Google Redirecting

Discussion in 'Malware and Virus Removal Archive' started by kdawg8762, 2007/11/16.

  1. 2007/11/30
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please verify that the script is named correctly: it must be CFScript.txt
    Did you try disabling your realtime protections?
     
  2. 2007/11/30
    kdawg8762

    kdawg8762 Inactive Thread Starter

    Joined:
    2007/11/16
    Messages:
    64
    Likes Received:
    0
    Yes

    Yes and yes. It took me about 4 tries to run it yesterday.
     

  4. 2007/11/30
    kdawg8762

    It worked

    It finally worked. I have sent the file and since you asked last time, here is the log file and a new HJT:

    ComboFix 07-11-19.4C - kshields 2007-11-30 13:29:09.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.945 [GMT -6:00]
    Running from: C:\Documents and Settings\kshields\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\kshields\Desktop\CFScript.txt
    * Created a new restore point

    FILE
    C:\WINDOWS\system32\sdfixwcs.dll
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\attrib.dll
    C:\WINDOWS\system32\dumprep.dll
    C:\WINDOWS\system32\igxpgd32.cpl
    C:\WINDOWS\system32\sdfixwcs.dll
    C:\WINDOWS\system32\tlntadmn.dll

    .
    ((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-30 )))))))))))))))))))))))))))))))
    .

    2007-11-28 14:55 <DIR> d-------- C:\Program Files\Common Files\Avery
    2007-11-28 14:55 <DIR> d-------- C:\Program Files\Avery Wizard 3.1
    2007-11-27 09:01 20,480 --a------ C:\WINDOWS\system32\drivers\flpydisk.sys
    2007-11-27 09:01 8,192 --a------ C:\WINDOWS\system32\drivers\changer.sys
    2007-11-26 08:41 20,480 --a------ C:\WINDOWS\system32\drivers\SET37.tmp
    2007-11-24 16:35 <DIR> d-------- C:\Deckard
    2007-11-20 15:52 <DIR> d-------- C:\Documents and Settings\kshields\DoctorWeb
    2007-11-20 15:47 <DIR> d-------- C:\Documents and Settings\kshields\SecurityScans
    2007-11-20 15:46 <DIR> d-------- C:\Program Files\Microsoft Baseline Security Analyzer 2
    2007-11-17 18:04 <DIR> d-------- C:\Program Files\SpywareGuard
    2007-11-17 18:01 <DIR> d-------- C:\Program Files\SpywareBlaster
    2007-11-17 16:51 <DIR> d-------- C:\Program Files\BillP Studios
    2007-11-17 16:51 <DIR> d-------- C:\Documents and Settings\kshields\Application Data\WinPatrol
    2007-11-17 16:48 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2007-11-17 16:48 <DIR> d-------- C:\Documents and Settings\kshields\Application Data\AVG7
    2007-11-17 16:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
    2007-11-17 01:33 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-11-17 01:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-11-17 00:51 <DIR> d-------- C:\Program Files\Trend Micro
    2007-11-16 15:24 <DIR> d-------- C:\HJT
    2007-11-15 10:50 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
    2007-10-22 07:39 <DIR> d-------- C:\Program Files\MSXML 4.0
    2007-10-18 13:30 <DIR> d-------- C:\Documents and Settings\kshields\Application Data\Business Objects
    2007-10-18 13:03 <DIR> d-------- C:\Program Files\Business Objects
    2007-10-18 12:55 <DIR> d-------- C:\Program Files\CurtisDataPro
    2007-10-17 12:54 6,058,496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
    2007-10-17 12:54 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
    2007-10-17 12:54 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
    2007-10-17 12:54 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
    2007-10-17 12:54 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
    2007-10-17 12:54 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
    2007-10-17 12:54 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
    2007-10-17 12:54 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
    2007-10-17 12:54 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
    2007-10-10 12:21 <DIR> d-------- C:\VundoFix Backups
    2007-10-10 09:49 <DIR> d-------- C:\WINDOWS\BDOSCAN8
    2007-10-10 09:22 <DIR> d-------- C:\Documents and Settings\kshields.GVMG-61476\Application Data\Grisoft
    2007-10-10 09:03 <DIR> d-------- C:\Documents and Settings\kshields\Application Data\Grisoft
    2007-10-10 08:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2007-10-10 08:56 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2007-10-10 08:55 <DIR> d-------- C:\Spybot - Search & Destroy
    2007-10-10 08:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-10-09 18:13 <DIR> d-------- C:\Documents and Settings\kshields\Bluetooth Software
    2007-10-09 09:06 <DIR> d-------- C:\Program Files\Windows Media Connect 2
    2007-10-09 09:05 <DIR> d-------- C:\WINDOWS\system32\LogFiles
    2007-10-09 09:05 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
    2007-10-09 09:05 <DIR> d-------- C:\edc88193da4eb0171734ee7b1099
    2007-10-09 09:03 215,552 --a--c--- C:\WINDOWS\system32\dllcache\SET72.tmp
    2007-10-09 09:03 193,024 --a--c--- C:\WINDOWS\system32\dllcache\SET71.tmp
    2007-10-09 08:54 <DIR> d-------- C:\Documents and Settings\kshields\Application Data\OfficeUpdate12
    2007-10-09 08:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
    2007-10-08 15:45 <DIR> d-------- C:\Program Files\Lavasoft
    2007-10-08 15:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-10-08 15:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-28 20:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-11-28 20:54 --------- d-----w C:\Program Files\Common Files\InstallShield
    2007-10-01 22:27 281,600 ----a-w C:\WINDOWS\system32\drivers\ADIHdAud.sys
    2007-09-17 22:40 524,288 ----a-w C:\WINDOWS\opuc.dll
    2007-09-05 01:04 48,768 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
    2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    2007-08-13 23:54 413,696 ----a-w C:\WINDOWS\system32\vbscript.dll
    2007-08-13 23:54 156,160 ----a-w C:\WINDOWS\system32\msls31.dll
    2007-08-13 23:45 78,336 ----a-w C:\WINDOWS\system32\ieencode.dll
    2007-08-13 23:44 40,960 ----a-w C:\WINDOWS\system32\licmgr10.dll
    2007-08-13 23:39 71,680 ----a-w C:\WINDOWS\system32\admparse.dll
    2007-08-13 23:39 55,296 ----a-w C:\WINDOWS\system32\iesetup.dll
    2007-08-13 23:36 36,352 ----a-w C:\WINDOWS\system32\imgutil.dll
    2007-08-13 23:32 45,568 ----a-w C:\WINDOWS\system32\mshta.exe
    2007-08-13 23:01 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll
    2006-07-25 00:29 1,705,216 ----a-w C:\Program Files\Common Files\SAExcel.dll
    .
     
  5. 2007/11/30
    kdawg8762

    Combofix log file pt. 2

    ((((((((((((((((((((((((((((( snapshot_2007-11-29_ 9.05.36.54 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2007-11-30 19:32:13 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_978.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 06:00]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMAX "= "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2006-07-13 06:12]
    "AccelerometerSysTrayApplet "= "C:\WINDOWS\system32\AccelerometerSt.exe" [2007-01-24 13:28]
    "SynTPEnh "= "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-07 23:47]
    "IgfxTray "= "C:\WINDOWS\system32\igfxtray.exe" [2007-02-26 10:34]
    "HotKeysCmds "= "C:\WINDOWS\system32\hkcmd.exe" [2007-02-26 10:34]
    "Persistence "= "C:\WINDOWS\system32\igfxpers.exe" [2007-02-26 10:33]
    "Mouse Suite 98 Daemon "= "ICO.EXE" [2003-11-20 13:08 C:\WINDOWS\system32\ico.exe]
    "ccApp "= "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 16:38]
    "vptray "= "C:\PROGRA~1\SYMANT~1\VPTray.exe" [2007-03-14 18:49]
    "Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
    "SoundMAXPnP "= "C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 16:36]
    "!AVG Anti-Spyware "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25]
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-17 16:48]
    "WinPatrol "= "C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2007-10-26 10:06]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run "= "C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-17 16:48]

    C:\Documents and Settings\kshields\Start Menu\Programs\Startup\
    SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-02-06 14:14:00]
    EBSCO Industries, Inc. EBSCO VPN Client.lnk - C:\Program Files\EBSCO VPN Client\vpngui.exe [2007-09-05 11:24:21]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools "= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoWelcomeScreen "= 1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "DisallowRun "= 1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
    "1 "= musrmgr.exe
    "2 "= user manager.exe
    "3 "= usrmgr.exe
    "4 "= USRMGR.exe
    "5 "= yahoomessenger.exe
    C:\WINDOWS\system32\NavLogon.dll 2007-03-14 18:49 43712 C:\WINDOWS\system32\NavLogon.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
    "Script "=\\ebsco.com\SysVol\ebsco.com\scripts\SetDefaultAccess.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1164127803-1809399719-1542849698-26035\Scripts\Logon\0\0]
    "Script "=\\ebsco.com\SysVol\ebsco.com\scripts\SetDefaultAccess.cmd

    R2 CcmExec;SMS Agent Host;C:\WINDOWS\system32\CCM\CcmExec.exe
    R2 SWIHPWMI;SWIHPWMI;C:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe
    R2 Wuser32;SMS Remote Control Agent;C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
    R3 idisw2km;idisw2km;C:\WINDOWS\system32\DRIVERS\idisw2km.sys
    R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS
    R3 kbstuff;SMS Virtual Keyboard;C:\WINDOWS\system32\DRIVERS\kbstuff5.sys
    S3 HP24X;HP PC Card Smart Card Reader;C:\WINDOWS\system32\DRIVERS\HP24X.sys
    S3 pelmouse;Mouse Suite Driver;C:\WINDOWS\system32\DRIVERS\pelmouse.sys
    S3 pelusblf;USB Mouse Low Filter Driver;C:\WINDOWS\system32\DRIVERS\pelusblf.sys
    S3 prepdrvr;SMS Process Event Driver;\??\C:\WINDOWS\system32\CCM\prepdrv.sys

    .
    **************************************************************************

    catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-30 13:32:51
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-30 13:33:40 - machine was rebooted
    C:\ComboFix2.txt ... 2007-11-29 09:06
    C:\ComboFix3.txt ... 2007-10-10 12:28
    .
    --- E O F ---
     
  6. 2007/11/30
    kdawg8762

    HJT log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 13:38, on 2007-11-30
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\agrsmsvc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\EBSCO VPN Client\cvpnd.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
    C:\WINDOWS\system32\CCM\CcmExec.exe
    C:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Citrix\ICA Client\ssonsvr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\AccelerometerSt.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\ICO.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\WINDOWS\system32\FSRremoS.EXE
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Symantec AntiVirus\DoScan.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebsco.com/intranet
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
    O4 - HKLM\..\Run: [AccelerometerSysTrayApplet] C:\WINDOWS\system32\AccelerometerSt.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Bluetooth.lnk = ?
    O4 - Global Startup: EBSCO Industries, Inc. EBSCO VPN Client.lnk = C:\Program Files\EBSCO VPN Client\vpngui.exe
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {02ED726B-6517-4245-8E46-233E4B91CEE3} (Bo6bootstrap Control) - http://datapro65.curtiscirc.com/wiasp/distribution/install.cab
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1188952783593
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {EE6DD3BD-B5E5-4A05-9FF2-9DB265522F0E} (ZaboCheckAndRunControl Class) - http://datapro65.curtiscirc.com/wiasp/distribution/ZaboIEen.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ebsco.com
    O17 - HKLM\Software\..\Telephony: DomainName = ebsco.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{86271394-07EF-496B-8121-0BA1B7CA1CD6}: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F536D696-C888-486B-AEB1-BD0E3D2D84EB}: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ebsco.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ebsco.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O23 - Service: aawservice - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\EBSCO VPN Client\cvpnd.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: SWIHPWMI - Sierra Wireless Inc. - C:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

    --
    End of file - 10203 bytes
     
  7. 2007/12/01
    noahdfear

    Logs look good. Has there been any change in behavior?

    Please do a search of the drive for the following files and let me know if found. Make sure you are able to view hidden files.

    autoconv.dll
    csrss.dll
    defrag.dll
    dpvsetup.dll
    dxdiag.dll
    fsrremos.dll
    krnl386.dll
    nlsfunc.dll
    reset.dll
    rundll32.dll
    spupdsvc.dll
    tlntsess.dll
    tracert6.dll
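
    The drive search requested above, as an added example that is not part of the thread and not a tool anyone in it used. It walks a directory tree and reports, for each of the thirteen stems, whether a .dll and/or a .exe of that name exists, with size and whether the file carries the hidden attribute. The point of doing it this way rather than through Explorer is the helper's caveat: os.walk() lists hidden and system files no matter how the folder view is configured (at a cmd prompt, `dir C:\ /s /a autoconv.dll` is the equivalent one-name-at-a-time check). demo() builds a constructed sample tree, so nothing it returns reflects the poster's real drive; pass a path such as C:\WINDOWS to run the real check.

```python
import os
import shutil
import sys
import tempfile
from pathlib import Path

# Stems from the helper's list. Both extensions are checked: a same-named
# .exe is expected for most of these, a .dll is what the helper is hunting.
SUSPECT_STEMS = [
    "autoconv", "csrss", "defrag", "dpvsetup", "dxdiag", "fsrremos",
    "krnl386", "nlsfunc", "reset", "rundll32", "spupdsvc", "tlntsess",
    "tracert6",
]
EXTENSIONS = (".dll", ".exe")
FILE_ATTRIBUTE_HIDDEN = 0x2  # Win32 attribute bit; st_file_attributes exists only on Windows


def is_hidden(path: Path) -> bool:
    """Hidden = FILE_ATTRIBUTE_HIDDEN on Windows, leading dot elsewhere.
    os.walk() lists such files either way; only Explorer hides them."""
    attrs = getattr(path.lstat(), "st_file_attributes", 0)
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN) or path.name.startswith(".")


def find_suspect_files(root, stems=SUSPECT_STEMS, exts=EXTENSIONS):
    """Walk root; return {stem: [(path, ext, size, hidden), ...]}.
    Matching is case-insensitive because NTFS is."""
    wanted = {s.lower() for s in stems}
    hits = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            stem, ext = os.path.splitext(name)
            if stem.lower() not in wanted or ext.lower() not in exts:
                continue
            p = Path(dirpath) / name
            try:
                size = p.lstat().st_size
            except OSError:  # vanished or locked between listing and stat
                continue
            hits.setdefault(stem.lower(), []).append(
                (str(p), ext.lower(), size, is_hidden(p)))
    return hits


def summarize(hits, stems=SUSPECT_STEMS):
    """[(stem, sorted extensions found)] in the helper's order; any .dll
    entry is the thing to report back."""
    return [(s, sorted({h[1] for h in hits.get(s.lower(), [])})) for s in stems]


def demo():
    """Constructed sample tree (not the poster's drive): two legitimate-looking
    .exe files, a notepad.exe that is not on the list, and a tlntsess.dll
    that should not exist. Returns (summary, hits)."""
    base = Path(tempfile.mkdtemp())
    try:
        sys32 = base / "WINDOWS" / "system32"
        (sys32 / "dllcache").mkdir(parents=True)
        (sys32 / "rundll32.exe").write_bytes(b"MZ" + b"\0" * 30)
        (sys32 / "dllcache" / "CSRSS.EXE").write_bytes(b"MZ" + b"\0" * 30)
        (sys32 / "tlntsess.dll").write_bytes(b"MZ" + b"\0" * 62)
        (sys32 / "notepad.exe").write_bytes(b"MZ")
        hits = find_suspect_files(base)
        return summarize(hits), hits
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python find_dlls.py C:\WINDOWS
        hits = find_suspect_files(sys.argv[1])
        summary = summarize(hits)
    else:
        summary, hits = demo()
    for stem, exts in summary:
        print(f"{stem:10s} {' '.join(exts) or '(not found)'}")
    for stem in hits:
        for path, _ext, size, hidden in hits[stem]:
            print(f"  {path}  {size} bytes{'  [hidden]' if hidden else ''}")
```

    The summary is the answer to the helper's question; the per-file list is what to paste back if anything with a .dll extension turns up, since a .dll sitting beside a same-named system .exe is the pattern ComboFix already removed for attrib, dumprep and tlntadmn.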
     
  8. 2007/12/01
    kdawg8762

    Son of a....

    While there are no .dll's for any of the above, each one has a .exe on my drive. The problem was gone for both my laptop and PC until last night, when both computers are now not going back to previous pages but trying to go to an ad server, and I have to hit back multiple times. I don't know what to do! I have a firewall; I do everything I should. I don't go to websites I haven't gone to for years and years, and I never had a previous problem.
     
  9. 2007/12/01
    noahdfear

    Good that those dlls aren't present. I'll have to double check to be sure, but I believe there should be an exe for each.

    Did you knowingly set your computer to use OpenDNS? If not, disable your internet connection and close all open windows. Scan again with HijackThis and fix the following entries. If WinPatrol alerts you to changes, allow them.

    O17 - HKLM\System\CCS\Services\Tcpip\..\{86271394-07EF-496B-8121-0BA1B7CA1CD6}: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F536D696-C888-486B-AEB1-BD0E3D2D84EB}: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

    Reboot and see if the behavior persists. Create and post a fresh HijackThis log.
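
    The O17 check behind this reply, as an added example that is not part of the thread: a parser for HijackThis O17 NameServer lines that reports, per control set (CCS, CS1, CS2) and per interface GUID or global Parameters key, which resolvers are hard-coded and whether they are ones the reader recognises (208.67.220.220 and 208.67.222.222 are OpenDNS). When DNS is supposed to come from DHCP, any static NameServer is a finding no matter where it points, because a hard-coded resolver is exactly what DNS-changing malware leaves behind; when static DNS is legitimate, only servers outside an allowed list are flagged. The sample text is the O17 lines quoted in the thread's log; the KNOWN_RESOLVERS table and the function names are this example's own, not something HijackThis provides.

```python
import re

# Constructed excerpt: the O17 lines as they appear in the thread's HJT log.
SAMPLE_HJT = r"""
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ebsco.com
O17 - HKLM\Software\..\Telephony: DomainName = ebsco.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{86271394-07EF-496B-8121-0BA1B7CA1CD6}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{F536D696-C888-486B-AEB1-BD0E3D2D84EB}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
"""

# Public resolvers a practitioner would recognise; the reader's own table
# (assumption), extend as needed. The two below are OpenDNS.
KNOWN_RESOLVERS = {
    "208.67.222.222": "OpenDNS",
    "208.67.220.220": "OpenDNS",
}

# HJT writes per-interface keys as Tcpip\..\{GUID} and the global key as
# Tcpip\Parameters; Domain/DomainName lines are deliberately not matched.
O17_NS = re.compile(
    r"^O17 - (?P<key>HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\"
    r"(?:\.\.\\(?P<iface>\{[0-9A-Fa-f-]+\})|Parameters)): "
    r"NameServer = (?P<servers>.+)$"
)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_nameservers(log_text):
    """One dict per O17 NameServer line: control set, interface (or the
    global Parameters key), the resolver list and a label for each."""
    out = []
    for raw in log_text.splitlines():
        m = O17_NS.match(raw.strip())
        if not m:
            continue
        # Windows accepts comma- or space-separated lists in this value.
        servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
        out.append({
            "line": raw.strip(),
            "control_set": m.group("cs"),
            "scope": m.group("iface") or "Parameters",
            "servers": servers,
            "labels": [KNOWN_RESOLVERS.get(s, "unknown") if IPV4.match(s)
                       else "not-an-ipv4" for s in servers],
        })
    return out


def audit(log_text, expect_dhcp=True, allowed=()):
    """expect_dhcp=True: every static NameServer is a finding, since it
    overrides what DHCP hands out. expect_dhcp=False: flag only servers
    outside `allowed`. Returns the parsed entries plus a reason."""
    findings = []
    for e in parse_nameservers(log_text):
        if expect_dhcp:
            reason = "static DNS where DHCP is expected"
        else:
            bad = [s for s in e["servers"] if s not in allowed]
            if not bad:
                continue
            reason = "unexpected resolver(s): " + ", ".join(bad)
        findings.append({**e, "reason": reason})
    return findings


def hjt_fix_list(log_text, **kw):
    """The O17 lines to tick and 'Fix checked' in HijackThis, in log order."""
    return [f["line"] for f in audit(log_text, **kw)]


if __name__ == "__main__":
    for f in audit(SAMPLE_HJT):
        who = "/".join(sorted(set(f["labels"])))
        print(f"{f['control_set']:4s} {f['scope']:40s} {','.join(f['servers'])} [{who}] {f['reason']}")
    print("fix in HJT:")
    for line in hjt_fix_list(SAMPLE_HJT):
        print("  " + line)
```

    Note that CS1 and CS2 are the stored control sets (Last Known Good and friends), so an entry there survives a fix applied only to CurrentControlSet until the next reboot copies things around; listing all three is why the parser keeps the control set rather than collapsing duplicates.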
     
  10. 2007/12/01
    kdawg8762

    Not sure

    I know it is supposed to be set to automatically find DNS settings. That is mandated by corporate IT. AVG did find a trojan and attrib.dll. It deleted and quarantined them. Still want me to do HJT?
     
  11. 2007/12/01
    noahdfear

    Yes, do the HJT instructions.
     
  12. 2007/12/01
    kdawg8762

    Seems OK

    Seems OK. I will post an HJT log of my desktop, which also has the problem, again shortly. Here is the HJT log after I did what I was instructed to do.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:08, on 2007-12-01
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\agrsmsvc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\EBSCO VPN Client\cvpnd.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
    C:\WINDOWS\system32\CCM\CcmExec.exe
    C:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe
    C:\Program Files\Citrix\ICA Client\ssonsvr.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\AccelerometerSt.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\ICO.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\FSRremoS.EXE
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebsco.com/intranet
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
    O4 - HKLM\..\Run: [AccelerometerSysTrayApplet] C:\WINDOWS\system32\AccelerometerSt.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Bluetooth.lnk = ?
    O4 - Global Startup: EBSCO Industries, Inc. EBSCO VPN Client.lnk = C:\Program Files\EBSCO VPN Client\vpngui.exe
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {02ED726B-6517-4245-8E46-233E4B91CEE3} (Bo6bootstrap Control) - http://datapro65.curtiscirc.com/wiasp/distribution/install.cab
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1188952783593
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {EE6DD3BD-B5E5-4A05-9FF2-9DB265522F0E} (ZaboCheckAndRunControl Class) - http://datapro65.curtiscirc.com/wiasp/distribution/ZaboIEen.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ebsco.com
    O17 - HKLM\Software\..\Telephony: DomainName = ebsco.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ebsco.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ebsco.com
    O23 - Service: aawservice - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\EBSCO VPN Client\cvpnd.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: SWIHPWMI - Sierra Wireless Inc. - C:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

    --
    End of file - 9609 bytes
     
  13. 2007/12/02
    kdawg8762

    argh

    I was wrong, the problem persists. AVG virus shield keeps finding a trojan in System Volume, or something like that; it's called restore and then a bunch of numbers and letters. I heal it, it says it healed, but it keeps recurring. Yet, when I do an AVG virus scan, no threat is found.
     
  14. 2007/12/02
    noahdfear

    That's not a problem. It's past System Restore points which we can clear. Have the other symptoms been put to rest?

    Clear past system restore points and create a new one.
    Right click My Computer and select Properties. On the System Restore tab, check the box to turn System Restore off. Click Apply. Now, uncheck the box and click Apply. Click OK, then OK to close the System Properties dialog.

    Verify a new restore point was created.
    Click Start>All Programs>Accessories>System Tools>System Restore
    Select 'Restore my computer to an earlier time', then click Next.
    You should have a newly created System Checkpoint available. If so, click Cancel. If not, click Back and select 'Create a restore point', then click Next. Give the restore point a name and click Next.
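    The same "off, on again, new checkpoint" procedure as a script with a verification step, added here as an example and not part of noahdfear's instructions. It assumes Windows PowerShell 2.0 or later on a client edition of Windows, run from an elevated prompt (the System Restore cmdlets are not present on Server editions); the drive letter and the checkpoint description are example values.

```powershell
# Added example, not from the thread: clear old System Restore points, create
# a fresh checkpoint and verify the result. Turning System Restore off for a
# drive discards every restore point on it, which is what removes the old
# copies under System Volume Information that an on-access scanner keeps
# reporting. Assumes Windows PowerShell 2.0+ on a client Windows, elevated.

$drive       = 'C:\'                                     # example drive
$description = 'Clean checkpoint after malware cleanup'  # example name

function Get-RestorePointSummary {
    # @() forces an array so .Count works even with zero or one restore point.
    @(Get-ComputerRestorePoint) |
        Select-Object SequenceNumber, Description, RestorePointType, CreationTime
}

Write-Host 'Restore points before:'
Get-RestorePointSummary | Format-Table -AutoSize

# Off, then on again: this is what the System Properties checkbox does.
Disable-ComputerRestore -Drive $drive
Enable-ComputerRestore  -Drive $drive

# Equivalent of "Create a restore point" in the System Restore wizard.
Checkpoint-Computer -Description $description -RestorePointType 'MODIFY_SETTINGS'

Write-Host 'Restore points after:'
$after = @(Get-RestorePointSummary)
$after | Format-Table -AutoSize

# Verify: only the freshly created checkpoint should remain.
if ($after.Count -ne 1 -or $after[0].Description -ne $description) {
    Write-Warning 'Unexpected restore point set; review System Restore settings manually.'
} else {
    Write-Host 'OK: old restore points cleared, new checkpoint present.'
}
```

    The "after" table is the check the post asks for: one entry, carrying the description you gave. On Windows 8 and later, Checkpoint-Computer silently skips a second checkpoint within 24 hours unless the SystemRestorePointCreationFrequency registry value is changed, so on those versions run it once and read the table rather than re-running it.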
     
  15. 2007/12/02
    kdawg8762

    still persistent

    Problem with back button in IE still exists.
     
  16. 2007/12/02
    noahdfear

    Please post a fresh dss log and be sure to let me know which machine it's from.
     
  17. 2007/12/02
    kdawg8762

    Here ya go

    Here are the Deckard's main.txt file and extra.txt file:

    Deckard's System Scanner v20071014.68
    Run by kshields on 2007-12-02 20:12:13
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    Successfully created a Deckard's System Scanner Restore Point.


    -- Last 2 Restore Point(s) --
    2: 2007-12-03 02:12:16 UTC - RP105 - Deckard's System Scanner Restore Point
    1: 2007-12-03 01:09:56 UTC - RP104 - System Checkpoint


    Backed up registry hives.
    Performed disk cleanup.



    -- HijackThis (run as kshields.exe) --------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:12, on 2007-12-02
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\agrsmsvc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\EBSCO VPN Client\cvpnd.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
    C:\WINDOWS\system32\CCM\CcmExec.exe
    C:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe
    C:\Program Files\Citrix\ICA Client\ssonsvr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\AccelerometerSt.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\ICO.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\FSRremoS.EXE
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    C:\Documents and Settings\kshields\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\kshields.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebsco.com/intranet
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
    O4 - HKLM\..\Run: [AccelerometerSysTrayApplet] C:\WINDOWS\system32\AccelerometerSt.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Bluetooth.lnk = ?
    O4 - Global Startup: EBSCO Industries, Inc. EBSCO VPN Client.lnk = C:\Program Files\EBSCO VPN Client\vpngui.exe
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {02ED726B-6517-4245-8E46-233E4B91CEE3} (Bo6bootstrap Control) - http://datapro65.curtiscirc.com/wiasp/distribution/install.cab
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1188952783593
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {EE6DD3BD-B5E5-4A05-9FF2-9DB265522F0E} (ZaboCheckAndRunControl Class) - http://datapro65.curtiscirc.com/wiasp/distribution/ZaboIEen.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ebsco.com
    O17 - HKLM\Software\..\Telephony: DomainName = ebsco.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ebsco.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ebsco.com
    O23 - Service: aawservice - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\EBSCO VPN Client\cvpnd.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: SWIHPWMI - Sierra Wireless Inc. - C:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

    --
    End of file - 9478 bytes

    -- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

    backup-20071117-005318-616 O2 - BHO: attrib - {7226429B-3AFD-452B-8DED-77563EFAF778} - C:\WINDOWS\system32\attrib.dll
    backup-20071117-005318-858 O4 - HKLM\..\Run: [plite731] C:\WINDOWS\plite731.exe
    backup-20071201-200210-228 O17 - HKLM\System\CCS\Services\Tcpip\..\{F536D696-C888-486B-AEB1-BD0E3D2D84EB}: NameServer = 208.67.220.220,208.67.222.222
    backup-20071201-200210-438 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    backup-20071201-200210-623 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    backup-20071201-200210-917 O17 - HKLM\System\CCS\Services\Tcpip\..\{86271394-07EF-496B-8121-0BA1B7CA1CD6}: NameServer = 208.67.220.220,208.67.222.222

    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    S3 catchme - c:\docume~1\kshields\locals~1\temp\catchme.sys (file missing)


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    All services whitelisted.


    -- Device Manager: Disabled ----------------------------------------------------

    Class GUID: {4D36E96D-E325-11CE-BFC1-08002BE10318}
    Description: Agere Systems HDA Modem
    Device ID: HDAUDIO\FUNC_02&VEN_11C1&DEV_1040&SUBSYS_103C1378&REV_1002\4&27A72BC6&0&0101
    Manufacturer: Agere
    Name: Agere Systems HDA Modem
    PNP Device ID: HDAUDIO\FUNC_02&VEN_11C1&DEV_1040&SUBSYS_103C1378&REV_1002\4&27A72BC6&0&0101
    Service: Modem

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Cisco Systems VPN Adapter
    Device ID: ROOT\NET\0000
    Manufacturer: Cisco Systems
    Name: Cisco Systems VPN Adapter
    PNP Device ID: ROOT\NET\0000
    Service: CVirtA


    -- Files created between 2007-11-02 and 2007-12-02 -----------------------------

    2007-11-30 13:34:02 0 d-------- C:\Documents and Settings\LocalService\Desktop
    2007-11-28 14:55:47 0 d-------- C:\Program Files\Common Files\Avery
    2007-11-28 14:55:45 0 d-------- C:\Program Files\Avery Wizard 3.1
    2007-11-20 15:52:32 0 d-------- C:\Documents and Settings\kshields\DoctorWeb
    2007-11-20 15:47:06 0 d-------- C:\Documents and Settings\kshields\SecurityScans
    2007-11-20 15:46:33 0 d-------- C:\Program Files\Microsoft Baseline Security Analyzer 2
    2007-11-17 18:04:10 0 d-------- C:\Program Files\SpywareGuard
    2007-11-17 18:01:40 0 d-------- C:\Program Files\SpywareBlaster
    2007-11-17 17:13:30 0 dr-h----- C:\$VAULT$.AVG
    2007-11-17 16:51:09 0 d-------- C:\Documents and Settings\kshields\Application Data\WinPatrol
    2007-11-17 16:51:03 0 d-------- C:\Program Files\BillP Studios
    2007-11-17 16:48:43 0 d-------- C:\Documents and Settings\kshields\Application Data\AVG7
    2007-11-17 16:48:32 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2007-11-17 16:48:23 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
    2007-11-17 01:33:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-11-17 01:33:38 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-11-17 00:51:47 0 d-------- C:\Program Files\Trend Micro
    2007-11-16 15:24:39 0 d-------- C:\HJT
    2007-11-15 12:01:26 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
    2007-11-15 10:50:40 0 d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
    2007-11-15 10:40:10 0 d--h----- C:\Documents and Settings\dricker\Templates
    2007-11-15 10:40:10 0 dr------- C:\Documents and Settings\dricker\Start Menu
    2007-11-15 10:40:10 0 dr-h----- C:\Documents and Settings\dricker\SendTo
    2007-11-15 10:40:10 0 d--h----- C:\Documents and Settings\dricker\Recent
    2007-11-15 10:40:10 0 d--h----- C:\Documents and Settings\dricker\PrintHood
    2007-11-15 10:40:10 225280 --ah----- C:\Documents and Settings\dricker\NTUSER.DAT
    2007-11-15 10:40:10 0 d--h----- C:\Documents and Settings\dricker\NetHood
    2007-11-15 10:40:10 0 d-------- C:\Documents and Settings\dricker\My Documents
    2007-11-15 10:40:10 0 dr-h----- C:\Documents and Settings\dricker\Local Settings
    2007-11-15 10:40:10 0 d-------- C:\Documents and Settings\dricker\Favorites
    2007-11-15 10:40:10 0 d-------- C:\Documents and Settings\dricker\Desktop
    2007-11-15 10:40:10 0 d---s---- C:\Documents and Settings\dricker\Cookies
    2007-11-15 10:40:10 0 dr-h----- C:\Documents and Settings\dricker\Application Data
    2007-11-15 10:40:10 0 d---s---- C:\Documents and Settings\dricker\Application Data\Microsoft


    -- Find3M Report ---------------------------------------------------------------

    2007-11-28 14:57:31 0 d--h----- C:\Program Files\InstallShield Installation Information
    2007-11-28 14:55:47 0 d-------- C:\Program Files\Common Files
    2007-11-28 14:54:50 0 d-------- C:\Program Files\Common Files\InstallShield
    2007-11-06 09:34:21 0 --a------ C:\WINDOWS\system32\mscorews.dll
    2007-10-22 07:39:40 0 d-------- C:\Program Files\MSXML 4.0
    2007-10-18 13:30:01 0 d-------- C:\Documents and Settings\kshields\Application Data\Business Objects
    2007-10-18 13:03:14 0 d-------- C:\Program Files\Business Objects
    2007-10-18 12:55:38 0 d-------- C:\Program Files\CurtisDataPro
    2007-10-10 09:03:19 0 d-------- C:\Documents and Settings\kshields\Application Data\Grisoft
    2007-10-09 09:06:16 0 d-------- C:\Program Files\Windows Media Connect 2
    2007-10-09 08:56:51 0 d-------- C:\Documents and Settings\kshields\Application Data\OfficeUpdate12
    2007-10-08 15:45:53 0 d-------- C:\Program Files\Lavasoft
    2007-10-08 15:45:19 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-10-08 14:12:15 41 --a------ C:\WINDOWS\plite731_uninstaller_.bat
    2007-09-19 09:18:27 13049 --a------ C:\Documents and Settings\kshields\Application Data\Comma Separated Values (Windows).CAL
    2007-09-17 16:40:56 524288 --a------ C:\WINDOWS\opuc.dll <Not Verified; Microsoft Corporation; 2007 Microsoft Office system>
    2007-09-05 11:25:27 8 --a------ C:\WINDOWS\system32\success
    2007-09-04 16:02:42 62 --ahs---- C:\Documents and Settings\kshields\Application Data\desktop.ini
    2007-09-04 03:14:54 0 -rahs---- C:\MSDOS.SYS
    2007-09-04 03:14:54 0 -rahs---- C:\IO.SYS
    2007-09-04 03:14:54 0 --a------ C:\CONFIG.SYS
    2007-09-04 03:14:54 0 --a------ C:\AUTOEXEC.BAT
    2007-09-04 03:12:08 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMAX "= "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2006-07-13 06:12]
    "AccelerometerSysTrayApplet "= "C:\WINDOWS\system32\AccelerometerSt.exe" [2007-01-24 01:28]
    "SynTPEnh "= "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-07 11:47]
    "IgfxTray "= "C:\WINDOWS\system32\igfxtray.exe" [2007-02-26 10:34]
    "HotKeysCmds "= "C:\WINDOWS\system32\hkcmd.exe" [2007-02-26 10:34]
    "Persistence "= "C:\WINDOWS\system32\igfxpers.exe" [2007-02-26 10:33]
    "Mouse Suite 98 Daemon "= "ICO.EXE" [2003-11-20 01:08 C:\WINDOWS\system32\ico.exe]
    "ccApp "= "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 04:38]
    "vptray "= "C:\PROGRA~1\SYMANT~1\VPTray.exe" [2007-03-14 06:49]
    "Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 06:51]
    "SoundMAXPnP "= "C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 04:36]
    "!AVG Anti-Spyware "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25]
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-17 04:48]
    "WinPatrol "= "C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2007-10-26 10:06]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 06:00]

    C:\Documents and Settings\kshields\Start Menu\Programs\Startup\
    SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 7:05:35 PM]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-02-06 2:14:00 PM]
    EBSCO Industries, Inc. EBSCO VPN Client.lnk - C:\Program Files\EBSCO VPN Client\vpngui.exe [2007-09-05 11:24:21 AM]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools "=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoWelcomeScreen "=1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "DisallowRun "=1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\DisallowRun]
    "1 "=musrmgr.exe
    "2 "=user manager.exe
    "3 "=usrmgr.exe
    "4 "=USRMGR.exe
    "5 "=yahoomessenger.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
    "Script "=\\ebsco.com\SysVol\ebsco.com\scripts\SetDefaultAccess.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1164127803-1809399719-1542849698-26035\Scripts\Logon\0\0]
    "Script "=\\ebsco.com\SysVol\ebsco.com\scripts\SetDefaultAccess.cmd

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @= "Service "




    -- Hosts -----------------------------------------------------------------------

    127.0.0.1 007guard.com
    127.0.0.1 www.007guard.com
    127.0.0.1 008i.com
    127.0.0.1 008k.com
    127.0.0.1 www.008k.com
    127.0.0.1 00hq.com
    127.0.0.1 www.00hq.com
    127.0.0.1 010402.com
    127.0.0.1 032439.com
    127.0.0.1 www.032439.com

    7535 more entries in hosts file.


    -- End of Deckard's System Scanner: finished at 2007-12-02 20:22:13 ------------
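    A first-pass triage over HijackThis lines of the kind shown in the log above, added here as an example; it is neither part of the thread nor HijackThis code. The section codes are the real HijackThis prefixes (O4 autostart entries, O17 Tcpip/DNS settings, O23 services), but the reasons it prints and its idea of what deserves a first look are this example's own heuristics. The sample lines are constructed from entries in this thread's logs, except the ExampleSvc service, which is invented to exercise the service rule. Assumes PowerShell 3.0 or later; it makes no Windows-specific calls.

```powershell
# Added example, not from the thread and not HijackThis code: a first-pass
# triage over HijackThis log lines. Section codes are the real HijackThis
# prefixes; the reasons and the "look at this first" rules are this
# example's own heuristics. Requires PowerShell 3.0 or later.

# Constructed sample, modelled on the entries in the logs above. The last
# line (ExampleSvc) is invented to exercise the service rule.
$sampleLog = @(
    'O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE',
    'O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe',
    'O4 - Global Startup: Bluetooth.lnk = ?',
    'O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ebsco.com',
    'O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222',
    'O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe',
    'O23 - Service: Example Svc (ExampleSvc) - Unknown owner - C:\DOCUME~1\user\LOCALS~1\Temp\examplesvc.exe'
)

function Get-HjtFinding {
    param([string]$Line)

    # Every HijackThis line starts with a section code such as O4, O17 or O23.
    if (-not ($Line -match '^(?<section>[OR]\d+)\s+-\s+(?<body>.+)$')) { return }
    $section = $Matches.section
    $body    = $Matches.body
    $reason  = $null

    switch ($section) {
        'O4' {
            if ($body -match '\]\s+(?<target>.+)$') {
                # A bare file name (no drive or variable prefix) is resolved
                # through the search path, so locate and check it first.
                $target = $Matches.target.Trim('"', ' ')
                if ($target -notmatch '^[A-Za-z]:\\' -and $target -notmatch '^%') {
                    $reason = "autostart target '$target' has no full path"
                }
            } elseif ($body -match '=\s*\?\s*$') {
                # HijackThis prints '= ?' when a shortcut target cannot be resolved.
                $reason = 'startup shortcut target could not be resolved'
            }
        }
        'O17' {
            # A NameServer override redirects every DNS lookup on the machine;
            # it is the first thing to check for "search results redirect" reports.
            if ($body -match 'NameServer\s*=\s*(?<servers>[\d.,\s]+)$') {
                $reason = "DNS servers overridden: $($Matches.servers.Trim())"
            }
        }
        'O23' {
            # Services with no publisher, or whose binary sits in a temp or
            # profile directory, are worth locating and hashing first.
            if ($body -match 'Unknown owner' -or $body -match '\\(Temp|LOCALS~1)\\') {
                $reason = 'service has unknown publisher or runs from a temp directory'
            }
        }
    }

    if ($reason) {
        [pscustomobject]@{ Section = $section; Reason = $reason; Entry = $body }
    }
}

$findings = $sampleLog | ForEach-Object { Get-HjtFinding $_ }
$findings | Format-Table -AutoSize -Wrap
```

    Run as-is it reports four of the seven sample lines: the pathless ICO.EXE autostart, the unresolved Bluetooth shortcut, the NameServer override, and the invented temp-directory service; to triage a real log, pipe Get-Content of the saved log into Get-HjtFinding instead of $sampleLog. The flags are prompts for a closer look (locate the file, check the publisher, confirm the DNS servers are the ones the network is supposed to use), not verdicts.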
     
  18. 2007/12/02
    kdawg8762

    extra

    Here is the extra file. All this is for my laptop. I haven't gotten to the desktop yet.

    Deckard's System Scanner v20071014.68
    Extra logfile - please post this as an attachment with your post.
    --------------------------------------------------------------------------------

    -- System Information ----------------------------------------------------------

    Microsoft Windows XP Professional (build 2600) SP 2.0
    Architecture: X86; Language: English

    CPU 0: Intel(R) Core(TM)2 Duo CPU T7100 @ 1.80GHz
    CPU 1: Intel(R) Core(TM)2 Duo CPU T7100 @ 1.80GHz
    Percentage of Memory in Use: 41%
    Physical Memory (total/avail): 1527.23 MiB / 900.34 MiB
    Pagefile Memory (total/avail): 3422.45 MiB / 2867.82 MiB
    Virtual Memory (total/avail): 2047.88 MiB / 1927.02 MiB

    C: is Fixed (NTFS) - 74.52 GiB total, 68.07 GiB free.
    D: is CDROM (CDFS)

    \\.\PHYSICALDRIVE0 - TOSHIBA MK8037GSX - 74.53 GiB - 1 partition
    \PARTITION0 (bootable) - Installable File System - 74.52 GiB - C:



    -- Security Center -------------------------------------------------------------

    AUOptions is scheduled to auto-install.
    Windows Internal Firewall is enabled.

    FirstRunDisabled is set.

    AV: AVG 7.5.503 v7.5.503 (Grisoft)
    AV: Symantec AntiVirus Corporate Edition v10.1.6.6000 (Symantec Corporation)

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    -- Environment Variables -------------------------------------------------------

    ALLUSERSPROFILE=C:\Documents and Settings\All Users
    APPDATA=C:\Documents and Settings\kshields\Application Data
    CLIENTNAME=Console
    CommonProgramFiles=C:\Program Files\Common Files
    COMPUTERNAME=GVMG-61476
    ComSpec=C:\WINDOWS\system32\cmd.exe
    FP_NO_HOST_CHECK=NO
    HOMEDRIVE=C:
    HOMEPATH=\Documents and Settings\kshields
    LOGONSERVER=\\SPONTINI
    NUMBER_OF_PROCESSORS=2
    OPENRDA_INI=C:\Documents and Settings\All Users\Application Data\QuickFill\openrda.ini
    OS=Windows_NT
    Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 13, GenuineIntel
    PROCESSOR_LEVEL=6
    PROCESSOR_REVISION=0f0d
    ProgramFiles=C:\Program Files
    PROMPT=$P$G
    SESSIONNAME=Console
    SystemDrive=C:
    SystemRoot=C:\WINDOWS
    TEMP=C:\DOCUME~1\kshields\LOCALS~1\Temp
    TMP=C:\DOCUME~1\kshields\LOCALS~1\Temp
    USERDNSDOMAIN=EBSCO.COM
    USERDOMAIN=EBSCO
    USERNAME=kshields
    USERPROFILE=C:\Documents and Settings\kshields
    windir=C:\WINDOWS


    -- User Profiles ---------------------------------------------------------------

    dricker (new local, admin, net ready)
    kshields (admin)
    kshields.GVMG-61476 (admin)
    Administrator (admin)


    -- Add/Remove Programs ---------------------------------------------------------

    --> MsiExec.exe /I{977FBE6C-AE9A-4429-B249-814F0B3A4CB1}
    --> MsiExec.exe /I{AEB9948B-4FF2-47C9-990E-47014492A0FE}
    --> MsiExec.exe /I{B61B6668-A674-4A06-8405-51944D5CCDDD}
    --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
    Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
    Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
    Adobe Reader 8.1.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
    Agere Systems HDA Modem --> agrsmdel
    Avery Wizard 3.1 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{D3C97899-3890-43DB-AA0C-D91A84FA7787}
    AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
    AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
    Broadcom NetXtreme Ethernet Controller --> MsiExec.exe /X{D3B3B9B2-FE73-44CB-8C0A-F737D92F991B}
    BusinessObjects 6 --> MsiExec.exe /I{E989CB68-9F75-4AE3-9A34-69144502D82D}
    CCleaner (remove only) --> "C:\Documents and Settings\kshields\Desktop\Spyware\CCleaner\uninst.exe "
    Citrix Program Neighborhood --> C:\WINDOWS\ISUNINST.EXE -fC:\PROGRA~1\Citrix\ICACLI~1\Uninst.isu -cC:\PROGRA~1\Citrix\ICACLI~1\uninstpn.dll
    HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
    Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe "
    HP 3D DriveGuard --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{429E92A4-159F-4AEC-85A1-D693E1E4274D}\setup.exe" -l0x9 UNINSTALL
    HP Broadband Wireless Modules --> MsiExec.exe /X{B2D74DEC-9F82-428C-8C30-CCFBCFE45F90}
    HP Integrated Module with Bluetooth wireless technology --> MsiExec.exe /X{84814E6B-2581-46EC-926A-823BD1C670F6}
    HP PCMCIA Smart Card Reader --> MsiExec.exe /I{24B3DF86-75B9-4DBD-AC39-C0C041583E6F}
    Install Curtis DataPro Icon to Desktop --> C:\PROGRA~1\CURTIS~1\UNWISE.EXE C:\PROGRA~1\CURTIS~1\INSTALL.LOG
    Intel(R) Graphics Media Accelerator Driver --> C:\WINDOWS\system32\igxpun.exe -uninstall
    Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
    LiveUpdate 3.1 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
    MetaFrame Presentation Server Web Client for Win32 --> C:\WINDOWS\system32\ctxsetup.exe /uninst C:\PROGRA~1\Citrix\icaweb32\uninst.inf
    Microsoft Baseline Security Analyzer 2.0.1 --> MsiExec.exe /I{7F231232-C309-4401-964A-2A002B6E1ED9}
    Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe "
    Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
    Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe "
    Mouse Suite --> PMUninst.exe MouseSuite98
    MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
    Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
    QuickFill Workstation (Build 705) --> MsiExec.exe /X{E9CC02FC-1275-41BE-BC1B-CC234DA3B008}
    Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
    Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
    SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe" -l0x9 -removeonly
    Spybot - Search & Destroy --> "C:\Spybot - Search & Destroy\unins000.exe "
    SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe "
    SpywareGuard v2.2 --> "C:\Program Files\SpywareGuard\unins000.exe "
    Symantec AntiVirus --> MsiExec.exe /I{50E125D1-88E5-48CE-80AE-98EC9698E639}
    Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll ",standAloneUninstall
    VNC Free Edition 4.1.1 --> "C:\Program Files\RealVNC\VNC4\unins000.exe "
    VPN Client --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5624C000-B109-11D4-9DB4-00E0290FCAC5}\Setup.exe" -l0x9 VpnUninstall
    Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe "
    WinPatrol 2007 --> C:\PROGRA~1\BILLPS~1\WINPAT~1\Setup.exe /remove /q0


    -- Application Event Log -------------------------------------------------------

    Event Record #/Type8437 / Error
    Event Submitted/Written: 12/02/2007 08:04:52 PM
    Event ID/Source: 15 / AutoEnrollment
    Event Description:
    Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
    Enrollment will not be performed.

    Event Record #/Type8436 / Error
    Event Submitted/Written: 12/02/2007 00:04:52 PM
    Event ID/Source: 15 / AutoEnrollment
    Event Description:
    Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
    Enrollment will not be performed.

    Event Record #/Type8435 / Error
    Event Submitted/Written: 12/02/2007 08:27:20 AM
    Event ID/Source: 10703 / SmsClient
    Event Description:
    1The agent encountered an error while collecting data from this computer.

    Event Record #/Type8434 / Error
    Event Submitted/Written: 12/02/2007 04:04:52 AM
    Event ID/Source: 15 / AutoEnrollment
    Event Description:
    Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
    Enrollment will not be performed.

    Event Record #/Type8430 / Error
    Event Submitted/Written: 12/01/2007 08:04:52 PM
    Event ID/Source: 15 / AutoEnrollment
    Event Description:
    Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
    Enrollment will not be performed.



    -- Security Event Log ----------------------------------------------------------

    No Errors/Warnings found.


    -- System Event Log ------------------------------------------------------------

    Event Record #/Type4975 / Warning
    Event Submitted/Written: 12/02/2007 08:06:10 PM
    Event ID/Source: 8193 / LSASRV
    Event Description:
    The Security System could not establish a secured connection with the server DNS/dns02.dnsebsco.com. No authentication protocol was available.

    Event Record #/Type4974 / Warning
    Event Submitted/Written: 12/02/2007 08:06:10 PM
    Event ID/Source: 8192 / LSASRV
    Event Description:
    The Security System detected an attempted downgrade attack for
    server DNS/dns02.dnsebsco.com. The failure code from authentication protocol Kerberos
    was "There are currently no logon servers available to service the logon request.
    (0xc000005e) ".

    Event Record #/Type4973 / Warning
    Event Submitted/Written: 12/02/2007 07:37:01 PM
    Event ID/Source: 8193 / LSASRV
    Event Description:
    The Security System could not establish a secured connection with the server DNS/dns01.dnsebsco.com. No authentication protocol was available.

    Event Record #/Type4972 / Warning
    Event Submitted/Written: 12/02/2007 07:37:01 PM
    Event ID/Source: 8192 / LSASRV
    Event Description:
    The Security System detected an attempted downgrade attack for
    server DNS/dns01.dnsebsco.com. The failure code from authentication protocol Kerberos
    was "There are currently no logon servers available to service the logon request.
    (0xc000005e) ".

    Event Record #/Type4966 / Warning
    Event Submitted/Written: 12/02/2007 06:36:17 PM
    Event ID/Source: 8193 / LSASRV
    Event Description:
    The Security System could not establish a secured connection with the server DNS/dns01.dnsebsco.com. No authentication protocol was available.



    -- End of Deckard's System Scanner: finished at 2007-12-02 20:22:13 ------------
     
  19. 2007/12/02
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Nothing in those logs to suggest a problem. Close all browser windows and open Internet Options in the Control Panel. Select the Programs tab and click Reset Web Settings. Homepage is optional. Restart your browser and let me know if there's any change.
     
  20. 2007/12/03
    kdawg8762

    kdawg8762 Inactive Thread Starter

    Joined:
    2007/11/16
    Messages:
    64
    Likes Received:
    0
    Still a problem

    Problem still exists. This latest time, instead of going back to the previous page, it attempted to take me to:

    a.tribalfusion
     
  21. 2007/12/03
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Did you install a custom HOSTS file a while back, possibly just prior to this problem with the Back button?

    Running a popup blocker?
     
