1. You are viewing our forum as a guest. For full access please Register. WindowsBBS.com is completely free, paid for by advertisers and donations.

Google Redirect Issue

Discussion in 'Malware and Virus Removal Archive' started by adamc, 2007/06/21.

  1. 2007/06/21
    adamc

    adamc Inactive Thread Starter

    Joined:
    2007/06/21
    Messages:
    4
    Likes Received:
    0
    Hey guys, I have tried cleaning this on my own, but it will not go away!

    Here is the log file...Thanks in advanced!



    Logfile of HijackThis v1.99.1
    Scan saved at 9:27:32 PM, on 21/06/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
    C:\Program Files\Shaw Secure\Common\FSM32.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\PROGRA~1\MICROS~2\rapimgr.exe
    C:\PROGRA~1\SHAWSE~1\backweb\3875767\Program\SERVIC~1.EXE
    C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
    C:\Program Files\Shaw Secure\backweb\3875767\program\fsbwsys.exe
    C:\Program Files\Shaw Secure\Anti-Virus\FSGK32.EXE
    C:\Program Files\Shaw Secure\Common\FSMA32.EXE
    C:\Program Files\Shaw Secure\Anti-Virus\fssm32.exe
    C:\WINDOWS\System32\NMSSvc.exe
    C:\Program Files\Shaw Secure\Common\FSMB32.EXE
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Shaw Secure\Common\FCH32.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Shaw Secure\backweb\3875767\Program\fspex.exe
    C:\Program Files\Shaw Secure\Common\FAMEH32.EXE
    C:\Program Files\Shaw Secure\Anti-Virus\fsqh.exe
    C:\Program Files\Shaw Secure\Anti-Virus\fsrw.exe
    C:\Program Files\Shaw Secure\FSPC\fspc.exe
    C:\Program Files\Shaw Secure\Anti-Virus\fsav32.exe
    C:\Program Files\Shaw Secure\FSPC\fshttps\fshttps.exe
    C:\WINDOWS\System32\alg.exe
    C:\PROGRA~1\SHAWSE~1\ANTI-S~1\fsaw.exe
    C:\Program Files\Shaw Secure\FSGUI\fsguidll.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
    C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Adam Cote\Local Settings\Temporary Internet Files\Content.IE5\LAY6NS94\hijackthis_sfx[1].exe
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/1009/bl8.asp
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com/1Q00CDT/1009/bl7.asp
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe "
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Shaw Secure\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Shaw Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Shaw Secure\FSGUI\FSSW.EXE" /reboot
    O4 - HKLM\..\Run: [News Service] "C:\Program Files\Shaw Secure\FSGUI\ispnews.exe "
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe "
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Shaw Secure.lnk = C:\Program Files\Shaw Secure\backweb\3875767\Program\fspex.exe
    O8 - Extra context menu item: &Block this popup - C:\Program Files\Shaw Secure\Anti-Spyware\blockpopups.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
    O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
    O9 - Extra 'Tools' menuitem: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
    O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Shaw Secure\Anti-Spyware\ieshield.dll
    O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Shaw Secure\Anti-Spyware\ieshield.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1168214256233
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168214815014
    O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab55762.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab55579.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{24872FAE-9D27-48F5-BA37-94D803022911}: NameServer = 85.255.114.110,85.255.112.170
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3813FD82-CCB0-4859-BE1D-81D44E66454B}: NameServer = 85.255.114.110,85.255.112.170
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4A8BAE34-F224-4055-8EEC-05D36547E0D9}: NameServer = 85.255.114.110,85.255.112.170
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.110 85.255.112.170
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.110 85.255.112.170
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Shaw Secure (BackWeb Plug-in - 3875767) - BackWeb Technologies Inc. - C:\PROGRA~1\SHAWSE~1\backweb\3875767\Program\SERVIC~1.EXE
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
    O23 - Service: FSBWSYS - F-Secure Corp. - C:\Program Files\Shaw Secure\backweb\3875767\program\fsbwsys.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\Shaw Secure\FSPC\fshttps\fshttps.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Shaw Secure\Common\FSMA32.EXE
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
     
    adamc,
    #1
  2. 2007/06/22
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Hi and welcome :)

    Your internet in general acting wonky as well?
    Your LSP (layered Service Providers) are corrupted as result of improperly uninstalled "Pure Insight Content Monitor ".
    The dll was deleted but registry entries for it was not.

    Also have DNSChanger trojan.
    This adds malware DNS Server entries so instead of you getting http requests from your ISP you get them from malware domail.
    Normally just end up with junky search engine pages.

    Let's try & get both issues.

    Download and save http://www.cexx.org/LSPFix.exe
    Double click LSPFix.exe
    winsflt.dll should be listed at right.
    You just need to click the finish button and reboot.
    Don't move any other files listed!

    Once restarted.....

