER [F738C812] aswMon2.SYS

AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SYSTEM_CONTROL [F738C812] aswMon2.SYS

AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CHANGE [F738C812] aswMon2.SYS

AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_QUOTA [F738C812] aswMon2.SYS

AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_QUOTA [F738C812] aswMon2.SYS

---- EOF - GMER 1.0.13 ----


tman70,

Well, nothing is showing there. I'm going to have you run a scan that is similar to the combofix I had you run, but should be more detailed.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Thanks,

sari

Sari

Here are the main.txt and extra.txt files

Thanks for all your help.

main.txt

Deckard's System Scanner v20070711.54

Run by Owner on 2007-07-18 at 14:29:18

Computer is in Normal Mode.

--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.

-- Last 1 Restore Point(s) --

1: 2007-07-18 20:29:31 UTC - RP1 - System Checkpoint

Backed up registry hives.

Performed disk cleanup.

-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1

Scan saved at 2:31:53 PM, on 7/18/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\StartupMonitor.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\a-squared Free\a2service.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\System32\svchost.exe

C:\Documents and Settings\Owner\Desktop\dss.exe

C:\PROGRA~1\HIJACK~1\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trafficswarm.com/cgi-bin/swarm....02de7a766c9c63d

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: TBSB06220 - {A519CE41-E431-407D-8A79-B8FA3FBEBD0A} - C:\PROGRA~1\HITS2U~1\HITS2U~1.DLL

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{144F6782-9984-4E25-9848-BC7F1AA97616}: NameServer = 72.21.36.74

O17 - HKLM\System\CCS\Services\Tcpip\..\{15CCB216-4184-4A68-B1CD-FCF69BC4CCAE}: NameServer = 72.21.36.74

O17 - HKLM\System\CCS\Services\Tcpip\..\{3C6FC0D7-5F21-4ACB-8D12-623FC013CF14}: NameServer = 72.21.36.74

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: eitheror - {2016a466-91a2-43c6-97d8-2fd380f065ef} - (no file)

O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 PQNTDrv - c:\windows\system32\drivers\pqntdrv.sys <Not Verified; PowerQuest Corporation; PowerQuest product>

R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>

R3 SunkFilt (Alcor Micro Corp - 9360) - c:\windows\system32\drivers\sunkfilt.sys <Not Verified; Alcor Micro Corp.; SunkFilt>

S3 catchme - c:\docume~1\owner\locals~1\temp\catchme.sys (file missing)

S3 CO_Mon - c:\windows\system32\drivers\co_mon.sys

S3 Sunkfiltp (HP && Alcor Micro Corp for Phison) - c:\windows\system32\drivers\sunkfiltp.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.

-- Files created between 2007-06-18 and 2007-07-18 -----------------------------

2007-07-18 12:04:11 0 d-------- C:\Documents and Settings\Default User\Recent

2007-07-18 12:04:09 0 d-------- C:\Documents and Settings\Owner\Recent

2007-07-17 09:32:06 74159012 --a------ C:\regrestore.reg

2007-07-12 18:10:48 1290 --a------ C:\WINDOWS\system32\tmp.reg

2007-07-12 18:09:12 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>

2007-07-12 18:09:12 51200 --a------ C:\WINDOWS\system32\dumphive.exe

2007-07-12 17:18:27 0 d-------- C:\Documents and Settings\Owner\Application Data\Grisoft

2007-07-12 17:18:05 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft

2007-07-12 11:14:53 0 d-------- C:\Program Files\a-squared Free

2007-07-12 09:58:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab

2007-07-12 09:58:17 0 d-------- C:\WINDOWS\system32\Kaspersky Lab

2007-07-11 13:48:57 0 d-------- C:\WINDOWS\system32\ActiveScan

2007-07-11 07:59:07 28672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys

2007-07-10 20:21:12 0 d-------- C:\Documents and Settings\Owner\.housecall6.6

2007-07-10 17:00:07 0 d-------- C:\WINDOWS\pss

2007-07-10 13:14:52 0 d-------- C:\Documents and Settings\Owner\Application Data\Leadertech

2007-07-09 16:39:52 251392 --a------ C:\Program Files\hijackthis_sfx.exe

2007-07-09 10:36:58 0 d-------- C:\Program Files\Microsoft ActiveSync

2007-07-09 10:36:56 0 d-------- C:\Program Files\Microsoft.NET

2007-07-07 12:23:57 0 d-------- C:\Documents and Settings\Owner\Application Data\Template

2007-07-01 10:11:49 0 d-------- C:\Program Files\Apense Express

-- Find3M Report ---------------------------------------------------------------

2007-07-10 20:23:12 0 d-------- C:\Program Files\AM Browser

2007-07-10 18:20:25 0 d-------- C:\Program Files\SpywareBlaster

2007-07-10 13:15:08 0 d-------- C:\Documents and Settings\Owner\Application Data\Sonic

2007-07-09 19:03:57 0 --a------ C:\WINDOWS\system32\dummy.dat

2007-07-09 19:02:52 0 d-------- C:\Program Files\Google

2007-07-09 18:12:49 0 d--h----- C:\Program Files\InstallShield Installation Information

2007-07-09 18:12:36 0 d-------- C:\Program Files\Quicken

2007-07-09 18:11:00 0 d-------- C:\Program Files\MySpace

2007-07-09 18:10:33 0 d-------- C:\Program Files\MUSICMATCH

2007-07-07 12:19:55 0 d-------- C:\Program Files\ABBYY FineReader 5.0 Sprint

2007-07-01 09:12:07 0 d-------- C:\Program Files\Java

2007-06-17 11:32:05 0 d-------- C:\Program Files\Flickr Uploadr

-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{02478D38-C3F9-4EFB-9B51-7695ECA05670} C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll

{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} C:\Program Files\Yahoo!\Common\yiesrvc.dll

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

{A519CE41-E431-407D-8A79-B8FA3FBEBD0A} C:\PROGRA~1\HITS2U~1\HITS2U~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"Run StartupMonitor"="StartupMonitor.exe"

"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

"100"="C:\\SysMa2\\svchost.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]

"eitheror"="{2016a466-91a2-43c6-97d8-2fd380f065ef}"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa

Authentication Packages REG_MULTI_SZ msv1_0\

Security Packages REG_MULTI_SZ kerberosmsv1_0schannelwdigest\

Notification Packages REG_MULTI_SZ scecli\

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]

LocalService REG_MULTI_SZ AlerterWebClientLmHostsRemoteRegistryupnphostSSDPSRV\

NetworkService REG_MULTI_SZ DnsCache\

rpcss REG_MULTI_SZ RpcSs\

imgsvc REG_MULTI_SZ StiSvc\

termsvcs REG_MULTI_SZ TermService\

HTTPFilter REG_MULTI_SZ HTTPFilter\

DcomLaunch REG_MULTI_SZ DcomLaunchTermService\

-- End of Deckard's System Scanner: finished at 2007-07-18 at 14:33:27 ---------

extra.txt

Deckard's System Scanner v20070711.54

Extra logfile - please post this as an attachment with your post.

--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0

Architecture: X86; Language: English

CPU 0: AMD Athlon XP 3000+

Percentage of Memory in Use: 79%

Physical Memory (total/avail): 191.36 MiB / 38.42 MiB

Pagefile Memory (total/avail): 490.55 MiB / 254.25 MiB

Virtual Memory (total/avail): 2047.88 MiB / 1975.05 MiB

A: is Removable (No Media)

C: is Fixed (NTFS) - 70.31 GiB total, 61.82 GiB free.

D: is Fixed (FAT32) - 4.2 GiB total, 0.69 GiB free.

E: is CDROM (No Media)

F: is CDROM (No Media)

H: is Removable (No Media)

I: is Removable (No Media)

J: is Removable (No Media)

K: is Removable (No Media)

-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.

Windows Internal Firewall is enabled.

AV: avast! antivirus 4.7.1001 [VPS 000757-3] v4.7.1001 (ALWIL Software)

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users

APPDATA=C:\Documents and Settings\Owner\Application Data

CLIENTNAME=Console

CommonProgramFiles=C:\Program Files\Common Files

COMPUTERNAME=DAVID

ComSpec=C:\WINDOWS\system32\cmd.exe

FP_NO_HOST_CHECK=NO

HOMEDRIVE=C:

HOMEPATH=\Documents and Settings\Owner

LOGONSERVER=\\DAVID

NUMBER_OF_PROCESSORS=1

OS=Windows_NT

Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;c:\Python22;C:\Program Files\PC-Doctor for Windows\services

PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH

PROCESSOR_ARCHITECTURE=x86

PROCESSOR_IDENTIFIER=x86 Family 6 Model 10 Stepping 0, AuthenticAMD

PROCESSOR_LEVEL=6

PROCESSOR_REVISION=0a00

ProgramFiles=C:\Program Files

PROMPT=$P$G

SESSIONNAME=Console

SystemDrive=C:

SystemRoot=C:\WINDOWS

TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp

TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp

USERDOMAIN=DAVID

USERNAME=Owner

USERPROFILE=C:\Documents and Settings\Owner

windir=C:\WINDOWS

-- User Profiles ---------------------------------------------------------------

Owner (admin)

-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\rnuninst.exe RealNetworks|RealPlayer|6.0

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu

--> C:\WINDOWS\System32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature

--> c:\WINDOWS\System32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}

--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{39DA87A1-0B26-4562-A70C-2A6147366E47}\Setup.exe"

--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F765BD0-B900-4EDE-A90B-61C8A9E95C42}\Setup.exe"

--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BAD59025-5B73-4E12-B789-0028C5A573C2}\Setup.exe"

--> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2572

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf

a-squared Free 3.0 --> "C:\Program Files\a-squared Free\unins000.exe"

ABBYY FineReader 5.0 Sprint --> MsiExec.exe /X{4468EF97-A253-4699-9E1C-88CAE2C6832D}

Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG

Add/Remove Pro --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\ADRMPRO2.INF, DefaultUninstall.ntx86

Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe -q

Adobe Photoshop Album Starter Edition --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{483616D1-867E-46F8-BEC7-3C6475933908}\apxp.ex_" -l0x9

Adobe Reader 6.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-000000000001}

Agere Systems PCI Soft Modem --> agrsmdel

AM Browser version 2.0.1 --> "C:\Program Files\AM Browser\unins000.exe"

Apsense Express --> C:\Program Files\Apense Express\uninst.exe

avast! Antivirus --> rundll32 C:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup

AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe

Bounce Symphony from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\29FF6D07-4A15-41F1-9D5E-E0F3A58012C6\Uninstall.exe"

Compaq Connections --> C:\WINDOWS\BWUnin-6.2.3.66L.exe -AppId 1940576

Compaq Instant Support --> C:\PROGRA~1\COMPAQ~2\UNWISE.EXE C:\PROGRA~1\COMPAQ~2\INSTALL.LOG

Compaq Organize --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D0122362-6333-4DE4-93F6-A5A2F3CC101A}\Setup.exe" UNINSTALL

Easy Internet Sign-up --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{0613467F-A45E-4CB1-9ECE-1F3DD79FB927} /l1033

End It All --> C:\PROGRA~1\EndItAll\UNWISE.EXE C:\PROGRA~1\EndItAll\INSTALL.LOG

Excavation from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\C679AA5F-C2C8-4EA8-9CD1-504A39AEC264\Uninstall.exe"

Flickr Uploadr 2.5.0.15 --> "C:\Program Files\Flickr Uploadr\uninstall.exe"

HijackThis 1.99.1 --> C:\Program Files\HijackThis\HijackThis.exe /uninstall

HP Deskjet Preloaded Printer Drivers --> MsiExec.exe /X{F419D20A-7719-4639-8E30-C073A040D878}

HP Image Zone 3.5 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat

HP Photo & Imaging 3.5 - HP Devices --> C:\Program Files\HP\Digital Imaging\{15B9DC72-73F9-4d99-9E28-848D66DA8D99}\setup\hpzscr01.exe -datfile hpiscr01.dat

HP PSC & OfficeJet 3.0 --> "C:\Program Files\HP\Digital Imaging\{F38FA38A-7E5A-4209-88ED-4DE21CD20EEF}\setup\hpzscr01.exe" -datfile hposcr03.dat

HP Software Update --> MsiExec.exe /X{34957B51-9676-41CE-9E52-44AE91B73F1C}

Icon Restore 1.0 --> C:\WINDOWS\unins000.exe

IntelliMover Data Transfer Demo --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{14589F05-C658-4594-9429-D437BA688686}\Setup.exe" -l0x9

InterVideo WinDVD Player --> "C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL

IrfanView (remove only) --> C:\Program Files\IrfanView\iv_uninstall.exe

J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}

Java 2 Runtime Environment, SE v1.4.2_03 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}

Java SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}

Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe

KBD --> C:\HP\KBD\KBD.EXE uninstalled

Lexmark X74-X75 --> C:\WINDOWS\system32\spool\drivers\w32x86\3\LXBBUN5C.EXE -dLexmark X74-X75

Memories Disc Creator 2.0 --> MsiExec.exe /X{2E132061-C78A-48D4-A899-1D13B9D189FA}

MGI PhotoSuite 4 (Remove Only) --> "C:\Program Files\MGI\MGI PhotoSuite 4\System\MGIUninstall.exe" C:\WINDOWS\IsUninst.exe -f"C:\Program Files\MGI\MGI PhotoSuite 4\Uninst.isu" -c"C:\Program Files\MGI\MGI PhotoSuite 4\System\CustomUninstall.dll"

Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}

Microsoft Plus! Digital Media Edition --> MsiExec.exe /I{C6A7AF96-4EB1-4AAE-8318-1AB393C64F88}

Microsoft Word 2000 SR-1 --> MsiExec.exe /I{00170409-78E1-11D2-B60F-006097C998E7}

Microsoft Works 2001 Setup Launcher --> C:\Program Files\Microsoft Works Suite 2001\Setup\Launcher.exe E:\

Microsoft Works 6.0 --> MsiExec.exe /I{F8D0829C-9C6F-11D3-8080-00C04FA329AA}

Microsoft Works 7.0 --> MsiExec.exe /I{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}

Microsoft Works Suite Add-in for Microsoft Word --> MsiExec.exe /I{5F629FE8-5B4C-4863-937A-AFC2961F7DD3}

Mozilla Firefox (2.0.0.4) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe

Multimedia Card Reader --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{EF9967D8-1999-4260-ACC2-86901AA36650}

Norton PartitionMagic 8.0 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{21DBBDD6-93A5-4326-9A04-C9A5C9148502}

NVIDIA Display Driver --> C:\WINDOWS\System32\nvudisp.exe Uninstall C:\WINDOWS\System32\nvdisp.nvu,NVIDIA Display Driver

NVIDIA Ethernet Driver --> C:\WINDOWS\System32\nvuenet.exe Uninstall C:\WINDOWS\System32\Nvenet.nvu,NVIDIA Ethernet Driver

NVIDIA GART Driver --> C:\WINDOWS\System32\nvugart.exe Uninstall C:\WINDOWS\System32\Nvgart.nvu,NVIDIA GART Driver

Orbital from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\26DC0ED6-93A7-43C1-8DC5-EC16079580F9\Uninstall.exe"

Otto from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\8A225900-C06D-41DD-B66C-43840D472758\Uninstall.exe"

Overball from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\FA7F5211-C629-4711-BD82-7DFFB08CB518\Uninstall.exe"

PC-Doctor for Windows --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F7CCFA3-D926-4882-B2A5-A0217ED25597}\Setup.exe"

PC Inspector File Recovery --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0DD140D3-9563-481E-AA75-BA457CBDAEF2}\Setup.exe" -l0x9

Photosmart 140,240,7200,7600,7700,7900 Series --> C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\setup\hpzscr01.exe -datfile hphscr01.dat

Polar Bowler from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games5E21449-3BA3-42BF-BBDA-95205F4EA40A\Uninstall.exe"

PS2 --> C:\WINDOWS\system32\ps2.exe uninstall

Python 2.2 combined Win32 extensions --> C:\Python22\Lib\SITE-P~1\UNWISE~1.EXE C:\Python22\Lib\SITE-P~1\w32inst.log

Python 2.2.1 --> C:\Python22\UNWISE.EXE C:\Python22\INSTALL.LOG

QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\System32\QuickTime\Uninstall.log

RealOne Player --> C:\Program Files\Common Files\Real\Update_OB\rnuninst.exe RealNetworks|RealPlayer|6.0

RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}

Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"

Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"

Slyder from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\8BA6F58B-7A91-461F-95F8-E34F8BD8AA4E\Uninstall.exe"

Sonic Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}

SpamSubtract --> C:\PROGRA~1\INTERM~1\SPAMSU~1\UNWISE.EXE /U C:\PROGRA~1\INTERM~1\SPAMSU~1\INSTALL.LOG

Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"

SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"

StartupMonitor --> MsiExec.exe /I{76EFAC4F-1712-401F-B2AE-590B170C9BCE}

ToolbarBrand --> regsvr32 /u /s "C:\Program Files\Hits2uToolbar\Hits2uToolbar.dll"

Viewpoint Media Player (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u

Yahoo! Browser Services --> C:\PROGRA~1\Yahoo!\Common\unyext.exe

Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL

Yahoo! Internet Mail --> C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\ymmapi.dll

Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG

Yahoo! Photos Easy Upload Tool --> C:\Program Files\Yahoo!\Common\ydropper_uninst.exe /ylog=C:\PROGRA~1\Yahoo!\Photos\Uploader\install.log

Yahoo! Photos Easy Upload Tool 1v7 --> C:\WINDOWS\system32\regsvr32 /u /s "C:\WINDOWS\cache\YDropper.dll"

Yahoo! Photos Print-at-Home Tool --> C:\WINDOWS\unins001.exe

Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe

-- End of Deckard's System Scanner: finished at 2007-07-18 at 14:33:27 ---------

Thanks

Tman70


tman,

Several questions for you.

1) Is this computer networked, and do you have a router?

2) Is Comcast your ISP?

I have some things for you to try - I'm putting them together in a response right now. However, there is a suspicious IP address that might be the source of your issue.

sari


sari

Comcast is our ISP.

His computer is not networked.

We are both connected through the same 4-port router.

Linksys

model #BEFSR41 ver.2

We can access our respective paypal accounts from my computer as it has the paypal certificate.

His computer still has the snakeoil.dom certificate.

Is there any other information you need?

Tman70


tman70,

What we're going to do is reset your network information, especially your DNS servers. The following line appears to be redirecting you:

O17 - HKLM\System\CCS\Services\Tcpip\..\{144F6782-9984-4E25-9848-BC7F1AA97616}: NameServer = 72.21.36.74

If I look up that address, it appears to go to a company called Layered Tech, in Texas, but it actually resolves to a Brazilian address. This is what I'd like you to do. You may want to print these instructions, as I'm going to have you go offline for part of the fix.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O17 - HKLM\System\CCS\Services\Tcpip\..\{144F6782-9984-4E25-9848-BC7F1AA97616}: NameServer = 72.21.36.74

O17 - HKLM\System\CCS\Services\Tcpip\..\{15CCB216-4184-4A68-B1CD-FCF69BC4CCAE}: NameServer = 72.21.36.74

O17 - HKLM\System\CCS\Services\Tcpip\..\{3C6FC0D7-5F21-4ACB-8D12-623FC013CF14}: NameServer = 72.21.36.74

Now close all windows other than HiJackThis, then click Fix Checked.

I'm going to want you to shut off your router and your PCs for a while - at least an hour. Before you do, however, I need you to do the following on each PC:

Go to Start > Run and type cmd.

Type ipconfig /flushdns and hit enter.

Shut off your PCs. When you turn them back on, repeat the above command. Then type:

ipconfig /renew

That will get new network addresses for you. I know your PC is ok, but I'd rather clear them both and your router to be on the safe side.

After you've done that, please post a new hijackthis log and let me know if you can access Paypal properly on your son's machine.

Also, could you ask your son what files, if any, he deleted? I'd be curious to know if there was something he could pinpoint that might have been the source of this.

If you have any questions about my instructions, please ask before you follow them.

Thanks,

sari

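Sari's diagnosis above comes down to one check: every TCP/IP interface on the machine carries a static NameServer value pointing at a resolver the owner never configured, so every lookup (including www.paypal.com) is answered by that server. The script below, added here as an example and not code from HijackThis or from anyone in this thread, applies that check to O17 lines taken from a HijackThis log: it parses each entry, compares the resolver against an allowlist of networks you trust, and lists the lines that should be ticked before "Fix checked". The sample log is constructed from the three O17 lines quoted in the post plus one benign line; the 192.168.1.0/24 LAN behind the Linksys router and the benign line's GUID are assumptions, not values from the log.

```python
"""Audit HijackThis O17 (TCP/IP NameServer) entries against an allowlist.

Added example for this thread, not code from HijackThis or from the posters.
The key HJT abbreviates as HKLM\System\CCS\Services\Tcpip\..\{GUID} is
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID};
its NameServer value is a statically configured resolver list and takes
precedence over the DHCP-supplied DhcpNameServer value.
"""
import re
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple

# Constructed sample: the three O17 lines quoted in the thread plus one benign
# interface (assumed GUID, assumed router address 192.168.1.1 listed twice).
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{144F6782-9984-4E25-9848-BC7F1AA97616}: NameServer = 72.21.36.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{15CCB216-4184-4A68-B1CD-FCF69BC4CCAE}: NameServer = 72.21.36.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C6FC0D7-5F21-4ACB-8D12-623FC013CF14}: NameServer = 72.21.36.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A1B2C3D-0000-4000-8000-000000000001}: NameServer = 192.168.1.1,192.168.1.1
"""

# Matches HJT's O17 NameServer lines for CurrentControlSet (CCS) or ControlSet00N (CSn).
O17_RE = re.compile(
    r"^O17 - (?P<key>HK[A-Z]+\\System\\(?:CCS|CS\d+)\\Services\\Tcpip\\\.\.\\"
    r"(?P<guid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})): "
    r"NameServer = (?P<servers>.+?)\s*$"
)


class Finding(NamedTuple):
    guid: str
    server: str
    verdict: str  # "trusted", "suspicious" or "unparseable"
    line: str     # the original log line, ready to tick in HijackThis


def classify(server: str, trusted) -> str:
    """Trusted if the resolver lies inside one of the allowlisted networks."""
    try:
        addr = ip_address(server)
    except ValueError:
        return "unparseable"
    return "trusted" if any(addr in net for net in trusted) else "suspicious"


def audit_hjt_log(log_text: str, trusted_networks: List[str]) -> List[Finding]:
    """Return one Finding per resolver address found in O17 NameServer lines."""
    trusted = [ip_network(n) for n in trusted_networks]
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O17_RE.match(line)
        if not m:
            continue  # not an O17 NameServer entry (Domain= lines etc. are skipped)
        # NameServer is a comma- or space-separated list; audit each address.
        for server in re.split(r"[,\s]+", m.group("servers")):
            if server:
                findings.append(Finding(m.group("guid"), server,
                                        classify(server, trusted), line))
    return findings


def fix_list(findings: List[Finding]) -> List[str]:
    """Distinct O17 lines whose resolver is not trusted: tick these, then Fix Checked."""
    lines: List[str] = []
    for f in findings:
        if f.verdict != "trusted" and f.line not in lines:
            lines.append(f.line)
    return lines


if __name__ == "__main__":
    results = audit_hjt_log(SAMPLE_HJT_LOG, ["192.168.1.0/24"])  # assumed LAN
    for f in results:
        print(f"{f.verdict:10} {f.guid} -> {f.server}")
    print("\nTick these entries in HijackThis:")
    for line in fix_list(results):
        print("  " + line)
```

Because NameServer is a static setting, ipconfig /renew on its own would bring back a fresh DHCP lease but leave the rogue resolver in force; that is why the O17 entries have to be fixed first, with ipconfig /flushdns clearing the answers the rogue server had already planted in the local cache. On a live machine the allowlist should hold the router's LAN address and, if the ISP's resolvers were deliberately configured, those addresses too; anything else on an interface deserves the same scrutiny 72.21.36.74 got here.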
tman,

Sure. I want to clear all the network equipment of any existing IP addresses.

sari,

Thank you so much. What a relief.

That has eliminated the problem.

Paypal site now works and the certificate is for paypal.

My son had already changed his name and password through my computer when this started, so I guess he is safe there.

However he does not remember what he removed with the spyware and virus programs.

Do I need a special uninstaller for the programs you had me download to his desktop

dss.exe-smitfraudfix-GMER-combofix

or do I just delete them and do a search in the registry for leftovers?

Now I am going to start checking on removing a lot of compaq programs he doesn't need and see if I can clean his computer a little better.

Thanks again for the time and effort you put into this.

Tman70 :thumbsup: :thumbsup: :thumbsup: :thumbsup: :thumbsup: :thumbsup:

Here is the HJT log

Logfile of HijackThis v1.99.1

Scan saved at 4:58:02 PM, on 7/19/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\StartupMonitor.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\WordWeb\wweb32.exe

C:\Program Files\a-squared Free\a2service.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trafficswarm.com/cgi-bin/swarm....02de7a766c9c63d

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O2 - BHO: TBSB06220 - {A519CE41-E431-407D-8A79-B8FA3FBEBD0A} - C:\PROGRA~1\HITS2U~1\HITS2U~1.DLL

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: eitheror - {2016a466-91a2-43c6-97d8-2fd380f065ef} - (no file)

O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


tman70,

You can just delete the programs I had you download.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O21 - SSODL: eitheror - {2016a466-91a2-43c6-97d8-2fd380f065ef} - (no file)

Now close all windows other than HiJackThis, then click Fix Checked.

That's just a leftover, but no point in leaving it in there. I'm glad everything is good now - it's not fun thinking your PC is compromised like that. I'm glad I could be of assistance.

sari
