
Please Help - Search Engine (google) forcing unwanted redirections

Discussion in 'Malware and Virus Removal Archive' started by dolbus, 2006/11/24.

  1. 2006/11/24
    dolbus

    dolbus Inactive Thread Starter

    Joined:
    2006/11/24
    Messages:
    15
    Likes Received:
    0
    I am wondering if someone is able to help me...
    I have found that some sort of spyware has infiltrated my computer and now has caused my search engines to redirect search results, specifically in Google when in IE 7.0 (the same problem does NOT occur (yet) when I use Google with Mozilla Firefox). There does not seem to be one specific redirection, but a host of them, including sending my search result links instead to: Toseeka, BTcars, Up-search, webfinder360, etc.

    I have run all spyware hunters that I have, (Spyhunter, SpySweeper, AVG AntiSpyware, Windows Defender), and I have run ccleaner, and still no solution. I recently was able to remove an incursion by VirusBursters and it has not popped back up, but I am wondering if this little trick is a holdover effect.

    At this point, I cannot even determine what virus / spyware / adware / bot is in there because nothing is being identified in the sweeps.

    I am posting my HijackThis log and hope that someone may have an idea...
    -Dave

    HIJACK LOG:
    Logfile of HijackThis v1.99.1
    Scan saved at 11:21:15 AM, on 11/23/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Windows Media Player\WMPNetwk.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Enigma Software Group\EnigmaFireWall\EnigmaFirewall.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\WINDOWS\DvzCommon\DvzMsgr.exe
    C:\Program Files\eFax Messenger Plus\HotTray.exe
    C:\Program Files\Palm\HOTSYNC.EXE
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Iomega\Iomega Backup\dtsc.exe
    C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.east.cox.net/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
    R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll
    O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [GC75-Manager-Class] "C:\Program Files\Sony Ericsson\Wireless Manager\GC75Manager.exe" -startup
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [Enigma Firewall] C:\Program Files\Enigma Software Group\EnigmaFireWall\EnigmaFirewall.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [ABBYY Community Agent] C:\Program Files\ABBYY FineReader 5.0 Pro\CAgent.exe
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe "
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
    O4 - HKLM\..\Run: [XFILTER] C:\Program Files\Enigma Software Group\EnigmaFireWall\ESPfSdk.dll
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
    O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
    O4 - Global Startup: eFax Tray Menu.lnk = C:\Program Files\eFax Messenger Plus\HotTray.exe
    O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Iomega Backup Scheduler.lnk = C:\Program Files\Iomega\Iomega Backup\dtsc.exe
    O4 - Global Startup: Live Menu.lnk = C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\espfspi.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\espfspi.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\espfspi.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\espfspi.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\espfspi.dll
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/p.../PCPitStop.CAB
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175...at-no-eula.cab
    O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
    O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1143601053068
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1146100812312
    O17 - HKLM\System\CCS\Services\Tcpip\..\{271518F8-11BC-49BE-986D-72A2FDC098F4}: NameServer = 85.255.114.90,85.255.112.92
    O17 - HKLM\System\CCS\Services\Tcpip\..\{360BDA84-314C-41B6-A35F-07622FA4BD8F}: NameServer = 85.255.114.90,85.255.112.92
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3FC23BB9-239F-4063-95C0-F1F197527156}: NameServer = 85.255.114.90,85.255.112.92
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5E8D5642-70AB-49B3-A0EE-B97801D0C8E6}: NameServer = 85.255.114.90,85.255.112.92
    O17 - HKLM\System\CCS\Services\Tcpip\..\{88A5018E-23F3-498C-B8CB-19EB8A3F8B54}: NameServer = 85.255.114.90,85.255.112.92
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A4A4CD76-2126-49DB-8671-C7EFE0BD1178}: NameServer = 85.255.114.90,85.255.112.92
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F99EAF2B-0B36-4712-B895-89845EDB5DBD}: NameServer = 85.255.114.90,85.255.112.92
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.90 85.255.112.92
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.90 85.255.112.92
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.90 85.255.112.92
    O18 - Protocol: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\puresp.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: Pure Networks Net2Go Service (nmraapache) - Unknown owner - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe" -k runservice (file missing)
    O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
     
  2. 2006/11/24
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Hello and welcome to WindowsBBS Forums.

    A lot of those SmithFraud\Zlob infections, such as VirusBurster, come with extras that a lot of regular scanners may miss.

    The O17 entries point to a possible lurking file.

    Let's get an anti-spyware scan, an online scan and a file search tool working to see what is found.


    Download AVG Anti-Spyware 7.5 (formerly Ewido Anti-Spyware) from HERE and save that file to your desktop.
    This is a 30 day trial of the program.
    • Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
    • Once the setup is complete you will need to run ewido and update the definition files.
    • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button; the update will start and a progress bar will show the updates being installed.
    • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
    • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
    Close ewido anti-spyware. Do Not run a scan just yet; we will shortly.

    Reboot into safe mode this way:
    • Turn on the computer
    • Immediately begin tapping the <F8> key.
    • Use the arrow keys to highlight Safe Mode and press the <Enter> key.
    IMPORTANT: Do not open any other windows or programs while ewido is scanning; it may interfere with the scanning process.

    Launch ewido-anti-spyware by double-clicking the icon on your desktop.
    • Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
    • ewido will now begin the scanning process; be patient, this may take a little time.
      Once the scan is complete do the following:
    • If you have any infections you will be prompted; then select "Apply all actions"
    • Next select the "Reports" icon at the top.
    • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
    • Close ewido and reboot your system back into Normal Mode and post the results of the ewido report scan. (Please edit out any cookie, Recycler and System Volume Information Folder references from the log.)


    Go to this page, Panda ActiveScan
    • Click the 'Scan your PC' button. ( You may have to disable any pop up blockers)
    • Then press the green 'Check Now' button.
    • Enter your country and state along with a valid email address.
    • Allow the ActiveX install, it may be a few minutes for all components. (For XP SP 2 watch for the yellow bar at the top of IE)
    • Once installation is complete you will need to select a device to scan. Please select 'My Computer' and the scan will begin.
    • Once the scan is done, click the 'See report' button, then the 'save report' button. Be sure to save the log file created in a place easy for you to find.

    Please download SilentRunners from here

    Unzip it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, a message will pop up and a logfile will have been created on the desktop.

    Please post the entire contents of this logfile created back into this thread for me to see.
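The O17 lines TeMerc singles out are the DNS-server settings HijackThis reads out of the registry; a resolver planted there redirects lookups no matter how many scanners are run against files. As an added example (not from the thread, and not part of HijackThis), this Python script parses O17 NameServer lines and flags every resolver outside the networks an administrator expects. The 85.255.x.x lines are copied from the log above; the allow-list, the 192.168.1.1 line and its GUID are constructed.

```python
import re
from ipaddress import ip_address, ip_network

# HijackThis reports DNS servers configured in the registry as O17 lines:
# "Parameters" is the machine-wide setting, the {GUID} keys are per-interface,
# and CCS/CS1/CS2 are CurrentControlSet and the backup ControlSet001/002.
O17_RE = re.compile(r"^O17 - (?P<key>\S.*?): NameServer = (?P<servers>.+?)\s*$")

# Sample log: the first four O17 lines are copied from the HijackThis log posted
# above; the 192.168.1.1 line (with a placeholder GUID) and the O4 line are
# constructed for contrast.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{271518F8-11BC-49BE-986D-72A2FDC098F4}: NameServer = 85.255.114.90,85.255.112.92
O17 - HKLM\System\CCS\Services\Tcpip\..\{360BDA84-314C-41B6-A35F-07622FA4BD8F}: NameServer = 85.255.114.90,85.255.112.92
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.90 85.255.112.92
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.90 85.255.112.92
O17 - HKLM\System\CCS\Services\Tcpip\..\{CONSTRUCTED-GUID}: NameServer = 192.168.1.1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Networks the administrator expects resolvers to live in (constructed: a home
# LAN whose router hands out DNS, plus the other RFC 1918 ranges).
ALLOWED_NETWORKS = ["192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12"]


def parse_o17(log_text):
    """Return [(registry_key, [server, ...]), ...] for every O17 line in the log.

    HijackThis prints per-interface keys comma-separated and the global
    Parameters key space-separated, so both separators are accepted.
    """
    entries = []
    for line in log_text.splitlines():
        match = O17_RE.match(line.strip())
        if not match:
            continue
        servers = [s for s in re.split(r"[,\s]+", match.group("servers")) if s]
        entries.append((match.group("key"), servers))
    return entries


def find_rogue_dns(log_text, allowed_networks):
    """Return (registry_key, server, reason) for each resolver outside the allow-list."""
    allowed = [ip_network(n) for n in allowed_networks]
    findings = []
    for key, servers in parse_o17(log_text):
        for server in servers:
            try:
                addr = ip_address(server)
            except ValueError:
                findings.append((key, server, "not an IP address"))
                continue
            if not any(addr in net for net in allowed):
                findings.append((key, server, "outside allowed networks"))
    return findings


def summarize(findings):
    """Map each foreign resolver to the number of registry locations that use it.

    The same pair under every interface GUID and every control set is the
    pattern of a machine-wide DNS change rather than one misconfigured NIC.
    """
    locations = {}
    for key, server, _reason in findings:
        locations.setdefault(server, set()).add(key)
    return {server: len(keys) for server, keys in locations.items()}


if __name__ == "__main__":
    hits = find_rogue_dns(SAMPLE_LOG, ALLOWED_NETWORKS)
    for key, server, reason in hits:
        print(f"{server:16} {reason:26} {key}")
    for server, count in summarize(hits).items():
        print(f"{server} is set in {count} registry location(s)")
```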
     


  4. 2006/11/25
    dolbus

    dolbus Inactive Thread Starter

    Joined:
    2006/11/24
    Messages:
    15
    Likes Received:
    0
    TeMerc,

    I have done what you said to do. I am posting each log in a separate posting. AVG:

    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 8:19:23 AM 11/25/2006

    + Scan result:



    [200] VM_00D70000 -> Downloader.Zlob.aty : Cleaned with backup (quarantined).
    [224] VM_00C20000 -> Downloader.Zlob.aty : Cleaned with backup (quarantined).
    [916] VM_00B40000 -> Downloader.Zlob.aty : Cleaned with backup (quarantined).
    C:\Program Files\Enigma Software Group\SpyHunter\Backup\owner@2o7[1].txt.dat/Documents and Settings/Owner/Cookies/owner@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Program Files\Enigma Software Group\SpyHunter\Backup\owner@ads.addynamix[2].txt.dat/Documents and Settings/Owner/Cookies/owner@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned.
    C:\Program Files\Enigma Software Group\SpyHunter\Backup\owner@adrevolver[1].txt.dat/Documents and Settings/Owner/Cookies/owner@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned.
    C:\Program Files\Enigma Software Group\SpyHunter\Backup\owner@advertising[1].txt.dat/Documents and Settings/Owner/Cookies/owner@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
    C:\Program Files\Enigma Software Group\SpyHunter\Backup\owner@servedby.advertising[2].txt.dat/Documents and Settings/Owner/Cookies/owner@servedby.advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
    C:\Program Files\Enigma Software Group\SpyHunter\Backup\owner@atdmt[2].txt.dat/Documents and Settings/Owner/Cookies/owner@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
    C:\Program Files\Enigma Software Group\SpyHunter\Backup\owner@burstnet[2].txt.dat/Documents and Settings/Owner/Cookies/owner@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
    C:\Program Files\Enigma Software Group\SpyHunter\Backup\owner@www.burstnet[1].txt.dat/Documents and Settings/Owner/Cookies/owner@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
    C:\Program Files\Enigma Software Group\SpyHunter\Backup\owner@casalemedia[2].txt.dat/Documents and Settings/Owner/Cookies/owner@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned.
    C:\Program Files\Enigma Software Group\SpyHunter\Backup\owner@doubleclick[1].txt.dat/Documents and Settings/Owner/Cookies/owner@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
    C:\Program Files\Enigma Software Group\SpyHunter\Backup\owner@fastclick[2].txt.dat/Documents and Settings/Owner/Cookies/owner@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
    C:\Program Files\Enigma Software Group\SpyHunter\Backup\owner@media.fastclick[1].txt.dat/Documents and Settings/Owner/Cookies/owner@media.fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
    C:\Program Files\Enigma Software Group\SpyHunter\Backup\owner@findwhat[1].txt.dat/Documents and Settings/Owner/Cookies/owner@findwhat[1].txt -> TrackingCookie.Findwhat : Cleaned.
    C:\Program Files\Enigma Software Group\SpyHunter\Backup\owner@mediaplex[1].txt.dat/Documents and Settings/Owner/Cookies/owner@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
    C:\Program Files\Enigma Software Group\SpyHunter\Backup\owner@paycounter[2].txt.dat/Documents and Settings/Owner/Cookies/owner@paycounter[2].txt -> TrackingCookie.Paycounter : Cleaned.
    C:\Program Files\Enigma Software Group\SpyHunter\Backup\owner@questionmarket[1].txt.dat/Documents and Settings/Owner/Cookies/owner@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
    C:\Program Files\Enigma Software Group\SpyHunter\Backup\owner@questionmarket[2].txt.dat/Documents and Settings/Owner/Cookies/owner@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
    C:\Program Files\Enigma Software Group\SpyHunter\Backup\owner@revenue[2].txt.dat/Documents and Settings/Owner/Cookies/owner@revenue[2].txt -> TrackingCookie.Revenue : Cleaned.
    C:\Program Files\Enigma Software Group\SpyHunter\Backup\owner@edge.ru4[1].txt.dat/Documents and Settings/Owner/Cookies/owner@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned.
    C:\Program Files\Enigma Software Group\SpyHunter\Backup\owner@sexlist[2].txt.dat/Documents and Settings/Owner/Cookies/owner@sexlist[2].txt -> TrackingCookie.Sexlist : Cleaned.
    C:\Program Files\Enigma Software Group\SpyHunter\Backup\owner@counter4.sextracker[2].txt.dat/Documents and Settings/Owner/Cookies/owner@counter4.sextracker[2].txt -> TrackingCookie.Sextracker : Cleaned.
    C:\Program Files\Enigma Software Group\SpyHunter\Backup\owner@counter7.sextracker[2].txt.dat/Documents and Settings/Owner/Cookies/owner@counter7.sextracker[2].txt -> TrackingCookie.Sextracker : Cleaned.
    C:\Program Files\Enigma Software Group\SpyHunter\Backup\owner@sextracker[1].txt.dat/Documents and Settings/Owner/Cookies/owner@sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.
    C:\Program Files\Enigma Software Group\SpyHunter\Backup\owner@trafficmp[2].txt.dat/Documents and Settings/Owner/Cookies/owner@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned.
    C:\Program Files\Enigma Software Group\SpyHunter\Backup\owner@tribalfusion[2].txt.dat/Documents and Settings/Owner/Cookies/owner@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
    C:\Program Files\Enigma Software Group\SpyHunter\Backup\owner@xxxcounter[1].txt.dat/Documents and Settings/Owner/Cookies/owner@xxxcounter[1].txt -> TrackingCookie.Xxxcounter : Cleaned.
    C:\Program Files\Enigma Software Group\SpyHunter\Backup\owner@ad.yieldmanager[1].txt.dat/Documents and Settings/Owner/Cookies/owner@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.


    ::Report end

    Panda Scan is next
     
  5. 2006/11/25
    dolbus

    dolbus Inactive Thread Starter

    Joined:
    2006/11/24
    Messages:
    15
    Likes Received:
    0
    TeMerc,

    Here are the Panda Scan and Silent Runners logs.

    Panda Scan


    Incident Status Location

    Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Owner\Cookies\owner@2o7[2].txt
    Spyware:Cookie/Adrevolver Not disinfected C:\Program Files\Enigma Software Group\SpyHunter\Backup\owner@media.adrevolver[1].txt.dat[Documents and Settings/Owner/Cookies/owner@media.adrevolver[1].txt]
    Spyware:Cookie/RealMedia Not disinfected C:\Program Files\Enigma Software Group\SpyHunter\Backup\owner@realmedia[1].txt.dat[Documents and Settings/Owner/Cookies/owner@realmedia[1].txt]
    Spyware:Cookie/RealMedia Not disinfected C:\Program Files\Enigma Software Group\SpyHunter\Backup\owner@realmedia[2].txt.dat[Documents and Settings/Owner/Cookies/owner@realmedia[2].txt]
    Spyware:Cookie/Searchportal Not disinfected C:\Program Files\Enigma Software Group\SpyHunter\Backup\owner@searchportal.information[1].txt.dat[Documents and Settings/Owner/Cookies/owner@searchportal.information[1].txt]
    Spyware:Cookie/did-it Not disinfected C:\RECYCLER\NPROTECT\00001632.MOZ[.did-it.com/]
    Spyware:Cookie/did-it Not disinfected C:\RECYCLER\NPROTECT\00001642.MOZ[.did-it.com/]
    Spyware:Cookie/did-it Not disinfected C:\RECYCLER\NPROTECT\00001645.MOZ[.did-it.com/]
    Spyware:Cookie/did-it Not disinfected C:\RECYCLER\NPROTECT\00001651.MOZ[.did-it.com/]
    Spyware:Cookie/adultfriendfinder Not disinfected C:\RECYCLER\NPROTECT\00052903.MOZ[.adultfriendfinder.com/]
    Spyware:Cookie/adultfriendfinder Not disinfected C:\RECYCLER\NPROTECT\00052906.MOZ[.adultfriendfinder.com/]
    Spyware:Cookie/adultfriendfinder Not disinfected C:\RECYCLER\NPROTECT\00052908.MOZ[.adultfriendfinder.com/]
    Spyware:Cookie/adultfriendfinder Not disinfected C:\RECYCLER\NPROTECT\00052956.MOZ[.adultfriendfinder.com/]
    Spyware:Cookie/adultfriendfinder Not disinfected C:\RECYCLER\NPROTECT\00052977.MOZ[.adultfriendfinder.com/]
    and Silent Runners

    "Silent Runners.vbs ", revision 49, http://www.silentrunners.org/
    Operating System: Windows XP SP2
    Output limited to non-default values, except where indicated by "{++} "


    Startup items buried in registry:
    ---------------------------------

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "MSMSGS" = " "C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
    "Norton SystemWorks" = " "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz" [ "Symantec Corporation"]
    "spc_w" = " "C:\Program Files\NZSearch\nzspc.exe" -w" [ "United Online, Inc."]
    "ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
    "WMPNSCFG" = "C:\Program Files\Windows Media Player\WMPNSCFG.exe" [MS]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" [ "Ahead Software Gmbh"]
    "SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [ "Synaptics, Inc."]
    "SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [ "Synaptics, Inc."]
    "IgfxTray" = "C:\WINDOWS\system32\igfxtray.exe" [ "Intel Corporation"]
    "HotKeysCmds" = "C:\WINDOWS\system32\hkcmd.exe" [ "Intel Corporation"]
    "Persistence" = "C:\WINDOWS\system32\igfxpers.exe" [ "Intel Corporation"]
    "Recguard" = "C:\WINDOWS\SMINST\RECGUARD.EXE "
    "RemoteControl" = " "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" " [ "Cyberlink Corp."]
    "ccApp" = " "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" " [ "Symantec Corporation"]
    "Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" [ "Symantec Corporation"]
    "GC75-Manager-Class" = " "C:\Program Files\Sony Ericsson\Wireless Manager\GC75Manager.exe" -startup" [ "Broadcom Corporation"]
    "Share-to-Web Namespace Daemon" = "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [ "Hewlett-Packard"]
    "HP Component Manager" = " "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" " [ "Hewlett-Packard Company"]
    "REGSHAVE" = "C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN" [ "FUJI PHOTO FILM CO., LTD."]
    "Enigma Firewall" = "C:\Program Files\Enigma Software Group\EnigmaFireWall\EnigmaFirewall.exe" [ "Enigma Software Group, Inc."]
    "Microsoft Works Update Detection" = "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [ "Microsoft® Corporation"]
    "HP Software Update" = "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [ "Hewlett-Packard Co."]
    "HPDJ Taskbar Utility" = "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [ "HP"]
    "SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [ "Sun Microsystems, Inc."]
    "iTunesHelper" = " "C:\Program Files\iTunes\iTunesHelper.exe" " [ "Apple Computer, Inc."]
    "QuickTime Task" = " "C:\Program Files\QuickTime\qttask.exe" -atboottime" [ "Apple Computer, Inc."]
    "Windows Defender" = " "C:\Program Files\Windows Defender\MSASCui.exe" -hide" [MS]
    "ABBYY Community Agent" = "C:\Program Files\ABBYY FineReader 5.0 Pro\CAgent.exe" [ "ABBYY (BIT Software)"]
    "IntelZeroConfig" = " "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" " [ "Intel Corporation"]
    "IntelWireless" = " "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless" [ "Intel Corporation"]
    "AS00_Gear511" = "C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide" [empty string]
    "SpyHunter" = "*i" (unwritable string) [file not found]
    "XFILTER" = "C:\Program Files\Enigma Software Group\EnigmaFireWall\ESPfSdk.dll" [ "Enigma Software Group, Inc."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "AcroIEHlprObj Class "
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll" [ "Adobe Systems Incorporated"]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "SSVHelper Class "
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" [ "Sun Microsystems, Inc."]
    {AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Google Toolbar Helper "
    \InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" [ "Google Inc."]
    {AE7CD045-E861-484f-8273-0445EE161910}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "AcroIEToolbarHelper Class "
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]
    {BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper "
    -> {HKLM...CLSID} = "CNavExtBho Class "
    \InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll" [ "Symantec Corporation"]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext "
    -> {HKLM...CLSID} = "HyperTerminal Icon Ext "
    \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" [ "Hilgraeve, Inc."]
    "{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel "
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" [ "Synaptics, Inc."]
    "{7F67036B-66F1-411A-AD85-759FB9C5B0DB}" = "SampleView "
    -> {HKLM...CLSID} = "SampleView "
    \InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" [ "XSS"]
    "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu "
    -> {HKLM...CLSID} = "Acrobat Elements Context Menu "
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" [ "Adobe Systems Inc."]
    "{02040CD1-EF11-11D5-BC3F-0003473F5BF0}" = "HotShell Shell Extension "
    -> {HKLM...CLSID} = "HotShellExt Class "
    \InProcServer32\(Default) = "C:\Program Files\eFax Messenger Plus\hotshell.dll" [ "j2 Global Communications, Inc."]
    "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes "
    -> {HKLM...CLSID} = "iTunes "
    \InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" [ "Apple Computer, Inc."]
    "{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler "
    -> {HKLM...CLSID} = "Microsoft Office Outlook "
    \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
    "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler "
    -> {HKLM...CLSID} = "Outlook File Icon Extension "
    \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
    "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler "
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
    "{C55C499D-3518-44a1-998E-796AC5FC989D}" = "NetworkMagic "
    -> {HKLM...CLSID} = "My Shared Folders "
    \InProcServer32\(Default) = "C:\Program Files\Pure Networks\Network Magic\nmspce.dll" [ "Pure Networks, Inc."]
    "{33F85093-44BB-4587-B25B-FFD05D5B9916}" = "NetworkMagic "
    -> {HKLM...CLSID} = "My Shared Folders "
    \InProcServer32\(Default) = "C:\Program Files\Pure Networks\Network Magic\nmspce.dll" [ "Pure Networks, Inc."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
    <<!>> "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook "
    -> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook "
    \InProcServer32\(Default) = "C:\PROGRA~1\WIFD1F~1\MpShHook.dll" [MS]
    <<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5 "
    -> {HKLM...CLSID} = "CShellExecuteHookImpl Object "
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [ "Anti-Malware Development a.s."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    "WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5} "
    -> {HKLM...CLSID} = "WPDShServiceObj Class "
    \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
    <<!>> "System" = "kdcvs.exe" [null data]

    HKLM\System\CurrentControlSet\Control\Session Manager\
    <<!>> "BootExecute" = "autocheck autochk * "| "SsiEfr.e" [file not found]

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    <<!>> igfxcui\DLLName = "igfxdev.dll" [ "Intel Corporation"]
    <<!>> WRNotifier\DLLName = "WRLogonNTF.dll" [ "Webroot Software, Inc."]

    HKLM\Software\Classes\PROTOCOLS\Filter\
    <<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945} "
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
    Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} "
    -> {HKLM...CLSID} = "Acrobat Elements Context Menu "
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" [ "Adobe Systems Inc."]
    AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920} "
    -> {HKLM...CLSID} = "CContextScan Object "
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" [ "Anti-Malware Development a.s."]
    HotShellExt\(Default) = "{02040CD1-EF11-11D5-BC3F-0003473F5BF0} "
    -> {HKLM...CLSID} = "HotShellExt Class "
    \InProcServer32\(Default) = "C:\Program Files\eFax Messenger Plus\hotshell.dll" [ "j2 Global Communications, Inc."]
    Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} "
    -> {HKLM...CLSID} = "IEContextMenu Class "
    \InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll" [ "Symantec Corporation"]

    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
    AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920} "
    -> {HKLM...CLSID} = "CContextScan Object "
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" [ "Anti-Malware Development a.s."]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} "
    -> {HKLM...CLSID} = "IEContextMenu Class "
    \InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll" [ "Symantec Corporation"]


    Group Policies {policy setting}:
    --------------------------------

    Note: detected settings may not have any effect.

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "DisableRegistryTools" = (REG_DWORD) hex:0x00000000
    {Prevent access to registry editing tools}

    HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\

    "NoSplash" = (REG_DWORD) hex:0x00000001
    {unrecognized setting}

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Shutdown: Allow system to be shut down without having to log on}

    "undockwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Devices: Allow undock without having to log on}


    Active Desktop and Wallpaper:
    -----------------------------

    Active Desktop may be disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
    HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
    "Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\My Documents\aaa.Archives\CompaqRescue\Z.Folder\SetUp\Wallpaper\D.Cupid2.bmp "

    Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
    HKCU\Control Panel\Desktop\
    "Wallpaper" = "C:\Documents and Settings\Owner\My Documents\aaa.Archives\CompaqRescue\Z.Folder\SetUp\Wallpaper\D.Cupid2.bmp "


    Startup items in "Owner" & "All Users" startup folders:
    -------------------------------------------------------

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    "Acrobat Assistant" -> shortcut to: "C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe" [ "Adobe Systems Inc."]
    "BigFix" -> shortcut to: "C:\Program Files\BigFix\BigFix.exe /atstartup" [ "BigFix Inc."]
    "Dataviz Messenger" -> shortcut to: "C:\WINDOWS\DvzCommon\DvzMsgr.exe" [null data]
    "eFax Tray Menu" -> shortcut to: "C:\Program Files\eFax Messenger Plus\HotTray.exe" [ "j2 Global Communications, Inc."]
    "HotSync Manager" -> shortcut to: "C:\Program Files\Palm\HOTSYNC.EXE" [ "Palm, Inc."]
    "HP Digital Imaging Monitor" -> shortcut to: "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" [ "Hewlett-Packard Co."]
    "Iomega Backup Scheduler" -> shortcut to: "C:\Program Files\Iomega\Iomega Backup\dtsc.exe" [ "Iomega"]
    "Live Menu" -> shortcut to: "C:\Program Files\eFax Messenger Plus\Dllcmd32.exe /R /K C:\PROGRA~1\EFAXME~1\HsPfcW32.dll,JSPFCWSetHooking,1,0,0,0" [ "j2 Global Communications, Inc."]
    "Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
    "Norton System Doctor" -> shortcut to: "C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE /startup" [ "Symantec Corporation"]
    "QuickBooks Update Agent" -> shortcut to: "C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe" [ "Intuit, Inc."]


    Enabled Scheduled Tasks:
    ------------------------

    "Norton AntiVirus - Scan my computer - Owner" -> launches: "C:\PROGRA~1\NORTON~1\NORTON~3\Navw32.exe /task: "C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca" " [ "Symantec Corporation"]
    "Norton SystemWorks One Button Checkup" -> launches: "C:\Program Files\Norton SystemWorks\OBC.exe /CUSTOM /SCHEDULE /AUTO" [ "Symantec Corporation"]
    "Symantec Drmc" -> launches: "C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe /CUSTOM /SCHEDULE" [ "Symantec Corporation"]


    Winsock2 Service Provider DLLs:
    -------------------------------

    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    C:\WINDOWS\system32\ESPFSPI.DLL [ "Enigma Software "], 01 - 05
    %SystemRoot%\system32\mswsock.dll [MS], 06 - 31


    Toolbars, Explorer Bars, Extensions:
    ------------------------------------

    Toolbars

    HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
    "{2318C2B1-4965-11D4-9B18-009027A5CD4F} "
    -> {HKLM...CLSID} = "&Google "
    \InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" [ "Google Inc."]

    HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
    "{2318C2B1-4965-11D4-9B18-009027A5CD4F} "
    -> {HKLM...CLSID} = "&Google "
    \InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" [ "Google Inc."]
    "{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} "
    -> {HKLM...CLSID} = "Norton AntiVirus "
    \InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll" [ "Symantec Corporation"]
    "{47833539-D0C5-4125-9FA8-0819E2EAAC93} "
    -> {HKLM...CLSID} = "Adobe PDF "
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]
    "{F5735C15-1FB2-41FE-BA12-242757E69DDE} "
    -> {HKLM...CLSID} = "ZeroBar "
    \InProcServer32\(Default) = "C:\Program Files\NetZero\toolbar.dll" [empty string]
    "{F0F8ECBE-D460-4B34-B007-56A92E8F84A7} "
    -> {HKLM...CLSID} = "ZeroBar "
    \InProcServer32\(Default) = "C:\Program Files\NetZero\Toolbar.dll" [empty string]
    "{F2CF5485-4E02-4F68-819C-B92DE9277049} "
    -> {HKLM...CLSID} = "&Links "
    \InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

    HKLM\Software\Microsoft\Internet Explorer\Toolbar\
    "{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus "
    -> {HKLM...CLSID} = "Norton AntiVirus "
    \InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll" [ "Symantec Corporation"]
    "{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = (no title provided)
    -> {HKLM...CLSID} = "Adobe PDF "
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]
    "{F5735C15-1FB2-41FE-BA12-242757E69DDE}" = (no title provided)
    -> {HKLM...CLSID} = "ZeroBar "
    \InProcServer32\(Default) = "C:\Program Files\NetZero\toolbar.dll" [empty string]
    "{F0F8ECBE-D460-4B34-B007-56A92E8F84A7}" = (no title provided)
    -> {HKLM...CLSID} = "ZeroBar "
    \InProcServer32\(Default) = "C:\Program Files\NetZero\Toolbar.dll" [empty string]
    "{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
    -> {HKLM...CLSID} = "&Google "
    \InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" [ "Google Inc."]

    Explorer Bars

    HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
    {182EC0BE-5110-49C8-A062-BEB1D02A220B}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Adobe PDF "
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]
    {FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Real.com "
    \InProcServer32\(Default) = "C:\WINDOWS\system32\Shdocvw.dll" [MS]

    HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research "
    Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
    InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\Software\Microsoft\Internet Explorer\Extensions\
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
    "MenuText" = "Sun Java Console "
    "CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} "
    -> {HKCU...CLSID} = "Java Plug-in "
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" [ "Sun Microsystems, Inc."]
    -> {HKLM...CLSID} = "Java Plug-in 1.5.0_06 "
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" [ "Sun Microsystems, Inc."]

    {92780B25-18CC-41C8-B9BE-3C9C571A8263}\
    "ButtonText" = "Research "

    {AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
    "ButtonText" = "AIM "
    "Exec" = "C:\Program Files\AIM\aim.exe" [ "America Online, Inc."]

    {CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
    "ButtonText" = "Real.com "

    {E2E2DD38-D088-4134-82B7-F2BA38496583}\
    "MenuText" = "@xpsp3res.dll,-20001 "
    "Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

    {FB5F1910-F110-11D2-BB9E-00C04F795683}\
    "ButtonText" = "Messenger "
    "MenuText" = "Windows Messenger "
    "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


    Miscellaneous IE Hijack Points
    ------------------------------

    HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
    <<H>> "{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8}" = (no title provided)
    -> {HKLM...CLSID} = "URLSearchHook Class "
    \InProcServer32\(Default) = "C:\Program Files\NZSearch\SearchEnh1.dll" [ "United Online, Inc."]


    Running Services (Display Name, Service Name, Path {Service DLL}):
    ------------------------------------------------------------------

    AOL Connectivity Service, AOL ACS, "C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe" [ "America Online, Inc."]
    Automatic LiveUpdate Scheduler, Automatic LiveUpdate Scheduler, " "C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" " [ "Symantec Corporation"]
    AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" [ "Anti-Malware Development a.s."]
    HTTP SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" { "C:\WINDOWS\System32\w3ssl.dll" [MS]}
    Intel(R) PROSet/Wireless Event Log, EvtEng, "C:\Program Files\Intel\Wireless\Bin\EvtEng.exe" [ "Intel Corporation"]
    Intel(R) PROSet/Wireless Registry Service, RegSrvc, "C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe" [ "Intel Corporation"]
    Intel(R) PROSet/Wireless Service, S24EventMonitor, "C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe" [ "Intel Corporation "]
    iPodService, iPodService, "C:\Program Files\iPod\bin\iPodService.exe" [ "Apple Computer, Inc."]
    Machine Debug Manager, MDM, " "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE" " [MS]
    Norton AntiVirus Auto-Protect Service, navapsvc, " "C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe" " [ "Symantec Corporation"]
    Norton AntiVirus Firewall Monitor Service, NPFMntor, " "C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe" " [ "Symantec Corporation"]
    Norton Unerase Protection, NProtectService, "C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE" [ "Symantec Corporation"]
    PrismXL, PrismXL, "C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS" [ "New Boundary Technologies, Inc."]
    Pure Networks Network Magic Service, nmservice, " "C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe" " [ "Pure Networks, Inc."]
    SAVScan, SAVScan, " "C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe" " [ "Symantec Corporation"]
    Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" [ "Symantec Corporation"]
    Symantec Event Manager, ccEvtMgr, " "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" " [ "Symantec Corporation"]
    Symantec Network Drivers Service, SNDSrvc, " "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe" " [ "Symantec Corporation"]
    Symantec Settings Manager, ccSetMgr, " "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" " [ "Symantec Corporation"]
    Symantec SPBBCSvc, SPBBCSvc, " "C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe" " [ "Symantec Corporation"]
    Webroot Spy Sweeper Engine, svcWRSSSDK, "C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe" [ "Webroot Software, Inc."]
    Windows Defender Service, WinDefend, " "C:\Program Files\Windows Defender\MsMpEng.exe" " [MS]
    Windows Media Player Network Sharing Service, WMPNetworkSvc, "C:\Program Files\Windows Media Player\WMPNetwk.exe" [MS]
    WLTRYSVC, WLTRYSVC, "C:\WINDOWS\System32\wltrysvc.exe C:\WINDOWS\System32\bcmwltry.exe" [null data]


    Print Monitors:
    ---------------

    HKLM\System\CurrentControlSet\Control\Print\Monitors\
    Adobe PDF Port\Driver = "C:\WINDOWS\system32\AdobePDF.dll" [ "Adobe Systems Incorporated."]
    HP Master Monitor\Driver = "HPBMMON.DLL" [ "Hewlett-Packard"]
    hpzlnt09\Driver = "hpzlnt09.dll" [ "HP"]
    hpzsnt09\Driver = "hpzsnt09.dll" [ "HP"]
    Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


    ----------
    <<!>>: Suspicious data at a malware launch point.
    <<H>>: Suspicious data at a browser hijack point.

    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + To search all directories of local fixed drives for DESKTOP.INI
    DLL launch points, use the -supp parameter or answer "No" at the
    first message box and "Yes" at the second message box.
    ---------- (total run time: 93 seconds, including 18 seconds for message boxes)


    Thanks for your help so far... I hope you can see what the cause is...

    Dave
     
  6. 2006/11/25
    TeMerc

    I guess I need to figure out a way to make this bit of info more noticeable...any suggestions?:p

    Anyway, nothing of suspicious nature in either the Panda scan or AVG. However, the Silent Runner scan did in fact pick something up which needs removal.

    So let's attack that and see how we fare.


    Please read ALL instructions carefully BEFORE proceeding.


    Please go to Add/Remove, and if found, uninstall the following:
    Enigma Software
    Spyware Nuker


    You can read about this company here and here. Yes the info is a bit old, but history tells us these types of companies rarely if ever change their colors.


    Download the Killbox from here and save it to the desktop.
    • Double-click the KillBox icon on your desktop to open it.
    • Select "Delete on Reboot".
    • Then select "All files".
    Copy the file names below to the clipboard by highlighting them and pressing Control-C:
    C:\WINDOWS\system32\kdcvs.exe

    Return to Killbox
    • Go to the File menu, and choose "Paste from Clipboard".
    • Click the red-and-white "Delete File" button.
    • Click "Yes" at the Delete on Reboot prompt.
    Do not reboot yet.


    Run HijackThis and look over the following entries I have listed, check the boxes next to them and press the "Fix Checked" button in HijackThis. When you are doing this, make sure you have no IE windows, or other browsers, open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.

    O17 - HKLM\System\CCS\Services\Tcpip\..\{271518F8-11BC-49BE-986D-72A2FDC098F4}: NameServer = 85.255.114.90,85.255.112.92
    O17 - HKLM\System\CCS\Services\Tcpip\..\{360BDA84-314C-41B6-A35F-07622FA4BD8F}: NameServer = 85.255.114.90,85.255.112.92
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3FC23BB9-239F-4063-95C0-F1F197527156}: NameServer = 85.255.114.90,85.255.112.92
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5E8D5642-70AB-49B3-A0EE-B97801D0C8E6}: NameServer = 85.255.114.90,85.255.112.92
    O17 - HKLM\System\CCS\Services\Tcpip\..\{88A5018E-23F3-498C-B8CB-19EB8A3F8B54}: NameServer = 85.255.114.90,85.255.112.92
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A4A4CD76-2126-49DB-8671-C7EFE0BD1178}: NameServer = 85.255.114.90,85.255.112.92
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F99EAF2B-0B36-4712-B895-89845EDB5DBD}: NameServer = 85.255.114.90,85.255.112.92
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.90 85.255.112.92
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.90 85.255.112.92
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.90 85.255.112.92


    Reboot the system, let me know if you're experiencing any problems and provide me a fresh HJT log file please.
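    As a defender's check on the kind of O17 entries TeMerc lists above, here is an added example (not code from the thread, from HijackThis or from any tool named in it) that parses O17 lines from an HJT log and flags NameServer values pointing at public resolvers that are not on an allow-list. The allow-list addresses, the clean interface GUID and the O4 line are constructed for the example; the two rogue O17 lines are copied from the post.

```python
"""Flag rogue DNS servers in HijackThis O17 entries.

HijackThis abbreviates registry paths: CCS = CurrentControlSet,
CS1/CS2 = ControlSet001/ControlSet002 (the non-active control sets),
and "..\{GUID}" = Parameters\Interfaces\{GUID}. A DNS hijack typically
writes the same NameServer into every control set and every interface,
which is why all of them have to be cleared, not just the active one.
"""
import ipaddress
import re
from dataclasses import dataclass, field

O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cset>CCS|CS\d+)\\Services\\Tcpip\\"
    r"(?:\.\.\\(?P<guid>\{[0-9A-Fa-f-]{36}\})|Parameters)"
    r": NameServer = (?P<servers>.+)$"
)

# Resolvers this machine is *expected* to use. Constructed for the example:
# a home router plus two hypothetical ISP resolvers (TEST-NET-3 addresses).
EXPECTED_RESOLVERS = {
    ipaddress.ip_address("192.168.1.1"),
    ipaddress.ip_address("203.0.113.53"),
    ipaddress.ip_address("203.0.113.54"),
}


@dataclass
class O17Entry:
    control_set: str            # CCS, CS1, CS2 ...
    interface: str              # interface GUID, or "Parameters" for the global value
    servers: list
    rogue: list = field(default_factory=list)


def parse_o17(line: str):
    """Return an O17Entry for a HijackThis O17 line, or None if it is not one."""
    m = O17_RE.match(line.strip())
    if not m:
        return None
    # Per-interface values are comma separated, the global value space separated.
    raw = [s for s in re.split(r"[,\s]+", m.group("servers").strip()) if s]
    servers = []
    for s in raw:
        try:
            servers.append(ipaddress.ip_address(s))
        except ValueError:
            continue            # non-IP junk in the value: skip it, keep scanning
    return O17Entry(m.group("cset"), m.group("guid") or "Parameters", servers)


def classify(entry: O17Entry, expected=EXPECTED_RESOLVERS) -> O17Entry:
    """Mark every public resolver that is not on the allow-list as rogue.

    Private and loopback addresses are taken to be the local router or a
    local forwarder and accepted; anything else must be explicitly expected.
    """
    entry.rogue = [
        ip for ip in entry.servers
        if not (ip.is_private or ip.is_loopback) and ip not in expected
    ]
    return entry


def scan_log(text: str):
    """Parse every O17 line in an HJT log; return the entries with rogue DNS."""
    findings = []
    for line in text.splitlines():
        entry = parse_o17(line)
        if entry is not None and classify(entry).rogue:
            findings.append(entry)
    return findings


def rogue_servers(findings) -> set:
    """Distinct rogue resolver addresses across all findings, as strings."""
    return {str(ip) for e in findings for ip in e.rogue}


# Sample log: two O17 lines as posted in the thread, a constructed clean
# interface pointing at the home router, and an unrelated O4 line to ignore.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{271518F8-11BC-49BE-986D-72A2FDC098F4}: NameServer = 85.255.114.90,85.255.112.92
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.90 85.255.112.92
O17 - HKLM\System\CCS\Services\Tcpip\..\{0BAD0BAD-0000-4000-8000-000000000001}: NameServer = 192.168.1.1
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    for e in scan_log(SAMPLE_LOG):
        print(f"{e.control_set:4} {e.interface}: rogue DNS "
              f"{', '.join(str(ip) for ip in e.rogue)}")
```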
     
  7. 2006/11/25
    dolbus

    Solved!!

    TeMerc,

    That seemed to do it...

    BTW, sorry about posting the logs in my previous two posts. I started to weed them out, then forgot.

    Here is the last HJT Log.

    Lastly, what is causing this? I think the problems popped up with the installation of IE 7.0, but it could be coincidence.
    I am an attorney and I want to help grab these bastards by the groin and sue them silly. The man-hours I have lost alone, just for the two-hour scans for AVG and Panda, are enough for any monetary damage!! Any idea who this is?
    Enough of my rantings, here is the HJT

    Logfile of HijackThis v1.99.1
    Scan saved at 4:57:32 PM, on 11/25/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\WINDOWS\DvzCommon\DvzMsgr.exe
    C:\Program Files\eFax Messenger Plus\HotTray.exe
    C:\Program Files\Palm\HOTSYNC.EXE
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Iomega\Iomega Backup\dtsc.exe
    C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.east.cox.net/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
    R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll
    O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [GC75-Manager-Class] "C:\Program Files\Sony Ericsson\Wireless Manager\GC75Manager.exe" -startup
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [ABBYY Community Agent] C:\Program Files\ABBYY FineReader 5.0 Pro\CAgent.exe
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe "
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
    O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
    O4 - Global Startup: eFax Tray Menu.lnk = C:\Program Files\eFax Messenger Plus\HotTray.exe
    O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Iomega Backup Scheduler.lnk = C:\Program Files\Iomega\Iomega Backup\dtsc.exe
    O4 - Global Startup: Live Menu.lnk = C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
    O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
    O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1143601053068
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146100812312
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O18 - Protocol: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\puresp.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: Pure Networks Net2Go Service (nmraapache) - Unknown owner - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe" -k runservice (file missing)
    O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

    Thanks again, Dave
     
  8. 2006/11/25
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    That IP range, which was in the O17 lines, is the gang that hosts most of the malware crime rings. Because they are an offshore type of company, in a country which has higher priorities, it's a long shot they will ever be taken down.

    There are some fairly powerful groups who are always working to try, FBI and others included.

    Their info is here:
    http://www.dnsstuff.com/tools/whois.ch?ip=85.255.112.92

    It's a never ending battle.

    It's also unlikely this happened due to IE 7 install, just coincidental.

    Your logs appear clear, and you're saying things appear to be back to normal, so that's a good thing, nice job.

    I notice you have a lot of stuff running in the background. You may want to trim some of that stuff to gain a tick in some performance with your box.

    Here is an excellent site for that:
    AnswersThatWork
    Just go to the appropriate letter, and search for the process/exe, they will give good detailed info regarding it, we use it quite often. If you can't find it there, then use Google.

    We have 3 more things to do, mostly maintenance and then our recommendations:

    Empty the TIF (Temporary Internet Files)
    Delete all the files in (and any subfolders of) the C:\Windows\Temp folder
    The app below will help with temp files.
    Index.dat Suite

    Also, delete all your cookies, and empty your recycle bin. But remember, by deleting your cookies, you will have to re-enter any passwords and log-in info for any sites you are usually required to do so with.

    This would also be a good time to set a new system restore point for your machine.
    Set New System Restore Point. Do not do this unless there are no other user accounts to be diagnosed.

    Also, as you are an XP user, if there are any other accounts on this machine, they too, must be cleaned with AdAware, Spybot S&D, then HJT. Not all infections are global, nor are all the HJT fixes global. You can post each user account here into this thread, but please, do only one at a time to avoid confusion.

    Here is a link which describes how security apps work with WIN XP machines.
    XP User Accts Security Apps Operation

    To further prevent the installation of ad/mal/spyware, DL the apps below, which are just as good in the fight against ad/mal/spyware as AdAware & Spybot S&D:

    SpywareBlaster
    With SpywareBlaster v3.5.1, just DL, install and check for updates, enable Internet Explorer protection, and you're done! I don't recommend using IE restricted sites protection as it's not a very large database. Use IE-SPYADs below.

    To avoid known malware infested sites from loading in IE install IESPY ADS.
    And MVPS Hosts File will accomplish a similar tactic and provide another layer of protection.

    And to prevent unknown applications from being inserted to start up on your machine install WinPatrol v10.0.5.

    Another thing I would suggest, is to install SiteAdvisor. It gives sites a few different 'ratings' and while not fool proof, a good additional layer of information about many sites.

    Links for tutorials for all the apps I mentioned can be found on my site as well.

    Confused about which apps are good or not? Read about Rogue/Approved Anti Security apps

    And just because you have security apps installed, they are useless unless updated regularly. Keep track of updates for ALL your security needs here:
    Calendar of Updates

    Subscribe to update alerts for all the above security apps here.

    You can also see my own ongoing security testing with all the above apps, proving how safe you can be with them installed.
    TeMerc Test Box Forum

    Happy surfing!!
    Tom :D
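The sections TeMerc is reading in the log above (R3 URLSearchHook, O2 BHOs, O3 toolbars, O4 autostarts, O20 Winlogon Notify, O23 services) are the ones a reviewer scans first when the complaint is IE search redirection. The following is an added example, not code from the forum thread or from HijackThis: a small parser that pulls those lines apart and marks the entries a human should look at. It uses a handful of lines copied verbatim from the posted log as input. The three review heuristics (URLSearchHook entries, "(file missing)" entries, "Unknown owner" services) and the `TRUSTED_PREFIXES` list of normal install locations are my assumptions; they produce review prompts, not verdicts, and nothing here contradicts the reply's reading that the log is clean.

```python
"""Triage helper for HijackThis-style logs.

Added example, not part of the forum post or of HijackThis itself. It parses
the R/O-prefixed lines and applies three simple "look at this" heuristics.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Lines copied verbatim from the HijackThis 1.99.1 log posted above.
SAMPLE_LOG = r"""
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Unknown owner - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe" -k runservice (file missing)
"""

# "R3 - ..." / "O23 - ..." : section tag, separator, rest of the line.
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<rest>.*)$")
# First drive-letter or %VAR%-rooted path that ends in an executable extension.
PATH_RE = re.compile(r'(?:[A-Za-z]:|%\w+%)\\[^"]*?\.(?:exe|dll|sys|ocx|cpl)', re.I)
# Assumed "normal" install roots for this machine; paths elsewhere get flagged.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\", "%windir%\\")


@dataclass
class Entry:
    section: str
    raw: str
    path: Optional[str]
    reasons: List[str] = field(default_factory=list)


def _review_reasons(section: str, raw: str, path: Optional[str]) -> List[str]:
    """Heuristics (my assumptions) for why an entry deserves a second look."""
    reasons = []
    if section == "R3":
        # IE hands unresolved address-bar input to URLSearchHook DLLs, which is
        # why this section is the first stop for a search-redirect complaint.
        reasons.append("URLSearchHook: IE loads this DLL for address-bar searches; confirm it is expected")
    if "(file missing)" in raw:
        reasons.append("references a file that is not on disk (dangling entry)")
    if section == "O23" and "Unknown owner" in raw:
        reasons.append("service binary has no company name in its version info")
    if path and not path.lower().startswith(TRUSTED_PREFIXES):
        reasons.append("binary lives outside Program Files / Windows")
    return reasons


def parse_log(text: str) -> List[Entry]:
    """Turn every R*/O* line into an Entry with its section, path and reasons."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header, process list, blank line
        section = m.group("section")
        pm = PATH_RE.search(m.group("rest"))
        path = pm.group(0) if pm else None
        entries.append(Entry(section, line, path, _review_reasons(section, line, path)))
    return entries


def triage(text: str) -> List[Entry]:
    """Only the entries that tripped at least one heuristic."""
    return [e for e in parse_log(text) if e.reasons]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(e.section, e.path or "-", "|", "; ".join(e.reasons))
```

Run it on a full log and the output is a short list of entries to look up on a process-reference site like the one TeMerc links, rather than the whole log. A flagged entry only means "check this"; the NZSearch hook, for instance, sits under Program Files next to the NetZero toolbar and is flagged purely because of its section, not because of anything known about the file.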