    You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://swandog46.geekstogo.com/Fixwareout.exe

    Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts.
    If Shaw-Secure asks about "download.exe" needing internet access. Allow it.

    You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

    When your system reboots, follow the prompts.

    Start Hijackthis
    Run system scan and check:

    O17 - HKLM\System\CCS\Services\Tcpip\..\{24872FAE-9D27-48F5-BA37-94D803022911}: NameServer = 85.255.114.110,85.255.112.170
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3813FD82-CCB0-4859-BE1D-81D44E66454B}: NameServer = 85.255.114.110,85.255.112.170
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4A8BAE34-F224-4055-8EEC-05D36547E0D9}: NameServer = 85.255.114.110,85.255.112.170
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.110 85.255.112.170
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.110 85.255.112.170


    Close ALL open windows except Hijackthis and click "fix checked "

    Exit Hijackthis.

    Click Start > Connect to > Show all connections.
    Right click on your default connection, usually local area connection for cable and dsl.
    Left click on Properties.
    Click the Networking tab.
    Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says "Obtain DNS servers automatically ".
    Press OK twice to get out of the properties screen and reboot if it asks. (That option might not be available on some systems).

    Next:

    Click Start > Run type cmd and hit OK.
    Type ipconfig /flushdns then hit enter, (Note: there is a space between ipconfig and /flushdns).
    Type exit hit enter


    Open the your root folder (usualy c) c:\fixwareout\report.txt and
    post it in reply here along with a new hijackthis log.

    Let me know how things are running.

    Thanks :)
     
    Blender,
    #2


  3. to hide this advert.

  4. 2007/06/22
    adamc

    adamc Inactive Thread Starter

    Joined:
    2007/06/21
    Messages:
    4
    Likes Received:
    0
    Thanks so much for the help! This is the report from fixwareout:


    Fixwareout Last edited 6/20/2007
    Post this report in the forums please
    ...
    »»»»»Prerun check
    HKLM\SOFTWARE\~\Winlogon\ "System "= "kdpmo.exe "

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    "nameserver "= "85.255.114.110" <Value cleared.
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{24872FAE-9D27-48F5-BA37-94D803022911}
    "nameserver "= "85.255.114.110,85.255.112.170" <Value cleared.
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{3813FD82-CCB0-4859-BE1D-81D44E66454B}
    "nameserver "= "85.255.114.110,85.255.112.170" <Value cleared.
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{4A8BAE34-F224-4055-8EEC-05D36547E0D9}
    "nameserver "= "85.255.114.110,85.255.112.170" <Value cleared.
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{208ED930-BF27-4544-AFF3-8030C3F59F24}
    "DhcpNameServer "= "85.255.114.110,85.255.112.170" <Value cleared.
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{4A8BAE34-F224-4055-8EEC-05D36547E0D9}
    "DhcpNameServer "= "85.255.114.110,85.255.112.170" <Value cleared.

    Successfully flushed the DNS Resolver Cache.


    System was rebooted successfully.

    »»»»» Postrun check
    HKLM\SOFTWARE\~\Winlogon\ "system "=" "
    ....
    ....
    »»»»» Misc files.
    ....
    »»»»» Checking for older varients.
    ....

    Search five digit cs, dm, kd, jb, other, files.
    The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.


    Click browse, find the file then click submit.
    http://www.virustotal.com/flash/index_en.html
    Or http://virusscan.jotti.org/

    »»»»» Other
    C:\WINDOWS\Temp\kdpmo.ren 66363 04/08/2004

    »»»»» Current runs
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray "= "C:\\WINDOWS\\system32\\igfxtray.exe "
    "HotKeysCmds "= "C:\\WINDOWS\\system32\\hkcmd.exe "
    "Smapp "= "C:\\Program Files\\Analog Devices\\SoundMAX\\Smtray.exe "
    "DrvLsnr "= "C:\\Program Files\\Analog Devices\\SoundMAX\\DrvLsnr.exe "
    "AutoLogon "=" "
    "SunJavaUpdateSched "= "\ "C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\" "
    "F-Secure Manager "= "\ "C:\\Program Files\\Shaw Secure\\Common\\FSM32.EXE\" /splash "
    "F-Secure TNB "= "\ "C:\\Program Files\\Shaw Secure\\TNB\\TNBUtil.exe\" /CHECKALL /WAITFORSW "
    "F-Secure Startup Wizard "= "\ "C:\\Program Files\\Shaw Secure\\FSGUI\\FSSW.EXE\" /reboot "
    "News Service "= "\ "C:\\Program Files\\Shaw Secure\\FSGUI\\ispnews.exe\" "
    "HP Software Update "= "C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe "
    "QuickTime Task "= "\ "C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime "

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsnMsgr "= "\ "C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background "
    "ctfmon.exe "= "C:\\WINDOWS\\system32\\ctfmon.exe "
    "H/PC Connection Agent "= "\ "C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe\" "
    ....
    Hosts file was reset, If you use a custom hosts file please replace it
    »»»»» End report »»»»»


    I will post the log from hijackthis in a second.....
     
    adamc,
    #3
  5. 2007/06/22
    adamc

    adamc Inactive Thread Starter

    Joined:
    2007/06/21
    Messages:
    4
    Likes Received:
    0
    And here is the log file from hijackthis.....


