
Solved please help - here is my hijack this log

Discussion in 'Malware and Virus Removal Archive' started by pdessena, 2007/11/09.

  1. 2007/11/09
    pdessena

    [Resolved] please help - here is my hijack this log

    Hi, I have been battling several viruses and lots of spyware, but have finally managed to get rid of them (I think). However, I still can't access my control panel or other administrative settings. I get the following message: this operation has been cancelled due to restrictions in effect on this computer.

    Here is my hijack this log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:02:51 PM, on 11/9/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
    c:\jetsuite\jsdaemon.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
    C:\jetsuite\JETSTAT.EXE
    c:\jetsuite\JSFMAN.EXE
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
    C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\David A. Gray\Local Settings\Temp\Temporary Directory 1 for HiJackThis.zip\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe "
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe "
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: DllCmd32.lnk = C:\jetsuite\DLLCMD32.EXE
    O4 - Global Startup: HP LaserJet 3100 Status.lnk = C:\jetsuite\JETSTAT.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/248cd80fb77842d12c05/netzip/RdxIE601.cab
    O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (WebProgramManager Class) - http://isupport4.hp.com/awebui/jsp/answerweb/applets/HPISWebManager.CAB
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176565511265
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
    O23 - Service: jsdaemon - JetFax, Inc. - c:\jetsuite\jsdaemon.exe
    O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
    O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

    --
    End of file - 6188 bytes
     
  2. 2007/11/09
    Geri

    Hi pdessena
    Welcome to WindowsBBS :)

    Please note, HJT makes a backup folder of everything that is fixed with the tool.
    I would advise that you move HijackThis to a permanent directory on your hard drive, say C:\HJT
    A temporary folder is not an advisable location for backups made by HJT; it could be deleted by mistake.

    You are running two AV's
    AVG7
    CA - Computer Associates

    I'm guessing you paid for CA's Internet Security Suite.

    Running two AV's is not a good idea; they can conflict with each other and end up giving you less protection than just running one.

    If CA is up-to-date and paid for, please remove AVG7 from your add/remove list.

    After doing the above please post a new HJT log.

    Thanks
    Geri
     
  4. 2007/11/09
    pdessena

    updated hjt log

    Hi Geri, thanks for your reply. I did what you suggested and ran a new hjt scan (below). I had both CA and AVG programs installed because CA didn't remove all the viruses on my computer, so I downloaded AVG to give it a try. I know I shouldn't have had both on my machine, but I couldn't get rid of CA since my control panel can't be accessed (I didn't know of any other way to uninstall it). In desperation, I disabled CA before installing AVG (not sure if that was helpful, but I didn't know what else to do). Anyhow, upon your advice, I have deleted AVG (it had an uninstall option in my start menu, so I didn't need control panel) and now only have CA.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:58:58 PM, on 11/9/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
    C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
    c:\jetsuite\jsdaemon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\jetsuite\JETSTAT.EXE
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
    C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    c:\jetsuite\JSFMAN.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\hjt\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe "
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: DllCmd32.lnk = C:\jetsuite\DLLCMD32.EXE
    O4 - Global Startup: HP LaserJet 3100 Status.lnk = C:\jetsuite\JETSTAT.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/248cd80fb77842d12c05/netzip/RdxIE601.cab
    O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (WebProgramManager Class) - http://isupport4.hp.com/awebui/jsp/answerweb/applets/HPISWebManager.CAB
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176565511265
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
    O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
    O23 - Service: jsdaemon - JetFax, Inc. - c:\jetsuite\jsdaemon.exe
    O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
    O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

    --
    End of file - 5494 bytes
     
  5. 2007/11/09
    Geri

    Hi pdessena

    OK, Thanks for doing that.
    Let's see if we can get a better look at things.

    Please download Deckard's System Scanner (dss.exe) and save it to your Desktop.
    Note: You must be logged onto an account with administrator privileges to complete the following.
    • Close all other windows before proceeding.
    • Double-click on dss.exe and follow the prompts.
    • When it has finished, dss will open two Notepad windows, main.txt and extra.txt -- please copy and then paste the contents of main.txt only for now.

    Thanks
    Geri
     
  6. 2007/11/09
    pdessena

    deckard's scan text

    Here is the main text:

    Deckard's System Scanner v20071014.68
    Run by David A. Gray on 2007-11-10 01:50:24
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    Successfully created a Deckard's System Scanner Restore Point.


    -- Last 5 Restore Point(s) --
    91: 2007-11-10 06:50:29 UTC - RP1288 - Deckard's System Scanner Restore Point
    90: 2007-11-10 04:54:30 UTC - RP1287 - Installed AVG 7.5
    89: 2007-11-10 04:52:59 UTC - RP1286 - Removed AVG 7.5
    88: 2007-11-09 22:27:18 UTC - RP1285 - Installed AVG 7.5
    87: 2007-11-09 05:50:33 UTC - RP1284 - System Checkpoint


    -- First Restore Point --
    1: 2007-08-12 09:03:47 UTC - RP1198 - System Checkpoint


    Backed up registry hives.
    Performed disk cleanup.

    Total Physical Memory: 254 MiB (512 MiB recommended).


    -- HijackThis (run as David A. Gray.exe) ---------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:51:16 AM, on 11/10/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
    C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
    c:\jetsuite\jsdaemon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\jetsuite\JETSTAT.EXE
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
    C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    c:\jetsuite\JSFMAN.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\David A. Gray\Desktop\dss.exe
    C:\hjt\David A. Gray.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe "
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: DllCmd32.lnk = C:\jetsuite\DLLCMD32.EXE
    O4 - Global Startup: HP LaserJet 3100 Status.lnk = C:\jetsuite\JETSTAT.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/248cd80fb77842d12c05/netzip/RdxIE601.cab
    O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (WebProgramManager Class) - http://isupport4.hp.com/awebui/jsp/answerweb/applets/HPISWebManager.CAB
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176565511265
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
    O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
    O23 - Service: jsdaemon - JetFax, Inc. - c:\jetsuite\jsdaemon.exe
    O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
    O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

    --
    End of file - 5458 bytes

    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R1 js1284 - c:\windows\system32\drivers\js1284.sys <Not Verified; JetFax, Inc.; JetSuite>
    R1 jsmux - c:\windows\system32\drivers\jsmux.sys <Not Verified; JetFax, Inc.; JetSuite>
    R1 jsscan - c:\windows\system32\drivers\jsscan.sys <Not Verified; JetFax, Inc.; JetSuite>
    R1 NEOFLTR_540_11359 (Juniper Networks TDI Filter Driver (NEOFLTR_540_11359)) - c:\windows\system32\drivers\neofltr_540_11359.sys <Not Verified; Juniper Networks; Secure Application Manager>
    R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
    R2 jsfax - c:\windows\system32\drivers\jsfax.sys <Not Verified; JetFax, Inc.; JetSuite>
    R2 jspclcap - c:\windows\system32\drivers\jspclcap.sys <Not Verified; JetFax, Inc.; JetSuite>

    S2 DgiVecp - c:\windows\system32\drivers\dgivecp.sys (file missing)
    S2 xlavba8 - c:\windows\xlavba8.exe (file missing)
    S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)
    S4 jsdbg - c:\windows\system32\drivers\jsdbg.sys <Not Verified; JetFax, Inc.; JetSuite>


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    R2 jsdaemon - c:\jetsuite\jsdaemon.exe <Not Verified; JetFax, Inc.; JetSuite>


    -- Device Manager: Disabled ----------------------------------------------------

    No disabled devices found.


    -- Scheduled Tasks -------------------------------------------------------------

    2007-11-09 23:55:36 396 --a------ C:\WINDOWS\Tasks\SDMsgUpdate (SmartDrawTrial).job
    2007-11-09 01:04:56 530 --a------ C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as David A Gray at 10 37 PM.job
    2003-11-29 23:45:00 258 --a------ C:\WINDOWS\Tasks\ISP signup reminder 1.job


    -- Files created between 2007-10-10 and 2007-11-10 -----------------------------

    2007-11-09 23:54:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
    2007-11-09 21:02:03 0 d-------- C:\hjt
    2007-11-09 13:31:58 0 d--h----- C:\Documents and Settings\Administrator\Templates
    2007-11-09 13:31:58 0 dr------- C:\Documents and Settings\Administrator\Start Menu
    2007-11-09 13:31:58 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
    2007-11-09 13:31:58 0 dr-h----- C:\Documents and Settings\Administrator\Recent
    2007-11-09 13:31:58 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
    2007-11-09 13:31:58 0 d--h----- C:\Documents and Settings\Administrator\NetHood
    2007-11-09 13:31:58 0 dr------- C:\Documents and Settings\Administrator\My Documents
    2007-11-09 13:31:58 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
    2007-11-09 13:31:58 0 dr------- C:\Documents and Settings\Administrator\Favorites
    2007-11-09 13:31:58 0 d-------- C:\Documents and Settings\Administrator\Desktop
    2007-11-09 13:31:58 0 d---s---- C:\Documents and Settings\Administrator\Cookies
    2007-11-09 13:31:58 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
    2007-11-09 13:31:58 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
    2007-11-09 13:31:58 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
    2007-11-09 13:31:58 0 d-------- C:\Documents and Settings\Administrator\Application Data\Real
    2007-11-09 13:31:58 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
    2007-11-09 13:31:58 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
    2007-11-09 13:31:58 0 d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
    2007-11-09 13:31:57 651264 --a------ C:\Documents and Settings\Administrator\NTUSER.DAT
    2007-11-09 12:58:20 2394 --a------ C:\WINDOWS\System32\tmp.reg
    2007-11-09 12:57:25 25600 --a------ C:\WINDOWS\System32\WS2Fix.exe
    2007-11-09 12:57:25 289144 --a------ C:\WINDOWS\System32\VCCLSID.exe <Not Verified; S!Ri; >
    2007-11-09 12:57:25 51200 --a------ C:\WINDOWS\System32\dumphive.exe
    2007-11-09 12:57:24 288417 --a------ C:\WINDOWS\System32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
    2007-11-09 12:57:24 53248 --a------ C:\WINDOWS\System32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
    2007-11-08 22:37:51 0 d-------- C:\Program Files\Common Files\Scanner
    2007-11-08 22:37:31 0 d-------- C:\Documents and Settings\All Users\Application Data\CA
    2007-11-08 22:37:30 0 d-------- C:\Program Files\CA


    -- Find3M Report ---------------------------------------------------------------

    2007-11-08 23:25:09 0 d-------- C:\Program Files\SymNetDrv
    2007-11-08 23:23:49 0 d-------- C:\Program Files\SmartDraw 7
    2007-11-08 23:23:37 0 d-------- C:\Program Files\QuickTime
    2007-11-08 23:23:36 0 d-------- C:\Program Files\NetWaiting
    2007-11-08 23:23:31 0 d-------- C:\Program Files\Modem Helper
    2007-11-08 23:22:09 0 d-------- C:\Program Files\Lexmark X125
    2007-11-08 23:21:16 0 d-------- C:\Program Files\Google
    2007-11-08 23:21:15 0 d-------- C:\Program Files\Digital Line Detect
    2007-11-08 22:37:51 0 d-------- C:\Program Files\Common Files
    2007-09-27 11:51:55 0 d-------- C:\Documents and Settings\David A. Gray\Application Data\AdobeUM


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray "= "C:\WINDOWS\System32\igfxtray.exe" [04/07/2003 01:19 AM]
    "HotKeysCmds "= "C:\WINDOWS\System32\hkcmd.exe" [04/07/2003 01:07 AM]
    "dla "= "C:\WINDOWS\system32\dla\tfswctrl.exe" [08/06/2003 02:04 AM]
    "StorageGuard "= "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [02/13/2003 02:01 AM]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [11/03/2003 02:09 PM]
    "TkBellExe "= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [06/24/2006 08:50 AM]
    "cctray "= "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [08/16/2007 10:25 PM]
    "CAVRID "= "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [08/20/2007 01:42 PM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sonic RecordNow! "=" " []
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [08/20/2002 04:08 PM]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "ALUAlert "=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
    "Symantec NetDriver Warning "=C:\PROGRA~1\SYMNET~1\SNDWarn.exe

    C:\Documents and Settings\David A. Gray\Start Menu\Programs\Startup\
    DESKTOP.INI [9/3/2002 10:00:00 AM]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    DESKTOP.INI [9/3/2002 10:00:00 AM]
    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [11/3/2003 2:06:26 PM]
    DllCmd32.lnk - C:\jetsuite\DLLCMD32.EXE [10/15/2004 11:48:53 AM]
    HP LaserJet 3100 Status.lnk - C:\jetsuite\JETSTAT.EXE [10/15/2004 11:48:53 AM]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1/21/2000 3:15:54 AM]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools "=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoControlPanel "=1 (0x1)




    -- End of Deckard's System Scanner: finished at 2007-11-10 01:52:00 ------------
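A triage script for DSS output of the kind posted above, added here as an example; it is not code from the thread, from DSS or from HijackThis. It pulls out the policy values that explain the "restrictions in effect" message (the NoControlPanel=1 entry in the dump above) and any driver or service entry whose file is missing, and writes a .reg fragment that resets the flagged policies to 0; the R/S running/stopped reading of the driver lines and the " - " separator are assumptions about the DSS format.

```python
"""Triage helper for the main.txt that Deckard's System Scanner (DSS) writes.

Added example for this thread, not code from the thread, DSS or HijackThis.
It reads the Registry Dump for the policy values behind "this operation has
been cancelled due to restrictions in effect on this computer", and the
Drivers/Services lists for start-up entries whose binary no longer exists.
SAMPLE_DSS is constructed from lines quoted in the thread."""
import re
from dataclasses import dataclass

# Values under ...\CurrentVersion\Policies\... that lock out an interactive
# user; 1 means the restriction is active. Extend the dict as needed.
RESTRICTIVE_POLICIES = {
    "NoControlPanel": "Control Panel blocked (the symptom in this thread)",
    "DisableRegistryTools": "regedit blocked, which a manual fix would need",
}
# Start-type digits exactly as DSS labels them in its section header.
START_TYPES = {"0": "Boot", "1": "System", "2": "Auto", "3": "Demand", "4": "Disabled"}

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
# Captures numeric (DWORD) values only, printed by DSS as "1 (0x1)"; tolerates
# the stray space before the closing quote seen in forum copies of logs.
VALUE_RE = re.compile(r'^"(?P<name>[^"]+?)\s*"\s*=\s*(?P<value>-?\d+)\b')
# "R2 name - target": R = running, S = stopped (assumed DSS convention).
ENTRY_RE = re.compile(r"^(?P<state>[RS])(?P<start>[0-4])\s+(?P<name>\S+)")


@dataclass
class Finding:
    kind: str      # "policy" or "orphaned-entry"
    name: str
    detail: str
    key: str = ""  # registry key, policy findings only


def section_name(line: str) -> str:
    """'-- Drivers: 0-Boot, ... ---' -> 'Drivers'; '-- Registry Dump ---' -> 'Registry Dump'."""
    return line[3:].split(":")[0].split(" --")[0].strip()


def triage(text: str) -> list[Finding]:
    """Walk a DSS log once and collect what a helper would act on."""
    findings: list[Finding] = []
    section, key = "", ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("-- "):
            section, key = section_name(line), ""
        elif section == "Registry Dump":
            if (k := KEY_RE.match(line)):
                key = k.group("key")
            elif ((m := VALUE_RE.match(line)) and "\\policies\\" in key.lower()
                  and m.group("name") in RESTRICTIVE_POLICIES and int(m.group("value"))):
                findings.append(Finding("policy", m.group("name"),
                                        RESTRICTIVE_POLICIES[m.group("name")], key))
        elif section in ("Drivers", "Services"):
            m = ENTRY_RE.match(line)
            # " - " separates the (display) name from the target; assumed not to occur in names.
            _head, sep, target = line.partition(" - ")
            if m and sep and "(file missing)" in target:
                start = m.group("start")
                findings.append(Finding(
                    "orphaned-entry", m.group("name"),
                    f"{section[:-1].lower()} start type {start} "
                    f"({START_TYPES[start]}), target {target}"))
    return findings


def undo_reg(findings: list[Finding]) -> str:
    """Build a .reg file (CRLF, as regedit writes them) that resets each flagged
    policy value to 0. Orphaned entries are deliberately left to a human."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for f in findings:
        if f.kind == "policy":
            lines += [f"[{f.key}]", f'"{f.name}"=dword:00000000', ""]
    return "\r\n".join(lines)


# Constructed from the DSS log posted in this thread (blank lines dropped).
SAMPLE_DSS = r"""
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R1 js1284 - c:\windows\system32\drivers\js1284.sys <Not Verified; JetFax, Inc.; JetSuite>
S2 DgiVecp - c:\windows\system32\drivers\dgivecp.sys (file missing)
S2 xlavba8 - c:\windows\xlavba8.exe (file missing)
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
R2 jsdaemon - c:\jetsuite\jsdaemon.exe <Not Verified; JetFax, Inc.; JetSuite>
-- Registry Dump ---------------------------------------------------------------
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_DSS):
        print(f"{f.kind:15} {f.name:22} {f.detail}")
    print(undo_reg(triage(SAMPLE_DSS)))
```

Run it against a saved main.txt by passing the file contents to triage(); the .reg text is only a starting point and still wants a look before it is imported.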
     
  7. 2007/11/10
    Geri

    Hi pdessena
    I see that at some point you ran SmitfraudFix. If you still have it please delete it so we can run a newer version.

    Please download SmitfraudFix (by S!Ri) to your Desktop.

    You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

    Next, please reboot your computer in Safe Mode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    Once in Safe Mode, double-click on SmitfraudFix.exe
    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
    A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
    The report can also be found at the root of the system drive, usually at C:\rapport.txt

    Have you ever used Registry Editor? Do you feel comfortable using Registry Editor?

    Please post the smitfraud report and a new dss log.

    Thanks
    Geri
     
    Geri,
    #6
  8. 2007/11/11
    pdessena

    pdessena Inactive Thread Starter

    Joined:
    2007/11/09
    Messages:
    7
    Likes Received:
    0
    smitfraud report & dss log

    Hi Geri, here is the new smitfraud report and dss log. I have one question... when I ran the smitfraudfix it seemed to be done so I exited, but then saw a windows disk cleanup box calculating how much space would be freed on c:. I canceled the process. Was this correct? Also, I am fine using registry editor.

    SmitFraudFix v2.252

    Scan done at 17:10:50.98, Sun 11/11/2007
    Run from C:\Documents and Settings\David A. Gray\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    »»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

    S!Ri's WS2Fix: LSP not Found.


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{4D1851A7-7EAA-4227-92CE-58F9474E3FA7}: DhcpNameServer=24.92.226.9 24.92.226.102
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{4D1851A7-7EAA-4227-92CE-58F9474E3FA7}: DhcpNameServer=24.92.226.9 24.92.226.102
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{4D1851A7-7EAA-4227-92CE-58F9474E3FA7}: DhcpNameServer=24.92.226.9 24.92.226.102
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.92.226.9 24.92.226.102
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.92.226.9 24.92.226.102
    HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=24.92.226.9 24.92.226.102


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End


    Deckard's System Scanner v20071014.68
    Run by David A. Gray on 2007-11-11 17:17:22
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    Percentage of Memory in Use: 86% (more than 75%).
    Total Physical Memory: 254 MiB (512 MiB recommended).


    -- HijackThis (run as David A. Gray.exe) ---------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:17:27 PM, on 11/11/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
    C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    c:\jetsuite\jsdaemon.exe
    C:\jetsuite\JETSTAT.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
    c:\jetsuite\JSFMAN.EXE
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
    C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\David A. Gray\Desktop\dss.exe
    C:\hjt\DAVIDA~1.EXE

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: DllCmd32.lnk = C:\jetsuite\DLLCMD32.EXE
    O4 - Global Startup: HP LaserJet 3100 Status.lnk = C:\jetsuite\JETSTAT.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/248cd80fb77842d12c05/netzip/RdxIE601.cab
    O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (WebProgramManager Class) - http://isupport4.hp.com/awebui/jsp/answerweb/applets/HPISWebManager.CAB
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176565511265
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
    O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
    O23 - Service: jsdaemon - JetFax, Inc. - c:\jetsuite\jsdaemon.exe
    O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
    O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

    --
    End of file - 5598 bytes

    -- Files created between 2007-10-11 and 2007-11-11 -----------------------------

    2007-11-09 23:54:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
    2007-11-09 21:02:03 0 d-------- C:\hjt
    2007-11-09 13:31:58 0 d--h----- C:\Documents and Settings\Administrator\Templates
    2007-11-09 13:31:58 0 dr------- C:\Documents and Settings\Administrator\Start Menu
    2007-11-09 13:31:58 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
    2007-11-09 13:31:58 0 dr-h----- C:\Documents and Settings\Administrator\Recent
    2007-11-09 13:31:58 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
    2007-11-09 13:31:58 0 d--h----- C:\Documents and Settings\Administrator\NetHood
    2007-11-09 13:31:58 0 dr------- C:\Documents and Settings\Administrator\My Documents
    2007-11-09 13:31:58 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
    2007-11-09 13:31:58 0 dr------- C:\Documents and Settings\Administrator\Favorites
    2007-11-09 13:31:58 0 d-------- C:\Documents and Settings\Administrator\Desktop
    2007-11-09 13:31:58 0 d---s---- C:\Documents and Settings\Administrator\Cookies
    2007-11-09 13:31:58 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
    2007-11-09 13:31:58 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
    2007-11-09 13:31:58 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
    2007-11-09 13:31:58 0 d-------- C:\Documents and Settings\Administrator\Application Data\Real
    2007-11-09 13:31:58 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
    2007-11-09 13:31:58 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
    2007-11-09 13:31:58 0 d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
    2007-11-09 13:31:57 651264 --a------ C:\Documents and Settings\Administrator\NTUSER.DAT
    2007-11-09 12:58:20 2272 --a------ C:\WINDOWS\System32\tmp.reg
    2007-11-09 12:57:25 25600 --a------ C:\WINDOWS\System32\WS2Fix.exe
    2007-11-09 12:57:25 289144 --a------ C:\WINDOWS\System32\VCCLSID.exe <Not Verified; S!Ri; >
    2007-11-09 12:57:25 51200 --a------ C:\WINDOWS\System32\dumphive.exe
    2007-11-09 12:57:24 288417 --a------ C:\WINDOWS\System32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
    2007-11-09 12:57:24 53248 --a------ C:\WINDOWS\System32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
    2007-11-08 22:37:51 0 d-------- C:\Program Files\Common Files\Scanner
    2007-11-08 22:37:31 0 d-------- C:\Documents and Settings\All Users\Application Data\CA
    2007-11-08 22:37:30 0 d-------- C:\Program Files\CA


    -- Find3M Report ---------------------------------------------------------------

    2007-11-08 23:25:09 0 d-------- C:\Program Files\SymNetDrv
    2007-11-08 23:23:49 0 d-------- C:\Program Files\SmartDraw 7
    2007-11-08 23:23:37 0 d-------- C:\Program Files\QuickTime
    2007-11-08 23:23:36 0 d-------- C:\Program Files\NetWaiting
    2007-11-08 23:23:31 0 d-------- C:\Program Files\Modem Helper
    2007-11-08 23:22:09 0 d-------- C:\Program Files\Lexmark X125
    2007-11-08 23:21:16 0 d-------- C:\Program Files\Google
    2007-11-08 23:21:15 0 d-------- C:\Program Files\Digital Line Detect
    2007-11-08 22:37:51 0 d-------- C:\Program Files\Common Files
    2007-09-27 11:51:55 0 d-------- C:\Documents and Settings\David A. Gray\Application Data\AdobeUM


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [04/07/2003 01:19 AM]
    "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [04/07/2003 01:07 AM]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [08/06/2003 02:04 AM]
    "StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [02/13/2003 02:01 AM]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [11/03/2003 02:09 PM]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [06/24/2006 08:50 AM]
    "cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [08/16/2007 10:25 PM]
    "CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [08/20/2007 01:42 PM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sonic RecordNow!"="" []
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [08/20/2002 04:08 PM]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
    "Symantec NetDriver Warning"=C:\PROGRA~1\SYMNET~1\SNDWarn.exe

    C:\Documents and Settings\David A. Gray\Start Menu\Programs\Startup\
    DESKTOP.INI [9/3/2002 10:00:00 AM]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    DESKTOP.INI [9/3/2002 10:00:00 AM]
    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [11/3/2003 2:06:26 PM]
    DllCmd32.lnk - C:\jetsuite\DLLCMD32.EXE [10/15/2004 11:48:53 AM]
    HP LaserJet 3100 Status.lnk - C:\jetsuite\JETSTAT.EXE [10/15/2004 11:48:53 AM]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1/21/2000 3:15:54 AM]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoControlPanel"=1 (0x1)




    -- End of Deckard's System Scanner: finished at 2007-11-11 17:17:51 ------------
     
  9. 2007/11/11
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi pdessena
    OK, we need to change the data value on this:

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoControlPanel"=1

    Open Registry Editor.
    Click Start > Run, type in regedit and click OK.
    Click the + sign next to each key and sub key until you come to explorer.
    Click on explorer; on the right side, right click on NoControlPanel and click Modify.
    In the window that opens, change the data value to 0 and click OK. OK any prompts.

    Click the + sign next to each key and sub key to deplete the registry hive back to where it started, then exit Registry Editor.

    Reboot your computer.

    Check to see if you can open Control Panel and your other administrative settings.

    Geri
     
    Geri,
    #8
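    Geri's fix comes down to spotting a non-zero lockdown policy in the DSS registry dump and resetting it to 0. The following Python script is an added example, not part of the thread or of DSS/HijackThis: it parses the dump format shown in post #8, flags active restriction policies (tolerating the stray spaces the forum inserts into quoted names), and emits the equivalent .reg fix. NoControlPanel and DisableRegistryTools are from the log; the other policy names are standard Windows policy values assumed here, and the sample dump is constructed.

```python
import re
from typing import List, NamedTuple

# Policy values (under ...\Policies\Explorer or ...\Policies\System) that
# malware commonly sets to lock the user out of admin tools. The first two
# appear in the thread's DSS dump; the rest are standard Windows policy names
# assumed here for completeness.
LOCKDOWN_POLICIES = {
    "NoControlPanel": "Control Panel blocked ('restrictions in effect' message)",
    "DisableRegistryTools": "Registry Editor blocked",
    "DisableTaskMgr": "Task Manager blocked",
    "NoRun": "Start > Run blocked",
    "NoFolderOptions": "Folder Options blocked",
}

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
# Accepts both "NoControlPanel"=1 (0x1) and the forum-mangled "NoControlPanel "=1
VALUE_RE = re.compile(r'^"(?P<name>[^"]+?)\s*"\s*=\s*(?P<val>\d+)')


class Finding(NamedTuple):
    key: str
    name: str
    value: int
    effect: str


def find_lockdown_policies(dump: str) -> List[Finding]:
    """Walk a DSS 'Registry Dump' section and return every lockdown policy
    whose value is non-zero, i.e. whose restriction is currently active."""
    findings: List[Finding] = []
    current_key = ""
    for raw in dump.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key")
            continue
        if "\\policies\\" not in current_key.lower():
            continue  # only the Policies subtrees carry these restrictions
        val_match = VALUE_RE.match(line)
        if not val_match:
            continue
        name = val_match.group("name").strip()
        value = int(val_match.group("val"))
        if name in LOCKDOWN_POLICIES and value != 0:
            findings.append(Finding(current_key, name, value, LOCKDOWN_POLICIES[name]))
    return findings


def remediation_reg(findings: List[Finding]) -> str:
    """Build a .reg file that resets each active restriction to 0, the same
    edit Geri has the poster make by hand in regedit."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for f in findings:
        lines += [f"[{f.key}]", f'"{f.name}"=dword:00000000', ""]
    return "\n".join(lines)


# Constructed sample in the shape of the DSS dump from post #8 (one line keeps
# the stray space the forum inserted before the closing quote).
SAMPLE_DUMP = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [04/07/2003 01:19 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel "=1 (0x1)
"""

if __name__ == "__main__":
    hits = find_lockdown_policies(SAMPLE_DUMP)
    for f in hits:
        print(f"{f.name}={f.value} in [{f.key}]: {f.effect}")
    print(remediation_reg(hits))
```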
  10. 2007/11/11
    pdessena

    pdessena Inactive Thread Starter

    Joined:
    2007/11/09
    Messages:
    7
    Likes Received:
    0
    it worked!

    You are a genius, Geri! Control panel is back and I am finally able to get to my other settings. Does everything else look ok, or is there still more for me to fix? This is my husband's computer -- he really had it in bad shape, but it seems to be good now. Thank you!!
     
  11. 2007/11/11
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi pdessena
    Good to hear:)
    Let's do a few things, then you should be good to go.
    Please do these in the order given.

    You can delete any tools you were asked to download and the files/folders or logs they created; there will be newer versions if they are ever needed again anyway.

    These tools
    Smitfraudfix.exe
    dss.exe

    These files/folders
    C:\WINDOWS\system32\dumphive.exe
    C:\WINDOWS\SYSTEM32\Process.exe
    C:\WINDOWS\SYSTEM32\SrchSTS.exe
    C:\WINDOWS\system32\VCCLSID.exe
    C:\WINDOWS\system32\WS2Fix.exe
    C:\WINDOWS\system32\tmp.reg
    C:\Deckard

    Download ATF Cleaner by Atribune and save it to your Desktop.
    This is a good tool to get rid of the temporary garbage you pick up while surfing the net.
    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin


    The rest are optional - if you want it to remove everything, check "Select All".
    Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.

    Please go HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report


    If Panda finds anything, post the log. Let me know how things are running.

    If everything's OK, then I will direct you to some preventive recommendations and the last steps you should do.

    Geri
     
  12. 2007/11/12
    pdessena

    pdessena Inactive Thread Starter

    Joined:
    2007/11/09
    Messages:
    7
    Likes Received:
    0
    panda scan was clear

    OK... I deleted all those files and ran panda scan -- no viruses were found!
     
  13. 2007/11/12
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi pdessena
    OK Very good. Good Job.

    This would be a good time to set a new system restore point for your machine.
    Set New System Restore Point Windows XP. - Set New System Restore Point Windows Vista
    Do not do this unless there are no other user accounts to be diagnosed.

    If there are any other user accounts on this machine, they, too, must be cleaned with AdAware and Spybot S&D. Not all infections are global, nor are all fixes global.
    Log onto that user account, run HJT and save the log, and post each user account's log here into this thread, but please do only one at a time to avoid confusion. Please let us know that it is a different account.


    Please look at this link for some preventive recommendations; it could keep you from ending up back here in the Spyware and Virus Removal Forums.
    http://www.windowsbbs.com/showthread.php?t=67958

    I will mark this one resolved if there are no other user accounts on this machine.

    Surf Safely
    Geri
     
  14. 2007/11/13
    pdessena

    pdessena Inactive Thread Starter

    Joined:
    2007/11/09
    Messages:
    7
    Likes Received:
    0
    thank you!

    There are no other users, so I think I'm all set. Thank you so much for your help!
     
