
Home Page and Google Re-directed

Discussion in 'Malware and Virus Removal Archive' started by mikeyewz, 2006/11/30.

  1. 2006/11/30
    mikeyewz (Thread Starter)
    I regularly run and update Ad-Aware, Spybot S&D, CCleaner and Avast Antivirus, but none of these seem to be able to sort out an annoying problem. Every time I log onto my Home Page in IE6, I am redirected to a page recommending me to search for ****, shopping and all sorts of ****. It seems to be a different page each time I log on, e.g. the latest being xxx.jupk.com. The same happens when I try to get on to Google. I have used HijackThis, and I cannot see anything untoward in the log.
    Any suggestions would be most appreciated.
    Thanks, Mike.
     
    Last edited by a moderator: 2006/11/30
  2. 2006/11/30
    TeMerc (Alumni)
    Hello and welcome to WindowsBBS Forums.

    Can you please post the log from HJT and please be sure it is installed as instructed below. We'll work from there.

    Please follow these instructions, exactly, for proper HJT installation. Please place HJT into ITS OWN PERMANENT FOLDER. It must not be installed on the desktop.

    You can do this by going to My Computer (Windows key+e), then double click on C:, then right click and select New, then Folder, and name it HJT. Move HijackThis.exe into this folder (C:\HJT\HijackThis.exe). When you run HijackThis.exe from the C:\HJT folder and have it "Fix checked", it will create a backup file of modifications to use if a restore is necessary, which is easily accessible.
     


  4. 2006/12/01
    mikeyewz (Thread Starter)
    Logfile of HijackThis v1.99.1
    Scan saved at 17:13:29, on 01/12/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.orange.co.uk/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    N3 - Netscape 7: user_pref( "browser.search.defaultengine ", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src "); (C:\Documents and Settings\Mike Hughes\Application Data\Mozilla\Profiles\default\0uk52gbt.slt\prefs.js)
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [asrupdate.exe] C:\WINDOWS\System32\asrupdate.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{05F38098-56B1-4549-94DF-2139940940D5}: NameServer = 85.255.116.171 85.255.112.228
    O17 - HKLM\System\CS1\Services\Tcpip\..\{05F38098-56B1-4549-94DF-2139940940D5}: NameServer = 85.255.116.171 85.255.112.228
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
  5. 2006/12/01
    TeMerc (Alumni)
    Below you will find my results and recommendations from your HijackThis! log file analysis. Please read ALL instructions carefully BEFORE proceeding.


    Let's run a WareOut tool, to eliminate or find the infection.

    You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

    Please download FixWareout from one of these sites:
    Subratam
    Bleeping Computing

    Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
    The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

    Once rebooted please post the text that will open (report.txt) and a new Hijackthis log file into this thread.
    If you get a file output similar to below:
    Go here and run the fix appropriate to your version of Windows:

    http://www.tech-forums.net/computer/topic/29806.html

    Then re-run Fixwareout please, thanks.


    Then Download combofix.exe
    • Double click combofix.exe & follow the prompts.
    • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    Do not reboot yet.


    Open Hijackthis, select the 'Do a system scan only' button and look over the following entries I have listed, check the boxes next to them and press the "Fix Checked" button. When you are doing this, make sure you have No IE windows, nor any other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.

    O4 - HKCU\..\Run: [asrupdate.exe] C:\WINDOWS\System32\asrupdate.exe


    O17 - HKLM\System\CCS\Services\Tcpip\..\{05F38098-56B1-4549-94DF-2139940940D5}: NameServer = 85.255.116.171 85.255.112.228

    O17 - HKLM\System\CS1\Services\Tcpip\..\{05F38098-56B1-4549-94DF-2139940940D5}: NameServer = 85.255.116.171 85.255.112.228



    Reboot, into safe mode, this way:
    Turn on the computer
    Immediately begin tapping the <F8> key.
    Use the arrow keys to highlight Safe Mode and press the <Enter> key.

    Also, enable the 'Show Hidden Folders' option, like this:
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.

    Open 'My Computer' and select the 'Search' feature. Then click the 'All files and folders' button. Click the 'More advanced search options' button and be sure the 'Search system folders', 'Search hidden files and folders' and 'Search subfolders' boxes are check marked then search for and delete, if found, (some may not be present after previous steps) the following files/folders:
    C:\WINDOWS\System32\asrupdate.exe<<<--this file

    To exit Safe Mode, click the Start button, click Turn Off Computer, click Restart.

    Post a new HJT log back into this thread please along with the ComboFix log.
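To show what the diagnosis in this post keys on, here is an added triage script (my example, not code from the thread, HijackThis, FixWareout or ComboFix). It parses the O17 and O4 lines from the posted log, flags NameServer values outside an assumed trusted set and the per-user System32 autostart, and diffs a before/after log to list what a fix removed. The trusted resolver networks, the second adapter GUID and the "after" log are constructed for the example.

```python
"""Triage helper for HijackThis-style logs.

Added example for this thread; it is not part of HijackThis, FixWareout or
ComboFix. It checks the two entry types the helper marked for fixing:
O17 NameServer lines pointing at resolvers outside a trusted set, and a
per-user (HKCU) O4 Run entry that loads a bare executable from System32.
It also diffs a before/after log to show what a fix removed.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the O4/O17 lines from the 2006/12/01 log in this thread,
# plus an invented O17 line for a second adapter that points at a home router.
SAMPLE_BEFORE = r"""
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [asrupdate.exe] C:\WINDOWS\System32\asrupdate.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{05F38098-56B1-4549-94DF-2139940940D5}: NameServer = 85.255.116.171 85.255.112.228
O17 - HKLM\System\CS1\Services\Tcpip\..\{05F38098-56B1-4549-94DF-2139940940D5}: NameServer = 85.255.116.171 85.255.112.228
O17 - HKLM\System\CCS\Services\Tcpip\..\{11111111-2222-3333-4444-555555555555}: NameServer = 192.168.1.1
"""
# Constructed "after" log: the same machine once the three flagged lines are gone.
SAMPLE_AFTER = r"""
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{11111111-2222-3333-4444-555555555555}: NameServer = 192.168.1.1
"""

# Assumption: resolvers inside private address space (the home router) are trusted;
# a real deployment would list the ISP's or corporate resolvers here instead.
TRUSTED_RESOLVERS = [ipaddress.ip_network("192.168.0.0/16"),
                     ipaddress.ip_network("10.0.0.0/8")]

O17_RE = re.compile(r"^O17 - HKLM\\System\\(?P<cs>\w+)\\Services\\Tcpip\\\.\.\\"
                    r"(?P<guid>\{[0-9A-Fa-f-]+\}): NameServer = (?P<servers>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
ENTRY_RE = re.compile(r"^[A-Z]\d+ - ")


def is_trusted(ip_text, trusted):
    """True if ip_text parses as an IP address inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def dns_findings(log_text, trusted=TRUSTED_RESOLVERS):
    """Group O17 entries by adapter GUID and report untrusted resolvers together
    with every control set that carries them (the posted log shows the same
    servers under CCS and CS1, and the helper asked for both lines to be fixed)."""
    by_guid = defaultdict(lambda: {"control_sets": set(), "untrusted": set()})
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        bad = [s for s in m.group("servers").split() if not is_trusted(s, trusted)]
        if bad:
            by_guid[m.group("guid")]["control_sets"].add(m.group("cs"))
            by_guid[m.group("guid")]["untrusted"].update(bad)
    return {g: {"control_sets": sorted(v["control_sets"]), "untrusted": sorted(v["untrusted"])}
            for g, v in by_guid.items()}


def run_findings(log_text):
    """Heuristic: an HKCU Run entry whose name is just the filename of a bare
    executable in System32, which is how the asrupdate.exe entry looked."""
    flagged = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        cmd = m.group("cmd").strip()
        # Quoted commands carry their arguments after the closing quote.
        exe = cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split(" ")[0]
        base = exe.rsplit("\\", 1)[-1].lower()
        if (m.group("hive") == "HKCU"
                and exe.lower().startswith("c:\\windows\\system32\\")
                and m.group("name").lower() == base):
            flagged.append(exe)
    return flagged


def removed_entries(before, after):
    """HijackThis entries present in an earlier log but absent from a later one."""
    def entries(text):
        return {l.strip() for l in text.splitlines() if ENTRY_RE.match(l.strip())}
    return sorted(entries(before) - entries(after))


if __name__ == "__main__":
    for guid, info in dns_findings(SAMPLE_BEFORE).items():
        print(f"DNS hijack on {guid} in {info['control_sets']}: {info['untrusted']}")
    for exe in run_findings(SAMPLE_BEFORE):
        print(f"Suspicious per-user autostart: {exe}")
    for entry in removed_entries(SAMPLE_BEFORE, SAMPLE_AFTER):
        print(f"Removed by fix: {entry}")
```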
     
  6. 2006/12/02
    mikeyewz (Thread Starter)
    Thanks very much!! The problem has now been fixed. I have posted the HijackThis and ComboFix files below:
    Logfile of HijackThis v1.99.1
    Scan saved at 18:54:42, on 02/12/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    N3 - Netscape 7: user_pref( "browser.search.defaultengine ", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src "); (C:\Documents and Settings\Mike Hughes\Application Data\Mozilla\Profiles\default\0uk52gbt.slt\prefs.js)
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    ComboFix 06.11.27W - Running from: "C:\Documents and Settings\Mike Hughes\Desktop "

    ((((((((((((((((((((((((((((((( Files Created from 2006-11-02 to 2006-12-02 ))))))))))))))))))))))))))))))))))


    2006-11-30 19:35 <DIR> d-------- C:\Program Files\a-squared HiJackFree
    2006-11-30 19:29 <DIR> d-------- C:\Program Files\Advanced Spyware Remover
    2006-11-30 15:41 <DIR> d-------- C:\Program Files\Roguescanfix
    2006-11-30 15:38 <DIR> d-------- C:\WINDOWS\temp
    2006-11-30 15:16 1,716 --a------ C:\WINDOWS\system32\tmp.reg
    2006-11-29 15:32 <DIR> dr-h----- C:\Documents and Settings\Mike Hughes\Recent
    2006-11-28 20:59 51,721 --a------ C:\WINDOWS\system32\csqjq.exe
    2006-11-25 00:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
    2006-11-24 22:55 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
    2006-11-24 21:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe
    2006-11-24 21:29 <DIR> d-------- C:\Program Files\Photoshop CS2
    2006-11-22 18:01 <DIR> d-------- C:\Gigposters
    2006-11-21 14:45 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
    2006-11-21 14:34 <DIR> d-------- C:\WINDOWS\system32\appmgmt


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-12-02 18:54 -------- d-------- C:\Program Files\hijackthis
    2006-12-01 19:00 -------- d-------- C:\Program Files\AntiVirus Spybot etc Installation
    2006-11-30 18:51 -------- d-------- C:\Program Files\SpywareBlaster
    2006-11-30 16:25 -------- d---s---- C:\Documents and Settings\Mike Hughes\Application Data\Microsoft
    2006-11-30 15:51 -------- d-------- C:\Program Files\Mozilla Firefox
    2006-11-29 15:44 -------- d-------- C:\Documents and Settings\Mike Hughes\Application Data\Adobe
    2006-11-29 02:01 -------- d-------- C:\Program Files\RegScrubXP
    2006-11-27 18:43 -------- d-------- C:\Program Files\All Concert Posters
    2006-11-25 00:17 -------- d-------- C:\Program Files\Adobe
    2006-11-25 00:16 -------- d-------- C:\Program Files\Common Files\Adobe
    2006-11-24 22:55 -------- d-------- C:\Program Files\Common Files
    2006-11-21 14:45 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
    2006-11-21 14:37 -------- d-------- C:\Program Files\Microsoft Office
    2006-11-21 14:37 -------- d-------- C:\Program Files\Common Files\System
    2006-10-24 13:29 -------- d-------- C:\Documents and Settings\Mike Hughes\Application Data\Mozilla
    2006-10-24 13:12 -------- d-------- C:\Program Files\Viewpoint
    2006-10-24 13:11 -------- d-------- C:\Program Files\Common Files\xing shared
    2006-10-24 13:11 -------- d-------- C:\Program Files\Common Files\Real
    2006-10-24 13:09 90832 --a------ C:\WINDOWS\NSUninst.exe
    2006-10-24 13:09 -------- d-------- C:\Program Files\Netscape
    2006-10-24 12:59 -------- d-------- C:\Program Files\Windows Media Player
    2006-10-14 13:56 -------- d-------- C:\Documents and Settings\Mike Hughes\Application Data\Apple Computer
    2006-10-14 13:39 -------- d-------- C:\Program Files\QuickTime
    2006-10-14 13:38 -------- d-------- C:\Program Files\Apple Software Update
    2006-10-13 14:24 -------- d-------- C:\Program Files\ANAGRAM_MAKER
    2006-10-12 20:19 -------- d-------- C:\Program Files\Internet Explorer
    2006-10-12 20:18 76560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2006-10-12 17:49 -------- d-------- C:\Program Files\DeskProto 4.1 Trial
    2006-10-12 16:06 -------- d-------- C:\Program Files\Anim-FX
    2006-10-12 15:33 -------- d-------- C:\Program Files\Grisoft
    2006-10-04 10:18 14566 --a------ C:\WINDOWS\system32\drivers\cdntran.sys
    2006-10-02 17:14 -------- d-------- C:\Program Files\DolphinCadCam
    2006-10-01 14:20 622746 --a------ C:\Program Files\Common Files\tmp1.exe
    2006-09-25 15:45 666240 --a------ C:\WINDOWS\system32\aswBoot.exe
    2006-09-25 15:37 90112 --a------ C:\WINDOWS\system32\AVASTSS.scr


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "SpeedTouch USB Diagnostics "= "\ "C:\\Program Files\\Thomson\\SpeedTouch USB\\Dragdiag.exe\" /icon "
    "avast! "= "C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe "
    "Zone Labs Client "= "\ "C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\" "
    "QuickTime Task "= "\ "C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed "= "1 "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed "= "1 "
    "NoChange "= "1 "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed "= "1 "

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion "=dword:00000110
    "DeskHtmlMinorVersion "=dword:00000005
    "Settings "=dword:00000001
    "GeneralFlags "=dword:00000000

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE "= "C:\\WINDOWS\\System32\\CTFMON.EXE "

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE "= "C:\\WINDOWS\\System32\\CTFMON.EXE "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972} "=" "
    "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8} "= "Eudora's Shell Extension "
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8} "= "AVG Anti-Spyware 7.5 "

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "NoColorChoice "=dword:00000000
    "NoSizeChoice "=dword:00000000
    "NoDispScrSavPage "=dword:00000000
    "NoDispCPL "=dword:00000000
    "NoVisualStyleChoice "=dword:00000000
    "NoDispSettingsPage "=dword:00000000
    "NoDispAppearancePage "=dword:00000000
    "NoDispBackgroundPage "=dword:00000000

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system\Shell]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091
    "LinkResolveIgnoreLinkInfo "=dword:00000000
    "NoActiveDesktop "=dword:00000000
    "NoSaveSettings "=dword:00000000
    "ClassicShell "=dword:00000000
    "NoThemesTab "=dword:00000000
    "ForceActiveDesktopOn "=dword:00000000

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylastusername "=dword:00000000
    "legalnoticecaption "=" "
    "legalnoticetext "=" "
    "shutdownwithoutlogon "=dword:00000001
    "undockwithoutlogon "=dword:00000001
    "DisableTaskMgr "=dword:00000000

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "LinkResolveIgnoreLinkInfo "=dword:00000000
    "NoResolveSearch "=dword:00000001
    "NoActiveDesktopChanges "=dword:00000000

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "PostBootReminder "= "{7849596a-48ea-486e-8937-a2a3009f31a9} "
    "CDBurn "= "{fbeb8a05-beee-4442-804e-409d6c4515e9} "
    "WebCheck "= "{E6FB5E20-DE35-11CF-9C87-00AA005127ED} "
    "SysTray "= "{35CEC8A3-2BE6-11D2-8773-92E220524153} "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlPanel]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "per "
    "hkey "= "HKLM "
    "command "= "C:\\WINDOWS\\System32\\per.exe internat.dll,LoadKeyboardProfile "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "msmsgs "
    "hkey "= "HKCU "
    "command "= "\ "C:\\Program Files\\Messenger\\msmsgs.exe\" /background "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "jusched "
    "hkey "= "HKLM "
    "command "= "C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders "= "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll "


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\Advanced WindowsCare.job
    C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    C:\WINDOWS\tasks\AwcUpdate.job

    Completion time: 06-12-02 19:03:43.51
    C:\ComboFix.txt ... 06-12-02 19:03
    C:\ComboFix2.txt ... 06-12-02 19:00
    C:\ComboFix3.txt ... 06-12-02 18:19
     
  7. 2006/12/02
    TeMerc (Alumni)
    Looks like there are a couple of things to remove. Did the FixWareout tool display any results? Let me know; there looks to be one file related to it, the first one listed below, for killing.

    Download the Killbox from here and save it to the desktop.
    • Double-click the KillBox icon on your desktop to open it
    • Select "Delete on Reboot"
    • Then select "All files".
    Copy the file names below to the clipboard by highlighting them and pressing Control-C:
    C:\WINDOWS\system32\csqjq.exe
    C:\WINDOWS\system32\appmgmt


    Return to Killbox
    • Go to the File menu, and choose "Paste from Clipboard".
    • Click the red-and-white "Delete File" button.
    • Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending operations prompt.


    Reboot and run ComboFix first, then HJT and post both logs back into this thread.
     
  8. 2006/12/04
    mikeyewz (Thread Starter)
    Fixwareout ver 1.003
    Last edited 8/11/2006
    Post this report in the forums please

    Reg Entries that were deleted
    ...

    Microsoft (R) Windows Script Host Version 5.6
    Random Runs removed from HKLM
    ...

    PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

    »»»»» Searching by size/names...

    »»»»»
    Search five digit cs, dm and jb files.
    This WILL/CAN also list Legit Files, Submit them at Virustotal

    Other suspects.
    Directory of C:\WINDOWS\system32

    »»»»» Misc files.

    »»»»» Checking for older varients covered by the Rem3 tool.


    ComboFix 06.11.27W - Running from: "C:\Documents and Settings\Mike Hughes\Desktop "

    ((((((((((((((((((((((((((((((( Files Created from 2006-11-04 to 2006-12-04 ))))))))))))))))))))))))))))))))))


    2006-12-02 22:22 <DIR> d-------- C:\!KillBox
    2006-11-30 19:35 <DIR> d-------- C:\Program Files\a-squared HiJackFree
    2006-11-30 19:29 <DIR> d-------- C:\Program Files\Advanced Spyware Remover
    2006-11-30 15:41 <DIR> d-------- C:\Program Files\Roguescanfix
    2006-11-30 15:38 <DIR> d-------- C:\WINDOWS\temp
    2006-11-30 15:16 1,716 --a------ C:\WINDOWS\system32\tmp.reg
    2006-11-29 15:32 <DIR> dr-h----- C:\Documents and Settings\Mike Hughes\Recent
    2006-11-25 00:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
    2006-11-24 22:55 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
    2006-11-24 21:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe
    2006-11-24 21:29 <DIR> d-------- C:\Program Files\Photoshop CS2
    2006-11-22 18:01 <DIR> d-------- C:\Gigposters
    2006-11-21 14:45 <DIR> d-------- C:\Program Files\Microsoft ActiveSync


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-12-04 16:28 -------- d-------- C:\Program Files\AntiVirus Spybot etc Installation
    2006-12-04 00:59 -------- d-------- C:\Program Files\Mozilla Firefox
    2006-12-02 18:54 -------- d-------- C:\Program Files\hijackthis
    2006-11-30 18:51 -------- d-------- C:\Program Files\SpywareBlaster
    2006-11-30 16:25 -------- d---s---- C:\Documents and Settings\Mike Hughes\Application Data\Microsoft
    2006-11-29 15:44 -------- d-------- C:\Documents and Settings\Mike Hughes\Application Data\Adobe
    2006-11-29 02:01 -------- d-------- C:\Program Files\RegScrubXP
    2006-11-27 18:43 -------- d-------- C:\Program Files\All Concert Posters
    2006-11-25 00:17 -------- d-------- C:\Program Files\Adobe
    2006-11-25 00:16 -------- d-------- C:\Program Files\Common Files\Adobe
    2006-11-24 22:55 -------- d-------- C:\Program Files\Common Files
    2006-11-21 14:45 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
    2006-11-21 14:37 -------- d-------- C:\Program Files\Microsoft Office
    2006-11-21 14:37 -------- d-------- C:\Program Files\Common Files\System
    2006-10-24 13:29 -------- d-------- C:\Documents and Settings\Mike Hughes\Application Data\Mozilla
    2006-10-24 13:12 -------- d-------- C:\Program Files\Viewpoint
    2006-10-24 13:11 -------- d-------- C:\Program Files\Common Files\xing shared
    2006-10-24 13:11 -------- d-------- C:\Program Files\Common Files\Real
    2006-10-24 13:09 90832 --a------ C:\WINDOWS\NSUninst.exe
    2006-10-24 13:09 -------- d-------- C:\Program Files\Netscape
    2006-10-24 12:59 -------- d-------- C:\Program Files\Windows Media Player
    2006-10-14 13:56 -------- d-------- C:\Documents and Settings\Mike Hughes\Application Data\Apple Computer
    2006-10-14 13:39 -------- d-------- C:\Program Files\QuickTime
    2006-10-14 13:38 -------- d-------- C:\Program Files\Apple Software Update
    2006-10-13 14:24 -------- d-------- C:\Program Files\ANAGRAM_MAKER
    2006-10-12 20:19 -------- d-------- C:\Program Files\Internet Explorer
    2006-10-12 20:18 76560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2006-10-12 17:49 -------- d-------- C:\Program Files\DeskProto 4.1 Trial
    2006-10-12 16:06 -------- d-------- C:\Program Files\Anim-FX
    2006-10-12 15:33 -------- d-------- C:\Program Files\Grisoft
    2006-10-04 10:18 14566 --a------ C:\WINDOWS\system32\drivers\cdntran.sys
    2006-10-01 14:20 622746 --a------ C:\Program Files\Common Files\tmp1.exe
    2006-09-25 15:45 666240 --a------ C:\WINDOWS\system32\aswBoot.exe
    2006-09-25 15:37 90112 --a------ C:\WINDOWS\system32\AVASTSS.scr


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "SpeedTouch USB Diagnostics "= "\ "C:\\Program Files\\Thomson\\SpeedTouch USB\\Dragdiag.exe\" /icon "
    "avast! "= "C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe "
    "Zone Labs Client "= "\ "C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\" "
    "QuickTime Task "= "\ "C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed "= "1 "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed "= "1 "
    "NoChange "= "1 "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed "= "1 "

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion "=dword:00000110
    "DeskHtmlMinorVersion "=dword:00000005
    "Settings "=dword:00000001
    "GeneralFlags "=dword:00000000

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE "= "C:\\WINDOWS\\System32\\CTFMON.EXE "

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE "= "C:\\WINDOWS\\System32\\CTFMON.EXE "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972} "=" "
    "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8} "= "Eudora's Shell Extension "
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8} "= "AVG Anti-Spyware 7.5 "

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "NoColorChoice "=dword:00000000
    "NoSizeChoice "=dword:00000000
    "NoDispScrSavPage "=dword:00000000
    "NoDispCPL "=dword:00000000
    "NoVisualStyleChoice "=dword:00000000
    "NoDispSettingsPage "=dword:00000000
    "NoDispAppearancePage "=dword:00000000
    "NoDispBackgroundPage "=dword:00000000

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system\Shell]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091
    "LinkResolveIgnoreLinkInfo "=dword:00000000
    "NoActiveDesktop "=dword:00000000
    "NoSaveSettings "=dword:00000000
    "ClassicShell "=dword:00000000
    "NoThemesTab "=dword:00000000
    "ForceActiveDesktopOn "=dword:00000000

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylastusername "=dword:00000000
    "legalnoticecaption "=" "
    "legalnoticetext "=" "
    "shutdownwithoutlogon "=dword:00000001
    "undockwithoutlogon "=dword:00000001
    "DisableTaskMgr "=dword:00000000

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "LinkResolveIgnoreLinkInfo "=dword:00000000
    "NoResolveSearch "=dword:00000001
    "NoActiveDesktopChanges "=dword:00000000

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "PostBootReminder "= "{7849596a-48ea-486e-8937-a2a3009f31a9} "
    "CDBurn "= "{fbeb8a05-beee-4442-804e-409d6c4515e9} "
    "WebCheck "= "{E6FB5E20-DE35-11CF-9C87-00AA005127ED} "
    "SysTray "= "{35CEC8A3-2BE6-11D2-8773-92E220524153} "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlPanel]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "per "
    "hkey "= "HKLM "
    "command "= "C:\\WINDOWS\\System32\\per.exe internat.dll,LoadKeyboardProfile "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "msmsgs "
    "hkey "= "HKCU "
    "command "= "\ "C:\\Program Files\\Messenger\\msmsgs.exe\" /background "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "jusched "
    "hkey "= "HKLM "
    "command "= "C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders "= "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll "


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\Advanced WindowsCare.job
    C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    C:\WINDOWS\tasks\AwcUpdate.job

    Completion time: 06-12-04 16:29:36.98
    C:\ComboFix.txt ... 06-12-04 16:29
    C:\ComboFix2.txt ... 06-12-02 19:03
    C:\ComboFix3.txt ... 06-12-02 19:00
    Logfile of HijackThis v1.99.1
    Scan saved at 16:30:25, on 04/12/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\IObit\Advanced WindowsCare V2\Awc.exe
    C:\Program Files\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    N3 - Netscape 7: user_pref( "browser.search.defaultengine ", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src "); (C:\Documents and Settings\Mike Hughes\Application Data\Mozilla\Profiles\default\0uk52gbt.slt\prefs.js)
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
  9. 2006/12/04
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, all the above looks to be clear. How is the box performing at this point? Any more problematic symptoms? Let me know.
     
  10. 2006/12/04
    mikeyewz

    mikeyewz Inactive Thread Starter

    Joined:
    2005/07/05
    Messages:
    24
    Likes Received:
    0
    Everything is fine!! Thank you very much for your time!! Mike.:)
     
  11. 2006/12/04
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    We have 3 more things to do, mostly maintenance and then our recommendations:

    Empty the TIF (Temporary Internet Files)
    Delete all the files in (and any subfolders of) the C:\Windows\Temp folder
    The app below will help with temp files.
    Index.dat Suite

    Also, delete all your cookies, and empty your recycle bin. But remember, by deleting your cookies, you will have to re-enter any passwords and log-in info for any sites you are usually required to do so with.

    This would also be a good time to set a new system restore point for your machine.
    Set New System Restore Point. Do not do this unless there are no other user accounts to be diagnosed.

    Also, as you are an XP user, if there are any other accounts on this machine, they too, must be cleaned with AdAware, Spybot S&D, then HJT. Not all infections are global, nor are all the HJT fixes global. You can post each user account here into this thread, but please, do only one at a time to avoid confusion.

    Here is a link which describes how security apps work with WIN XP machines.
    XP User Accts Security Apps Operation

    To further prevent the installation of ad/mal/spyware, DL the apps below, which are just as good in the fight against ad/mal/spyware as AdAware & Spybot S&D:

    SpywareBlaster
    With SpywareBlaster v3.5.1, just DL, install and check for updates, enable Internet Explorer protection, and you're done! I don't recommend using IE restricted sites protection as it's not a very large database. Use IE-SPYADs below.

    To keep known malware-infested sites from loading in IE, install IESPY ADS.
    And MVPS Hosts File will accomplish a similar tactic and provide another layer of protection.

    And to prevent unknown applications from being inserted into startup on your machine, install WinPatrol v10.0.5.

    Another thing I would suggest is to install SiteAdvisor. It gives sites a few different 'ratings' and, while not foolproof, it is a good additional layer of information about many sites.

    Links for tutorials for all the apps I mentioned can be found on my site as well.

    Confused about which apps are good or not? Read about Rogue/Approved Anti-Security apps.

    And even though you have security apps installed, they are useless unless updated regularly. Keep track of updates for ALL your security needs here:
    Calendar of Updates

    Subscribe to update alerts for all the above security apps here.

    You can also see my own ongoing security testing with all the above apps, proving how securely you can stay safe with them installed.
    TeMerc Test Box Forum

    Happy surfing!!
    Tom :D


    Due to resolution or the lack of feedback this topic is closed.

    If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.
     