    Logfile of HijackThis v1.99.1
    Scan saved at 6:22:58 PM, on 22/06/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\SHAWSE~1\backweb\3875767\Program\SERVIC~1.EXE
    C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
    C:\Program Files\Shaw Secure\backweb\3875767\program\fsbwsys.exe
    C:\Program Files\Shaw Secure\Anti-Virus\FSGK32.EXE
    C:\Program Files\Shaw Secure\Common\FSMA32.EXE
    C:\Program Files\Shaw Secure\Anti-Virus\fssm32.exe
    C:\WINDOWS\System32\NMSSvc.exe
    C:\Program Files\Shaw Secure\Common\FSMB32.EXE
    C:\Program Files\Shaw Secure\backweb\3875767\Program\fspex.exe
    C:\Program Files\Shaw Secure\Common\FCH32.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Shaw Secure\Common\FAMEH32.EXE
    C:\Program Files\Shaw Secure\Anti-Virus\fsqh.exe
    C:\Program Files\Shaw Secure\Anti-Virus\fsrw.exe
    C:\Program Files\Shaw Secure\FSPC\fspc.exe
    C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
    C:\Program Files\Shaw Secure\Anti-Virus\fsav32.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
    C:\Program Files\Shaw Secure\Common\FSM32.EXE
    C:\Program Files\Shaw Secure\FSGUI\ispnews.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\SHAWSE~1\ANTI-S~1\fsaw.exe
    C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    C:\Program Files\Shaw Secure\FSGUI\fsguidll.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\MICROS~2\rapimgr.exe
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/1009/bl8.asp
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com/1Q00CDT/1009/bl7.asp
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe "
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Shaw Secure\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Shaw Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Shaw Secure\FSGUI\FSSW.EXE" /reboot
    O4 - HKLM\..\Run: [News Service] "C:\Program Files\Shaw Secure\FSGUI\ispnews.exe "
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe "
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Shaw Secure.lnk = C:\Program Files\Shaw Secure\backweb\3875767\Program\fspex.exe
    O8 - Extra context menu item: &Block this popup - C:\Program Files\Shaw Secure\Anti-Spyware\blockpopups.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
    O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
    O9 - Extra 'Tools' menuitem: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
    O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Shaw Secure\Anti-Spyware\ieshield.dll
    O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Shaw Secure\Anti-Spyware\ieshield.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1168214256233
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168214815014
    O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab55762.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab55579.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Shaw Secure (BackWeb Plug-in - 3875767) - BackWeb Technologies Inc. - C:\PROGRA~1\SHAWSE~1\backweb\3875767\Program\SERVIC~1.EXE
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
    O23 - Service: FSBWSYS - F-Secure Corp. - C:\Program Files\Shaw Secure\backweb\3875767\program\fsbwsys.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\Shaw Secure\FSPC\fshttps\fshttps.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Shaw Secure\Common\FSMA32.EXE
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
     
    adamc,
    #4
  6. 2007/06/22
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Hi,

    Logs look good.
    You can delete FixWareout.exe and LSPFix.exe.

    Please also do the following:

    After a fresh reboot (in case some software has to finish updates) click start> run> type cleanmgr and hit enter.
    Cleaning drive c:\...
    Have checked ONLY:

    Temporary files
    Temporary Internet files
    Recycle bin

    Hit OK to clean up.

    Once done....I want to double check with online scan we don't have something else dormant laying around.

    Using Internet Explorer please do an online scan with Kaspersky Online Scanner

    Click on Kaspersky Online Scanner

    You will be promted to install an ActiveX component from Kaspersky, Click Yes.
    • The program will launch and then start to download the latest definition files.
    • Once the scanner is installed and the definitions downloaded, click Next.
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        • Extended (If available otherwise Standard)
      • Scan Options:
        • Scan Archives
        • Scan Mail Bases
    • Click OK
    • Now under select a target to scan select My Computer
    • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
    • Now click on the Save report button.
    • Call it Kaspersky.txt
    • Expand the arrow beside "file types" and save as .txt file.
    • Save the file to your desktop.
    • Copy and paste that information in your next post.


    *Note
    It is recommended to disable onboard antivirus program and antispyware programs while performing scans so no conflicts and to speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.

    *Note2
    If you have Internet Explorer 7 installed:
    If you have trouble getting past the initial download you may need to use the "zoom" tool at bottom right of the scanner window and increase it to 125% to see and press the "accept" button.
    Page will reload and you should be able to carry on scan.

    thanks :)
     
    Blender,
    #5

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...