
Serious Redirect Problems

Discussion in 'Malware and Virus Removal Archive' started by higenbs1, 2006/12/01.

  1. 2006/12/01
    higenbs1

    higenbs1 Inactive Thread Starter

    Joined:
    2006/10/09
    Messages:
    16
    Likes Received:
    0
    I am having serious redirect problems, even in Firefox.

    Keeps going from google to pantyhot.com or bxnu.com or jupk.com

    Please help, as I thought Firefox was better than this.

    Thanks

    Logfile of HijackThis v1.99.1
    Scan saved at 01:12:44, on 02/12/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\WINDOWS\Explorer.EXE
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    D:\WINDOWS\System32\CTsvcCDA.exe
    D:\WINDOWS\System32\nvsvc32.exe
    D:\WINDOWS\System32\MsPMSPSv.exe
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    D:\WINDOWS\system32\RUNDLL32.EXE
    D:\WINDOWS\system32\CTHELPER.EXE
    D:\Program Files\BenQ\QMusic2\QMAgent.exe
    D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    D:\Program Files\iTunes\iTunesHelper.exe
    D:\Program Files\QuickTime\qttask.exe
    D:\WINDOWS\system32\GSICON.EXE
    D:\WINDOWS\system32\dslagent.exe
    D:\Program Files\iPod\bin\iPodService.exe
    D:\Program Files\Common Files\Real\Update_OB\realsched.exe
    D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    D:\WINDOWS\system32\ctfmon.exe
    D:\Program Files\Messenger\msmsgs.exe
    D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    D:\Program Files\WinZip\WZQKPICK.EXE
    D:\Program Files\Nebula\DigiTV\DigiTV.exe
    D:\Program Files\Nebula\DigiTV\DigiTV.exe
    D:\Program Files\Mozilla Firefox\firefox.exe
    D:\Program Files\WinRAR\WinRAR.exe
    D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX34.875\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" D:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
    O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Jet Detection] "D:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe "
    O4 - HKLM\..\Run: [NeroFilterCheck] "D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe "
    O4 - HKLM\..\Run: [QMusic] "D:\Program Files\BenQ\QMusic2\QMAgent.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe "
    O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
    O4 - HKLM\..\Run: [DSLAGENTEXE] "dslagent.exe" USB
    O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: DigiTV.lnk = D:\Program Files\Nebula\DigiTV\DigiTV.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142760996374
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142795221140
    O17 - HKLM\System\CCS\Services\Tcpip\..\{ECDCFDCE-FAAF-4BE6-84C6-A1D1958D05F8}: NameServer = 85.255.113.92 85.255.112.13
    O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
     
  2. 2006/12/01
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Hello and welcome to WindowsBBS Forums.

    Below you will find my results and recommendations from your HijackThis! log file analysis. Please read ALL instructions carefully BEFORE proceeding.


    Not much showing in your log, though the O17 lines could certainly indicate a hidden file, and perhaps a Wareout infection. Let's try the FixWareout tool and a couple of other file-searching tools as well.

    Step 1:
    Please follow these instructions, exactly, for proper HJT installation. Please place HJT into ITS OWN PERMANENT FOLDER. It must not be installed on the desktop.

    You can do this by going to My Computer (Windows key+E), then double-click on C:, then right-click and select New, then Folder, and name it HJT. Move HijackThis.exe into this folder (C:\HJT\HijackThis.exe). When you run HijackThis.exe from the C:\HJT folder and have it "Fix checked", it will create an easily accessible backup file of the modifications to use if a restore is necessary.

    Step 2:
    You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

    Please download FixWareout from one of these sites:
    Subratam
    Bleeping Computing

    Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
    The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

    Once rebooted please post the text that will open (report.txt) and a new Hijackthis log file into this thread.
    If you get a file output similar to below:
    Go here and run the fix appropriate to your version of Windows:

    http://www.tech-forums.net/computer/topic/29806.html

    Then re-run FixWareout please, thanks.

    Step 3:
    Download combofix.exe
    • Double click combofix.exe & follow the prompts.
    • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouse-click combofix's window whilst it's running. That may cause it to stall.

    Step 4:
    Please download SilentRunners from here

    Unzip it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run.
    Silent Runners will ask if you want to skip the supplementary search.
    Please select 'No' to include them.
    Then select 'Yes' to confirm the search.
    When the scan is finished, a message will pop up and a logfile will have been created on the desktop.

    Please post the entire contents of this logfile created back into this thread for me to see.

    Step 5:
    Open Hijackthis, select the 'Do a system scan only' button and look over the following entries I have listed, check the boxes next to them and press the "Fix Checked" button. When you are doing this, make sure you have No IE windows, nor any other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.

    O17 - HKLM\System\CCS\Services\Tcpip\..\{ECDCFDCE-FAAF-4BE6-84C6-A1D1958D05F8}: NameServer = 85.255.113.92 85.255.112.13


    Reboot, then post a new HJT log back into this thread please, along with the two previous log results.
     
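The two entries the helper singles out above (an O17 NameServer override pointing at resolvers the owner never configured, and an O20 Winlogon Notify entry whose DLL is missing) are exactly the kind of thing a small log checker can pick out of a HijackThis log before a human reads it. The script below is an added example, not code from this thread, from HijackThis or from FixWareout. It assumes the person running it supplies the resolvers the machine is supposed to use (`EXPECTED_DNS`, constructed here from documentation-range addresses); the O17 and O20 sample lines are copied from the log posted above, and the second O17 line (zero GUID, expected resolvers) is constructed so the check has a benign case to leave alone.

```python
import re
from dataclasses import dataclass

# Entries of interest, each matched against one HijackThis log line.
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.+)$")

# ASSUMPTION: the resolvers this machine should be using (e.g. the ISP's).
# These are constructed documentation-range addresses, not real resolvers.
EXPECTED_DNS = ["192.0.2.1", "192.0.2.2"]

# Sample log. The O4, first O17 and both O20 lines are copied from the thread's
# HijackThis log; the second O17 line is constructed as a benign control case.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{ECDCFDCE-FAAF-4BE6-84C6-A1D1958D05F8}: NameServer = 85.255.113.92 85.255.112.13",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.0.2.1,192.0.2.2",
    r"O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll",
    r"O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)",
]


@dataclass
class Finding:
    line_no: int   # 1-based position of the entry in the log
    kind: str      # "O17" (DNS override) or "O20" (dangling Winlogon hook)
    values: list   # unexpected resolvers, or the DLL reference that is missing
    line: str      # the original entry, ready to paste into a reply


def parse_nameservers(text):
    """Split a NameServer value; HijackThis lists servers separated by
    spaces or commas."""
    return [s for s in re.split(r"[ ,]+", text.strip()) if s]


def check_hjt_log(lines, expected_dns):
    """Return the O17/O20 entries a helper would ask about: O17 NameServer
    overrides pointing anywhere other than expected_dns, and O20 Winlogon
    Notify entries whose DLL HijackThis reports as missing."""
    expected = set(expected_dns)
    findings = []
    for line_no, raw in enumerate(lines, start=1):
        line = raw.strip()
        m = O17_RE.match(line)
        if m:
            unexpected = [s for s in parse_nameservers(m.group("servers"))
                          if s not in expected]
            if unexpected:
                findings.append(Finding(line_no, "O17", unexpected, line))
            continue
        m = O20_RE.match(line)
        if m and "(file missing)" in m.group("dll"):
            findings.append(Finding(line_no, "O20", [m.group("dll")], line))
    return findings


def report(findings):
    """Plain-text summary in the style of a forum reply."""
    if not findings:
        return "No O17 DNS overrides or dangling O20 hooks found."
    out = []
    for f in findings:
        if f.kind == "O17":
            out.append(f"line {f.line_no}: O17 NameServer set to unexpected "
                       f"resolver(s) {', '.join(f.values)} -> review and fix")
        else:
            out.append(f"line {f.line_no}: O20 Winlogon Notify references "
                       f"{f.values[0]} -> orphaned entry, fix checked")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(check_hjt_log(SAMPLE_LOG, EXPECTED_DNS)))
```

Run against the sample, the checker reports the 85.255.x.x O17 entry (both resolvers differ from the expected ones) and the WRNotifier O20 entry, and stays quiet about the control O17 line and the WgaLogon hook whose DLL is present. The point of requiring an explicit expected-resolver list rather than a blocklist is that a NameServer override is suspicious whenever it is not what the owner or ISP set, regardless of which addresses it names.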


  4. 2006/12/02
    higenbs1

    higenbs1 Inactive Thread Starter

    Joined:
    2006/10/09
    Messages:
    16
    Likes Received:
    0
    Thanks for your help

    HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 08:53:57, on 02/12/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    D:\WINDOWS\System32\CTsvcCDA.exe
    D:\WINDOWS\System32\nvsvc32.exe
    D:\WINDOWS\System32\MsPMSPSv.exe
    D:\WINDOWS\Explorer.EXE
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    D:\WINDOWS\system32\RUNDLL32.EXE
    D:\WINDOWS\system32\CTHELPER.EXE
    D:\Program Files\BenQ\QMusic2\QMAgent.exe
    D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    D:\Program Files\iTunes\iTunesHelper.exe
    D:\Program Files\QuickTime\qttask.exe
    D:\WINDOWS\system32\GSICON.EXE
    D:\Program Files\iPod\bin\iPodService.exe
    D:\WINDOWS\system32\dslagent.exe
    D:\Program Files\Common Files\Real\Update_OB\realsched.exe
    D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    D:\WINDOWS\system32\ctfmon.exe
    D:\Program Files\Messenger\msmsgs.exe
    D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    D:\Program Files\WinZip\WZQKPICK.EXE
    D:\Program Files\Nebula\DigiTV\DigiTV.exe
    D:\Program Files\Nebula\DigiTV\DigiTV.exe
    D:\Program Files\Mozilla Firefox\firefox.exe
    C:\HJT\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" D:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
    O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Jet Detection] "D:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe "
    O4 - HKLM\..\Run: [NeroFilterCheck] "D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe "
    O4 - HKLM\..\Run: [QMusic] "D:\Program Files\BenQ\QMusic2\QMAgent.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe "
    O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
    O4 - HKLM\..\Run: [DSLAGENTEXE] "dslagent.exe" USB
    O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: DigiTV.lnk = D:\Program Files\Nebula\DigiTV\DigiTV.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142760996374
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142795221140
    O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
     
  5. 2006/12/02
    higenbs1

    higenbs1 Inactive Thread Starter

    Joined:
    2006/10/09
    Messages:
    16
    Likes Received:
    0
    Silent Runners:

    Silent Runners.vbs ", revision 49, http://www.silentrunners.org/
    Operating System: Windows XP SP2
    Output limited to non-default values, except where indicated by "{++} "


    Startup items buried in registry:
    ---------------------------------

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "CTFMON.EXE" = "D:\WINDOWS\system32\ctfmon.exe" [MS]
    "MSMSGS" = " "D:\Program Files\Messenger\msmsgs.exe" /background" [MS]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "AVG7_CC" = "D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" [ "GRISOFT, s.r.o."]
    "NvCplDaemon" = " "RUNDLL32.EXE" D:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
    "nwiz" = " "nwiz.exe" /install" [ "NVIDIA Corporation"]
    "NvMediaCenter" = " "RUNDLL32.EXE" D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit" [MS]
    "CTHelper" = "CTHELPER.EXE" [ "Creative Technology Ltd"]
    "UpdReg" = "D:\WINDOWS\UpdReg.EXE" [ "Creative Technology Ltd."]
    "Jet Detection" = " "D:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" " [empty string]
    "NeroFilterCheck" = " "D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" " [ "Nero AG"]
    "QMusic" = " "D:\Program Files\BenQ\QMusic2\QMAgent.exe" " [empty string]
    "SunJavaUpdateSched" = " "D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" " [ "Sun Microsystems, Inc."]
    "iTunesHelper" = " "D:\Program Files\iTunes\iTunesHelper.exe" " [ "Apple Computer, Inc."]
    "QuickTime Task" = " "D:\Program Files\QuickTime\qttask.exe" -atboottime" [ "Apple Computer, Inc."]
    "GSICONEXE" = "GSICON.EXE" [ "GlobeSpan, Inc."]
    "DSLAGENTEXE" = " "dslagent.exe" USB" [null data]
    "TkBellExe" = " "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" [ "RealNetworks, Inc."]
    "!AVG Anti-Spyware" = " "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" [ "Anti-Malware Development a.s."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "AcroIEHlprObj Class "
    \InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
    {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "D:\PROGRA~1\SPYBOT~1\SDHelper.dll" [ "Safer Networking Limited"]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "SSVHelper Class "
    \InProcServer32\(Default) = "D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" [ "Sun Microsystems, Inc."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension "
    -> {HKLM...CLSID} = "Display Panning CPL Extension "
    \InProcServer32\(Default) = "deskpan.dll" [file not found]
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext "
    -> {HKLM...CLSID} = "HyperTerminal Icon Ext "
    \InProcServer32\(Default) = "D:\WINDOWS\System32\hticons.dll" [ "Hilgraeve, Inc."]
    "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension "
    -> {HKLM...CLSID} = "AVG7 Shell Extension Class "
    \InProcServer32\(Default) = "D:\Program Files\Grisoft\AVG Free\avgse.dll" [ "GRISOFT, s.r.o."]
    "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension "
    -> {HKLM...CLSID} = "AVG7 Find Extension Class "
    \InProcServer32\(Default) = "D:\Program Files\Grisoft\AVG Free\avgse.dll" [ "GRISOFT, s.r.o."]
    "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player "
    -> {HKLM...CLSID} = "RealOne Player Context Menu Class "
    \InProcServer32\(Default) = "D:\Program Files\Real\RealPlayer\rpshell.dll" [ "RealNetworks, Inc."]
    "{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class "
    -> {HKLM...CLSID} = "DesktopContext Class "
    \InProcServer32\(Default) = "D:\WINDOWS\System32\nvcpl.dll" [ "NVIDIA Corporation"]
    "{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper "
    -> {HKLM...CLSID} = "NVIDIA CPL Extension "
    \InProcServer32\(Default) = "D:\WINDOWS\System32\nvcpl.dll" [ "NVIDIA Corporation"]
    "{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer "
    -> {HKLM...CLSID} = "Desktop Explorer "
    \InProcServer32\(Default) = "D:\WINDOWS\System32\nvshell.dll" [ "NVIDIA Corporation"]
    "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu "
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "D:\WINDOWS\System32\nvshell.dll" [ "NVIDIA Corporation"]
    "{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu "
    -> {HKLM...CLSID} = "nView Desktop Context Menu "
    \InProcServer32\(Default) = "D:\WINDOWS\System32\nvshell.dll" [ "NVIDIA Corporation"]
    "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu "
    -> {HKLM...CLSID} = "Portable Media Devices Menu "
    \InProcServer32\(Default) = "D:\WINDOWS\System32\Audiodev.dll" [MS]
    "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension "
    -> {HKLM...CLSID} = "WinRAR "
    \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
    "{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler "
    -> {HKLM...CLSID} = "NeroDigitalIconHandler Class "
    \InProcServer32\(Default) = "D:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" [ "Nero AG"]
    "{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler "
    -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class "
    \InProcServer32\(Default) = "D:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" [ "Nero AG"]
    "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler "
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "D:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
    "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes "
    -> {HKLM...CLSID} = "iTunes "
    \InProcServer32\(Default) = "D:\Program Files\iTunes\iTunesMiniPlayer.dll" [ "Apple Computer, Inc."]
    "{7C5E74A0-D5E0-11D0-A9BF-E886A83B9BE5}" = "Context Menu Shell Extension "
    -> {HKLM...CLSID} = "Context Menu Shell Extension "
    \InProcServer32\(Default) = "D:\PROGRA~1\TAGREN~1\TRshell.dll" [ "Softpointer Inc"]
    "{A68865DD-EE3C-4442-9BE9-1BAB2576E3FA}" = "NOMAD Explorer "
    -> {HKLM...CLSID} = "NOMAD Explorer "
    \InProcServer32\(Default) = "D:\Program Files\Creative\Creative NOMAD Jukebox Zen Xtra\NOMAD Explorer\CTJBNS.DLL" [ "Creative Technology Ltd"]
    "{A5110426-177D-4e08-AB3F-785F10B4439C}" = "My Phones "
    -> {HKLM...CLSID} = "My Phones "
    \InProcServer32\(Default) = "D:\Program Files\Sony Ericsson\Mobile\File Manager\fmgrgui.dll" [ "Sony Ericsson Mobile Communications AB"]
    "{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip "
    -> {HKLM...CLSID} = "WinZip "
    \InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" [ "WinZip Computing LP"]
    "{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip "
    -> {HKLM...CLSID} = "WinZip "
    \InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" [ "WinZip Computing LP"]
    "{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip "
    -> {HKLM...CLSID} = "WinZip "
    \InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" [ "WinZip Computing LP"]
    "{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip "
    -> {HKLM...CLSID} = "WinZip "
    \InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" [ "WinZip Computing LP"]
    "{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx "
    -> {HKLM...CLSID} = "AlcoholShellEx "
    \InProcServer32\(Default) = "D:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" [ "Alcohol Soft Development Team"]
    "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration "
    -> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration "
    \InProcServer32\(Default) = "D:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" [file not found]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
    <<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5 "
    -> {HKLM...CLSID} = "CShellExecuteHookImpl Object "
    \InProcServer32\(Default) = "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [ "Anti-Malware Development a.s."]

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
    "System" = (value not set)

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    <<!>> WRNotifier\DLLName = "WRLogonNTF.dll" [file not found]

    HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
    {7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler "
    -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class "
    \InProcServer32\(Default) = "D:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" [ "Nero AG"]

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
    AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920} "
    -> {HKLM...CLSID} = "CContextScan Object "
    \InProcServer32\(Default) = "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" [ "Anti-Malware Development a.s."]
    AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} "
    -> {HKLM...CLSID} = "AVG7 Shell Extension Class "
    \InProcServer32\(Default) = "D:\Program Files\Grisoft\AVG Free\avgse.dll" [ "GRISOFT, s.r.o."]
    TagRename_ContextMenu\(Default) = "{7C5E74A0-D5E0-11D0-A9BF-E886A83B9BE5} "
    -> {HKLM...CLSID} = "Context Menu Shell Extension "
    \InProcServer32\(Default) = "D:\PROGRA~1\TAGREN~1\TRshell.dll" [ "Softpointer Inc"]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA} "
    -> {HKLM...CLSID} = "WinRAR "
    \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
    WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000} "
    -> {HKLM...CLSID} = "WinZip "
    \InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" [ "WinZip Computing LP"]

    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
    AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920} "
    -> {HKLM...CLSID} = "CContextScan Object "
    \InProcServer32\(Default) = "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" [ "Anti-Malware Development a.s."]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA} "
    -> {HKLM...CLSID} = "WinRAR "
    \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
    WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000} "
    -> {HKLM...CLSID} = "WinZip "
    \InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" [ "WinZip Computing LP"]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} "
    -> {HKLM...CLSID} = "AVG7 Shell Extension Class "
    \InProcServer32\(Default) = "D:\Program Files\Grisoft\AVG Free\avgse.dll" [ "GRISOFT, s.r.o."]
    SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B} "
    -> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration "
    \InProcServer32\(Default) = "D:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" [file not found]
    TagRename_ContextMenu\(Default) = "{7C5E74A0-D5E0-11D0-A9BF-E886A83B9BE5} "
    -> {HKLM...CLSID} = "Context Menu Shell Extension "
    \InProcServer32\(Default) = "D:\PROGRA~1\TAGREN~1\TRshell.dll" [ "Softpointer Inc"]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA} "
    -> {HKLM...CLSID} = "WinRAR "
    \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
    WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000} "
    -> {HKLM...CLSID} = "WinZip "
    \InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" [ "WinZip Computing LP"]

    HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
    SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B} "
    -> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration "
    \InProcServer32\(Default) = "D:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" [file not found]


    Group Policies {GPedit.msc branch and setting}:
    -----------------------------------------------

    Note: detected settings may not have any effect.

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Shutdown: Allow system to be shut down without having to log on}

    "undockwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Devices: Allow undock without having to log on}


    Active Desktop and Wallpaper:
    -----------------------------

    Active Desktop may be disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


    Enabled Screen Saver:
    ---------------------

    HKCU\Control Panel\Desktop\
    "SCRNSAVE.EXE" = "D:\WINDOWS\System32\logon.scr" [MS]


    Startup items in "Administrator" & "All Users" startup folders:
    ---------------------------------------------------------------

    D:\Documents and Settings\Administrator\Start Menu\Programs\Startup
    "DigiTV" -> shortcut to: "D:\Program Files\Nebula\DigiTV\DigiTV.exe SLEEP" [ "Nebula Electronics Ltd"]

    D:\Documents and Settings\All Users\Start Menu\Programs\Startup
    "InterVideo WinCinema Manager" -> shortcut to: "D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe" [ "InterVideo Inc."]
    "Microsoft Office" -> shortcut to: "D:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
    "WinZip Quick Pick" -> shortcut to: "D:\Program Files\WinZip\WZQKPICK.EXE" [ "WinZip Computing LP"]


    Winsock2 Service Provider DLLs:
    -------------------------------

    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


    Toolbars, Explorer Bars, Extensions:
    ------------------------------------

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\Software\Microsoft\Internet Explorer\Extensions\
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
    "MenuText" = "Sun Java Console"
    "CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
    -> {HKCU...CLSID} = "Java Plug-in"
    \InProcServer32\(Default) = "D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
    -> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
    \InProcServer32\(Default) = "D:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

    {FB5F1910-F110-11D2-BB9E-00C04F795683}\
    "ButtonText" = "Messenger"
    "MenuText" = "Windows Messenger"
    "Exec" = "D:\Program Files\Messenger\msmsgs.exe" [MS]


    Running Services (Display Name, Service Name, Path {Service DLL}):
    ------------------------------------------------------------------

    AVG E-mail Scanner, AVGEMS, "D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
    AVG7 Alert Manager Server, Avg7Alrt, "D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
    AVG7 Update Service, Avg7UpdSvc, "D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
    Creative Service for CDROM Access, Creative Service for CDROM Access, "D:\WINDOWS\System32\CTsvcCDA.exe" ["Creative Technology Ltd"]
    iPodService, iPodService, "D:\Program Files\iPod\bin\iPodService.exe" ["Apple Computer, Inc."]
    NVIDIA Display Driver Service, NVSvc, "D:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
    Windows User Mode Driver Framework, UMWdf, "D:\WINDOWS\System32\wdfmgr.exe" [MS]
    WMDM PMSP Service, WMDM PMSP Service, "D:\WINDOWS\System32\MsPMSPSv.exe" [MS]


    Print Monitors:
    ---------------

    HKLM\System\CurrentControlSet\Control\Print\Monitors\
    EPSON V5 2KMonitor\Driver = "EBPMON2.DLL" ["SEIKO EPSON CORPORATION"]


    ----------
    <<!>>: Suspicious data at a malware launch point.

    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + The search for DESKTOP.INI DLL launch points on all local fixed drives
    took 36 seconds.
    ---------- (total run time: 90 seconds)
     
  6. 2006/12/02, higenbs1 (Inactive, Thread Starter; joined 2006/10/09; 16 messages; 0 likes received)
    Combofix log:

    Administrator - 06-12-02 8:49:36.34 Service Pack 2
    ComboFix 06.11.27W - Running from: "D:\Documents and Settings\Administrator\Desktop"

    ((((((((((((((((((((((((((((((( Files Created from 2006-11-02 to 2006-12-02 ))))))))))))))))))))))))))))))))))


    2006-12-02 00:53 <DIR> d-------- D:\fixwareout
    2006-12-02 00:45 51,277 --a------ D:\WINDOWS\system32\csafc.exe
    2006-11-18 08:14 3,968 --a------ D:\WINDOWS\system32\drivers\avgclean.sys
    2006-11-18 08:14 18,240 --a------ D:\WINDOWS\system32\drivers\avgmfx86.sys
    2006-11-17 03:01 <DIR> d-------- D:\Program Files\MSXML 4.0
    2006-11-11 22:53 <DIR> d-------- D:\Program Files\Common Files\xing shared
    2006-11-04 14:14 1,245,696 --a------ D:\WINDOWS\system32\msxml4.dll


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-12-02 08:48 -------- d-------- D:\Program Files\Mozilla Firefox
    2006-12-02 01:17 -------- d-------- D:\Documents and Settings\Administrator\Application Data\AVG7
    2006-11-30 18:34 -------- d-------- D:\Program Files\eMule
    2006-11-18 08:14 816672 --a------ D:\WINDOWS\system32\drivers\avg7core.sys
    2006-11-18 08:14 4960 --a------ D:\WINDOWS\system32\drivers\avgtdi.sys
    2006-11-18 08:14 4224 --a------ D:\WINDOWS\system32\drivers\avg7rsw.sys
    2006-11-18 08:14 28416 --a------ D:\WINDOWS\system32\drivers\avg7rsxp.sys
    2006-11-17 03:00 -------- d-------- D:\Program Files\Internet Explorer
    2006-11-11 22:53 -------- d-------- D:\Program Files\Common Files\Real
    2006-11-11 22:53 -------- d-------- D:\Program Files\Common Files
    2006-10-13 12:35 65536 --a------ D:\WINDOWS\system32\nwwks.dll
    2006-10-13 12:35 64000 --a------ D:\WINDOWS\system32\nwapi32.dll
    2006-10-13 12:35 142336 --a------ D:\WINDOWS\system32\nwprovau.dll
    2006-10-13 10:23 163584 --a------ D:\WINDOWS\system32\drivers\nwrdr.sys
    2006-10-09 20:28 -------- d-------- D:\Program Files\Grisoft
    2006-10-09 20:17 -------- d-------- D:\Program Files\Lavasoft
    2006-10-09 20:17 -------- d-------- D:\Documents and Settings\Administrator\Application Data\Lavasoft
    2006-10-06 18:29 -------- d-------- D:\Program Files\ImTOO
    2006-10-06 17:47 18312 --a------ D:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
    2006-09-13 05:01 1084416 --a------ D:\WINDOWS\system32\msxml3.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="D:\\WINDOWS\\system32\\ctfmon.exe"
    "MSMSGS"="\"D:\\Program Files\\Messenger\\msmsgs.exe\" /background"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "AVG7_CC"="D:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
    "NvCplDaemon"="\"RUNDLL32.EXE\" D:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
    "nwiz"="\"nwiz.exe\" /install"
    "NvMediaCenter"="\"RUNDLL32.EXE\" D:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
    "CTHelper"="CTHELPER.EXE"
    "UpdReg"="D:\\WINDOWS\\UpdReg.EXE"
    "Jet Detection"="\"D:\\Program Files\\Creative\\SBLive\\PROGRAM\\ADGJDet.exe\""
    "NeroFilterCheck"="\"D:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe\""
    "QMusic"="\"D:\\Program Files\\BenQ\\QMusic2\\QMAgent.exe\""
    "SunJavaUpdateSched"="\"D:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe\""
    "iTunesHelper"="\"D:\\Program Files\\iTunes\\iTunesHelper.exe\""
    "QuickTime Task"="\"D:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "GSICONEXE"="GSICON.EXE"
    "DSLAGENTEXE"="\"dslagent.exe\" USB"
    "TkBellExe"="\"D:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "!AVG Anti-Spyware"="\"D:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000001

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e4,03,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:04,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,23,00,00,00,7c,00,00,00,72,00,\
    00,00,01,00,00,00

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="D:\\WINDOWS\\System32\\CTFMON.EXE"
    "AVG7_Run"="D:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="D:\\WINDOWS\\System32\\CTFMON.EXE"
    "AVG7_Run"="D:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
    "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

    Completion time: 06-12-02 8:50:20.82
    D:\ComboFix.txt ... 06-12-02 08:50
    D:\ComboFix2.txt ... 06-12-02 01:06
    D:\ComboFix3.txt ... 06-10-12 17:52
     
  7. 2006/12/02, TeMerc (Inactive, Alumni; joined 2006/05/13; 3,226 messages; 4 likes received)
    Ok, all logs look clear. Are you experiencing any more problems?

    Also, did you get any results from the FixWareout tool? Let me know.
     
  8. 2006/12/02, higenbs1 (Inactive, Thread Starter; joined 2006/10/09; 16 messages; 0 likes received)
    Bizarrely enough, I'm not experiencing any more problems. How did you know?
     
  9. 2006/12/02, TeMerc (Inactive, Alumni; joined 2006/05/13; 3,226 messages; 4 likes received)
    Well, actually, now that I look again, I see one file, likely related to Wareout.

    Download the Killbox from here and save it to the desktop.
    • Double-click the KillBox icon on your desktop to open it.
    • Select "Delete on Reboot".
    • Then select "All files".
    Copy the file names below to the clipboard by highlighting them and pressing Control-C:
    D:\WINDOWS\system32\csafc.exe

    Return to Killbox.
    • Go to the File menu and choose "Paste from Clipboard".
    • Click the red-and-white "Delete File" button.
    • Click "Yes" at the Delete on Reboot prompt. Click "No" at the 'Pending Operations' prompt.

    Reboot, run ComboFix again and please post the log.

    Btw, you still have not answered whether the FixWareout tool found anything??
     
  10. 2006/12/03, higenbs1 (Inactive, Thread Starter; joined 2006/10/09; 16 messages; 0 likes received)
    Thanks

    Administrator - 06-12-03 11:43:31.65 Service Pack 2
    ComboFix 06.11.27W - Running from: "D:\Documents and Settings\Administrator\Desktop"

    ((((((((((((((((((((((((((((((( Files Created from 2006-11-03 to 2006-12-03 ))))))))))))))))))))))))))))))))))


    2006-12-02 00:53 <DIR> d-------- D:\fixwareout
    2006-11-18 08:14 3,968 --a------ D:\WINDOWS\system32\drivers\avgclean.sys
    2006-11-18 08:14 18,240 --a------ D:\WINDOWS\system32\drivers\avgmfx86.sys
    2006-11-17 03:01 <DIR> d-------- D:\Program Files\MSXML 4.0
    2006-11-11 22:53 <DIR> d-------- D:\Program Files\Common Files\xing shared
    2006-11-04 14:14 1,245,696 --a------ D:\WINDOWS\system32\msxml4.dll


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-12-03 11:42 -------- d-------- D:\Program Files\Mozilla Firefox
    2006-12-02 09:01 -------- d-------- D:\Program Files\eMule
    2006-12-02 01:17 -------- d-------- D:\Documents and Settings\Administrator\Application Data\AVG7
    2006-11-18 08:14 816672 --a------ D:\WINDOWS\system32\drivers\avg7core.sys
    2006-11-18 08:14 4960 --a------ D:\WINDOWS\system32\drivers\avgtdi.sys
    2006-11-18 08:14 4224 --a------ D:\WINDOWS\system32\drivers\avg7rsw.sys
    2006-11-18 08:14 28416 --a------ D:\WINDOWS\system32\drivers\avg7rsxp.sys
    2006-11-17 03:00 -------- d-------- D:\Program Files\Internet Explorer
    2006-11-11 22:53 -------- d-------- D:\Program Files\Common Files\Real
    2006-11-11 22:53 -------- d-------- D:\Program Files\Common Files
    2006-10-13 12:35 65536 --a------ D:\WINDOWS\system32\nwwks.dll
    2006-10-13 12:35 64000 --a------ D:\WINDOWS\system32\nwapi32.dll
    2006-10-13 12:35 142336 --a------ D:\WINDOWS\system32\nwprovau.dll
    2006-10-13 10:23 163584 --a------ D:\WINDOWS\system32\drivers\nwrdr.sys
    2006-10-09 20:28 -------- d-------- D:\Program Files\Grisoft
    2006-10-09 20:17 -------- d-------- D:\Program Files\Lavasoft
    2006-10-09 20:17 -------- d-------- D:\Documents and Settings\Administrator\Application Data\Lavasoft
    2006-10-06 18:29 -------- d-------- D:\Program Files\ImTOO
    2006-10-06 17:47 18312 --a------ D:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
    2006-09-13 05:01 1084416 --a------ D:\WINDOWS\system32\msxml3.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="D:\\WINDOWS\\system32\\ctfmon.exe"
    "MSMSGS"="\"D:\\Program Files\\Messenger\\msmsgs.exe\" /background"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "AVG7_CC"="D:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
    "NvCplDaemon"="\"RUNDLL32.EXE\" D:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
    "nwiz"="\"nwiz.exe\" /install"
    "NvMediaCenter"="\"RUNDLL32.EXE\" D:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
    "CTHelper"="CTHELPER.EXE"
    "UpdReg"="D:\\WINDOWS\\UpdReg.EXE"
    "Jet Detection"="\"D:\\Program Files\\Creative\\SBLive\\PROGRAM\\ADGJDet.exe\""
    "NeroFilterCheck"="\"D:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe\""
    "QMusic"="\"D:\\Program Files\\BenQ\\QMusic2\\QMAgent.exe\""
    "SunJavaUpdateSched"="\"D:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe\""
    "iTunesHelper"="\"D:\\Program Files\\iTunes\\iTunesHelper.exe\""
    "QuickTime Task"="\"D:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "GSICONEXE"="GSICON.EXE"
    "DSLAGENTEXE"="\"dslagent.exe\" USB"
    "TkBellExe"="\"D:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "!AVG Anti-Spyware"="\"D:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000001

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e4,03,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:04,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,23,00,00,00,7c,00,00,00,72,00,\
    00,00,01,00,00,00

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="D:\\WINDOWS\\System32\\CTFMON.EXE"
    "AVG7_Run"="D:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="D:\\WINDOWS\\System32\\CTFMON.EXE"
    "AVG7_Run"="D:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
    "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

    Completion time: 06-12-03 11:44:19.64
    D:\ComboFix.txt ... 06-12-03 11:44
    D:\ComboFix2.txt ... 06-12-02 08:50
    D:\ComboFix3.txt ... 06-12-02 01:06


    FixWareout didn't seem to find anything.
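The two things the helper did in the posts above, spotting one freshly created executable in the ComboFix "Files Created" section and then confirming in the follow-up log that the Killbox "Delete on Reboot" actually removed it, can be automated for repeat triage. The script below is an added example; it is not code from this thread, from ComboFix or from Killbox. It parses the per-file lines ComboFix prints, flags executables created under the Windows directory tree shortly before the scan, and diffs two runs. The 48-hour window and the focus on the `\WINDOWS\` tree are this example's own heuristics, not ComboFix settings; the sample rows are copied from the two logs posted above, with the scan times taken from their headers.

```python
"""Triage helper for the ComboFix "Files Created" section.

Added example, not code from the thread, from ComboFix or from Killbox.
The 48-hour window and the focus on the \\WINDOWS\\ tree are heuristics
chosen for this example, not ComboFix settings.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# One ComboFix file row, e.g.
#   2006-12-02 00:45 51,277 --a------ D:\WINDOWS\system32\csafc.exe
#   2006-12-02 00:53 <DIR> d-------- D:\fixwareout
#   2006-12-02 08:48 -------- d-------- D:\Program Files\Mozilla Firefox  (Find3M row)
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+|-+) (?P<attrs>[d-][\w-]{8}) (?P<path>[A-Za-z]:\\.+)$"
)
EXEC_EXTS = (".exe", ".dll", ".sys", ".scr", ".com", ".pif")


@dataclass(frozen=True)
class Entry:
    created: datetime
    size: Optional[int]   # None for directories and Find3M rows without a size
    is_dir: bool
    path: str


def parse_files_created(text: str) -> List[Entry]:
    """Parse every recognisable file row; headers and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        created = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M")
        is_dir = m["size"] == "<DIR>" or m["attrs"].startswith("d")
        size = None
        if not is_dir and not m["size"].startswith("-"):
            size = int(m["size"].replace(",", ""))
        entries.append(Entry(created, size, is_dir, m["path"]))
    return entries


def recent_system_executables(entries, scan_time, window=timedelta(hours=48)):
    """Executables under \\WINDOWS\\ created within `window` before the scan.

    A freshly created executable with an unfamiliar name under system32 is the
    first thing to review after a redirect complaint; the older AVG drivers and
    the MSXML update fall outside the window and are not listed.
    """
    hits = [
        e for e in entries
        if not e.is_dir
        and e.path.lower().endswith(EXEC_EXTS)
        and "\\windows\\" in e.path.lower()
        and timedelta(0) <= scan_time - e.created <= window
    ]
    return sorted(hits, key=lambda e: e.created, reverse=True)


def removed_between(before, after):
    """Paths present in the earlier log but absent from the later one."""
    return sorted({e.path for e in before} - {e.path for e in after})


# Constructed sample input: the "Files Created" rows from the two ComboFix
# logs posted above (first run 2006-12-02 08:49, second run 2006-12-03 11:43).
FIRST_LOG = r"""
2006-12-02 00:53 <DIR> d-------- D:\fixwareout
2006-12-02 00:45 51,277 --a------ D:\WINDOWS\system32\csafc.exe
2006-11-18 08:14 3,968 --a------ D:\WINDOWS\system32\drivers\avgclean.sys
2006-11-18 08:14 18,240 --a------ D:\WINDOWS\system32\drivers\avgmfx86.sys
2006-11-17 03:01 <DIR> d-------- D:\Program Files\MSXML 4.0
2006-11-11 22:53 <DIR> d-------- D:\Program Files\Common Files\xing shared
2006-11-04 14:14 1,245,696 --a------ D:\WINDOWS\system32\msxml4.dll
"""
SECOND_LOG = r"""
2006-12-02 00:53 <DIR> d-------- D:\fixwareout
2006-11-18 08:14 3,968 --a------ D:\WINDOWS\system32\drivers\avgclean.sys
2006-11-18 08:14 18,240 --a------ D:\WINDOWS\system32\drivers\avgmfx86.sys
2006-11-17 03:01 <DIR> d-------- D:\Program Files\MSXML 4.0
2006-11-11 22:53 <DIR> d-------- D:\Program Files\Common Files\xing shared
2006-11-04 14:14 1,245,696 --a------ D:\WINDOWS\system32\msxml4.dll
"""
FIRST_SCAN = datetime(2006, 12, 2, 8, 49)
SECOND_SCAN = datetime(2006, 12, 3, 11, 43)


def triage():
    """Run both checks over the sample logs; returns (flagged_paths, removed_paths)."""
    first = parse_files_created(FIRST_LOG)
    second = parse_files_created(SECOND_LOG)
    flagged = [e.path for e in recent_system_executables(first, FIRST_SCAN)]
    removed = removed_between(first, second)
    return flagged, removed


if __name__ == "__main__":
    flagged, removed = triage()
    print("review first:", flagged)       # ['D:\\WINDOWS\\system32\\csafc.exe']
    print("gone after reboot:", removed)  # ['D:\\WINDOWS\\system32\\csafc.exe']
```

The window is deliberately short: on a machine where the complaint is "redirects started last night", anything executable that landed under `\WINDOWS\` within the last two days is worth a look before anything else, while the diff step is the cheap way to prove a delete-on-reboot took effect instead of trusting the tool's own status.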
     
  11. 2006/12/03, TeMerc (Inactive, Alumni; joined 2006/05/13; 3,226 messages; 4 likes received)
    OK, everything looks good now.

    I would suggest, however, that you uninstall eMule; there's nothing but trouble waiting for you there. It's not so much a question of if you'll get a badly infected download, but when. Kind of like playing Russian roulette. :p


    We have 3 more things to do, mostly maintenance, and then our recommendations:

    Empty the TIF (Temporary Internet Files).
    Delete all the files in (and any subfolders of) the C:\Windows\Temp folder.
    The app below will help with temp files.
    Index.dat Suite

    Also, delete all your cookies and empty your recycle bin. But remember, by deleting your cookies you will have to re-enter your passwords and log-in info for any sites that usually require them.

    This would also be a good time to set a new system restore point for your machine.
    Set New System Restore Point. Do not do this unless there are no other user accounts to be diagnosed.

    Also, as you are an XP user, if there are any other accounts on this machine, they too must be cleaned with AdAware, Spybot S&D, then HJT. Not all infections are global, nor are all the HJT fixes global. You can post each user account here in this thread, but please do only one at a time to avoid confusion.

    Here is a link which describes how security apps work with WIN XP machines.
    XP User Accts Security Apps Operation

    To further prevent the installation of ad/mal/spyware, DL the apps below, which are just as good in the fight against ad/mal/spyware as AdAware & Spybot S&D:

    SpywareBlaster
    With SpywareBlaster v3.5.1, just DL, install and check for updates, enable Internet Explorer protection, and you're done! I don't recommend using IE restricted sites protection as it's not a very large database. Use IE-SPYAD below.

    To avoid known malware-infested sites from loading in IE, install IE-SPYAD.
    And the MVPS Hosts File will accomplish a similar tactic and provide another layer of protection.

    And to prevent unknown applications from being inserted into startup on your machine, install WinPatrol v10.0.5.

    Another thing I would suggest is to install SiteAdvisor. It gives sites a few different 'ratings' and, while not foolproof, is a good additional layer of information about many sites.

    Links to tutorials for all the apps I mentioned can be found on my site as well.

    Confused about which apps are good or not? Read about Rogue/Approved Anti Security apps

    And just because you have security apps installed, they are useless unless updated regularly. Keep track of updates for ALL your security needs here:
    Calendar of Updates

    Subscribe to update alerts for all the above security apps here.

    You can also see my own ongoing security testing with all the above apps, proving how securely you can surf with them installed.
    TeMerc Test Box Forum

    Happy surfing!!
    Tom :D
     
