
Trojan Downloaders

Discussion in 'Malware and Virus Removal Archive' started by tjames238, 2007/06/12.

Thread Status:
Not open for further replies.
  1. 2007/06/16
    tjames238

    tjames238 Inactive Thread Starter

    Here is the logfile. Did you want a copy all the things quarantined by AVG 7.5?
    Logfile of HijackThis v1.99.1
    Scan saved at 11:26:45 AM, on 6/16/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\WINDOWS\explorer.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
    R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: (no name) - {031882e5-f020-40a9-849c-fde8950dba61} - C:\WINDOWS\system32\ipsuid.dll (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    O2 - BHO: ChinaBuy Class - {85FAEA13-9C62-4917-8571-B35C563A1943} - C:\WINDOWS\system32\buyunion.dll (file missing)
    O2 - BHO: QQHelper Class - {BF182DBF-1283-4BD3-86EE-D3239228770C} - C:\Program Files\Internet Explorer\Connection Wizard\QQZoneHelper.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [SiSPower] "Rundll32.exe" SiSPower.dll,ModeAgent
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
    O4 - HKLM\..\Run: [tlleiij] "C:\Program Files\directx\tlleiij.exe "
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe "
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HELPAN~1\HPQ\XPXWWPP5\plugin\bin\PCHButton.exe
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/no...ei/SmileyCentralFWBInitialSetup1.0.0.15-3.cab
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: ipsuid - ipsuid.dll (file missing)
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Fax 2Client (ms_2fax) - Unknown owner - C:\WINDOWS\system32\6e5a1.exe (file missing)
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
     
  2. 2007/06/17
    TeMerc

    TeMerc Inactive Alumni

    OK, looks like we're going to have to manually delete some things.

    First, let's delete all of the jobs located in the C:\WINDOWS\tasks folder. Navigate to the folder, and for each job, right-click and select 'Delete' until all are deleted.

    Then search for, and delete, if found, the following files/folders:
    C:\Program Files\ptjn<<<<---this folder
    C:\Program Files\LimeWire<<<<---this folder
    C:\Program Files\MyWebSearch<<<<---this folder
    C:\Program Files\FunWebProducts<<<<---this folder
    C:\Program Files\directx<<<<---this folder
    C:\Program Files\Freeze.com<<<<---this folder
    C:\Program Files\Free Offers from Freeze.com<<<<---this folder
    C:\DOCUME~1\COMPAQ~1\APPLIC~1\iWin<<<<---this folder

    Open Hijackthis, select the [Do a system scan only] button and look over the following entries I have listed, check the boxes [] next to them and press the [Fix Checked] button. When you are doing this, make sure you have No IE windows, nor any other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY... io&pf=desktop

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY... io&pf=desktop

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY... io&pf=desktop


    O2 - BHO: (no name) - {031882e5-f020-40a9-849c-fde8950dba61} - C:\WINDOWS\system32\ipsuid.dll (file missing)

    O2 - BHO: ChinaBuy Class - {85FAEA13-9C62-4917-8571-B35C563A1943} - C:\WINDOWS\system32\buyunion.dll (file missing)


    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...1.0.0.15-3.cab


    O20 - AppInit_DLLs:

    O20 - Winlogon Notify: ipsuid - ipsuid.dll (file missing)


    O23 - Service: Fax 2Client (ms_2fax) - Unknown owner - C:\WINDOWS\system32\6e5a1.exe (file missing)


    Reboot and run ComboFix first, then HJT, and post both logs back into this thread and advise of any ongoing or new problems.
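The checks TeMerc applied by hand to the log above can be written down as a small triage script. This is an added example, not part of the thread and not HijackThis or ComboFix code: it parses HJT v1.99-style entries and flags loading points whose file is missing, services with no vendor name, O4 autoruns launched from the folders he listed for deletion, and hosts-file entries that send several names to one remote address. The O2/O4/O20/O23 sample lines are copied from the first log in this thread; the O1 hosts lines are constructed with documentation-range addresses, and the MIN_NAMES_PER_IP threshold is an assumption.

```python
"""Triage helper for HijackThis v1.99-style logs (added example, not HJT code)."""
import re
from collections import defaultdict

# Sample log: the O2/O4/O20/O23 lines are copied from the first log in this
# thread; the O1 hosts lines are constructed with documentation-range
# addresses to stand in for the hijacked hosts-file entries in that log.
HJT_SAMPLE = r"""
Logfile of HijackThis v1.99.1
O1 - Hosts: 192.0.2.10 ads.example.net
O1 - Hosts: 192.0.2.10 union.example.net
O1 - Hosts: 192.0.2.10 code.example.org
O1 - Hosts: 198.51.100.20 stats.example.org
O1 - Hosts: 198.51.100.20 auto.search.example.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: (no name) - {031882e5-f020-40a9-849c-fde8950dba61} - C:\WINDOWS\system32\ipsuid.dll (file missing)
O2 - BHO: ChinaBuy Class - {85FAEA13-9C62-4917-8571-B35C563A1943} - C:\WINDOWS\system32\buyunion.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [tlleiij] "C:\Program Files\directx\tlleiij.exe "
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ipsuid - ipsuid.dll (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Fax 2Client (ms_2fax) - Unknown owner - C:\WINDOWS\system32\6e5a1.exe (file missing)
"""

# Folders TeMerc listed for deletion, lower-cased. The O4 check below only
# looks at the folder directly under Program Files, so "iwin" (which sits
# under Application Data) is kept for completeness but never matches here.
SUSPECT_FOLDERS = {
    "ptjn", "limewire", "mywebsearch", "funwebproducts", "directx",
    "freeze.com", "free offers from freeze.com", "iwin",
}
# Hosts-file sinks that are normal for ad blocking; anything else is a redirect.
LOCAL_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}
MIN_NAMES_PER_IP = 2  # assumption: how many names per remote IP before reporting

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+) (?P<name>\S+)$")
# Path after "[value name] ", either "quoted" or bare up to the first space.
O4_PATH_RE = re.compile(r'\] (?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')


def parse_entries(log_text):
    """Return the R*/O* entries of a log as (code, body, raw_line) tuples."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("code"), m.group("body"), line))
    return entries


def o4_vendor_folder(body):
    """Folder directly under Program Files that an O4 autorun launches from."""
    m = O4_PATH_RE.search(body)
    if not m:
        return None
    path = (m.group("quoted") or m.group("bare")).strip()
    parts = [p.lower() for p in path.split("\\")]
    for i, part in enumerate(parts[:-1]):
        if part in ("program files", "progra~1"):
            return parts[i + 1]
    return None


def hosts_redirects(entries):
    """Map remote IP -> hostnames for O1 entries that do not sink to localhost."""
    by_ip = defaultdict(list)
    for code, body, _ in entries:
        m = HOSTS_RE.match(body) if code == "O1" else None
        if m and m.group("ip") not in LOCAL_SINKS:
            by_ip[m.group("ip")].append(m.group("name"))
    return {ip: names for ip, names in by_ip.items() if len(names) >= MIN_NAMES_PER_IP}


def triage(log_text):
    """Return [(raw_line, reason), ...] for entries that warrant a closer look."""
    entries = parse_entries(log_text)
    findings = []
    for code, body, raw in entries:
        if "(file missing)" in body:
            findings.append((raw, "loading point whose target file is gone"))
        if code == "O23" and "Unknown owner" in body:
            findings.append((raw, "service with no vendor information"))
        if code == "O4" and o4_vendor_folder(body) in SUSPECT_FOLDERS:
            findings.append((raw, "autorun launched from a folder slated for deletion"))
    for ip, names in hosts_redirects(entries).items():
        findings.append((f"O1 - Hosts: {ip}", f"{len(names)} hostnames redirected to one remote IP"))
    return findings


if __name__ == "__main__":
    for raw, reason in triage(HJT_SAMPLE):
        print(f"{reason}\n    {raw}")
```

A "(file missing)" entry is the orphaned loading point of something already removed, which is why such lines are fixed in HJT rather than hunted for on disk.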
     


  4. 2007/06/17
    tjames238

    tjames238 Inactive Thread Starter

    Here is the ComboLog.
    ComboFix 07-06-13.3 - C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
    "Compaq_Owner" - 2007-06-17 16:00:30 - Service Pack 2 NTFS


    ((((((((((((((((((((((((( Files Created from 2007-05-17 to 2007-06-17 )))))))))))))))))))))))))))))))


    2007-06-16 00:52 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2007-06-16 00:42 <DIR> d-------- C:\!KillBox
    2007-06-14 21:55 49,152 --a------ C:\WINDOWS\nircmd.exe
    2007-06-14 21:17 <DIR> d-------- C:\VundoFix Backups
    2007-06-14 02:16 <DIR> d-------- C:\Spyware Tools
    2007-06-14 01:27 87,040 --a------ C:\WINDOWS\system32\wiafbdrv.dll
    2007-06-14 01:27 <DIR> d-------- C:\Program Files\Lexmark X1100 Series
    2007-06-14 00:58 <DIR> d-------- C:\Program Files\CCleaner
    2007-06-14 00:15 <DIR> d-------- C:\Program Files\ABBYY FineReader 6.0
    2007-06-14 00:15 <DIR> d-------- C:\Program Files\ABBYY FineReader 5.0 Sprint
    2007-06-13 11:35 1,572,864 --ah----- C:\DOCUME~1\ADMINI~1.JEF\NTUSER.DAT
    2007-06-13 11:35 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Webroot
    2007-06-13 11:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1.JEF\WINDOWS
    2007-06-13 11:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1.JEF\APPLIC~1\Symantec
    2007-06-13 11:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1.JEF\APPLIC~1\Sonic
    2007-06-13 11:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1.JEF\APPLIC~1\SampleView
    2007-06-13 11:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1.JEF\APPLIC~1\Real
    2007-06-13 11:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1.JEF\APPLIC~1\Intervideo
    2007-06-13 11:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1.JEF\APPLIC~1\Apple Computer
    2007-06-06 13:53 <DIR> d-------- C:\DOCUME~1\COMPAQ~1\APPLIC~1\Lavasoft
    2007-06-06 13:52 <DIR> d-------- C:\Program Files\Lavasoft


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-06-17 20:42:03 -------- d-----w C:\Program Files\directx
    2007-06-17 20:27:16 -------- d-----w C:\DOCUME~1\COMPAQ~1\APPLIC~1\WeatherBug
    2007-06-14 05:14:10 -------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-06-06 18:52:00 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2007-05-26 19:11:52 -------- d-----w C:\Program Files\Free Offers from Freeze.com
    2007-05-08 00:37:01 -------- d-----w C:\Program Files\HP Games
    2007-04-06 20:04:45 164 ----a-w C:\install.dat
    2006-04-02 01:14:52 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll [2006-04-17 19:37]
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 01:56]
    {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=C:\Program Files\Yahoo!\Common\yiesrvc.dll [2006-01-06 12:52]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll [2006-07-26 03:17]
    {7C554162-8CB7-45A4-B8F4-8EA1C75885F9}=C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll [2005-11-30 13:17]
    {BF182DBF-1283-4BD3-86EE-D3239228770C}=C:\Program Files\Internet Explorer\Connection Wizard\QQZoneHelper.dll [2005-05-29 10:07]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UpdateManager "= "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" []
    "TkBellExe "= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" []
    "ISUSPM Startup "= "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" []
    "ISUSScheduler "= "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" []
    "VTTimer "= "VTTimer.exe" []
    "SiSPower "= "Rundll32.exe" [2004-08-04 07:00 C:\WINDOWS\system32\rundll32.exe]
    "AGRSMMSG "= "AGRSMMSG.exe" [2004-06-29 19:06 C:\WINDOWS\AGRSMMSG.exe]
    "AlcxMonitor "= "ALCXMNTR.EXE" [2004-09-07 22:47 C:\WINDOWS\ALCXMNTR.EXE]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" []
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-06-05 17:38]
    "tlleiij "= "C:\Program Files\directx\tlleiij.exe" [2005-06-10 11:46]
    "Lexmark X1100 Series "= "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 05:43]
    "!AVG Anti-Spyware "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]
    "SpySweeper "= "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-03-01 19:55]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
    "Yahoo! Pager "= "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" []
    "Acme.PCHButton "= "C:\PROGRA~1\HELPAN~1\HPQ\XPXWWPP5\plugin\bin\PCHButton.exe" [2004-10-21 01:04]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8} "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 07:29]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs
    uyos


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480


    **************************************************************************

    catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-06-17 16:04:48
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-06-17 16:06:05
    C:\ComboFix-quarantined-files.txt ... 2007-06-17 16:05
    C:\ComboFix2.txt ... 2007-06-16 11:01
    C:\ComboFix3.txt ... 2007-06-14 22:03

    --- E O F ---
     
    Last edited: 2007/06/17
  5. 2007/06/17
    tjames238

    tjames238 Inactive Thread Starter

    Here is the HJT log.
    Logfile of HijackThis v1.99.1
    Scan saved at 4:07:45 PM, on 6/17/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\directx\tlleiij.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\WINDOWS\explorer.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
    R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    O2 - BHO: QQHelper Class - {BF182DBF-1283-4BD3-86EE-D3239228770C} - C:\Program Files\Internet Explorer\Connection Wizard\QQZoneHelper.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [SiSPower] "Rundll32.exe" SiSPower.dll,ModeAgent
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
    O4 - HKLM\..\Run: [tlleiij] "C:\Program Files\directx\tlleiij.exe "
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe "
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HELPAN~1\HPQ\XPXWWPP5\plugin\bin\PCHButton.exe
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Fax 2Client (ms_2fax) - Unknown owner - C:\WINDOWS\system32\6e5a1.exe (file missing)
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
     
  6. 2007/06/17
    tjames238 Inactive Thread Starter
    Do you want me to delete all the infections that AVG found that I quarantined?
     
    Last edited: 2007/06/17
  7. 2007/06/17
    TeMerc Inactive Alumni
    Read all instructions carefully before performing any steps.

    Please do as instructed below in the order presented.

    Ok, I just noticed I didn't tell you to disable SpySweeper:
    Open it, click the Options tab, then the Program Options tab and uncheck load at windows startup.
    Then click the Shields tab and uncheck Home Page Shield and Automatically restore default without notification.

    Now let's try and delete that service manually.

    Click the 'Start' button, select 'Run', hit 'Enter'.

    When box appears, type cmd, hit 'Enter'.

    At the command prompt type:
    sc delete ms_2fax

    Then hit 'Enter' and reboot the system into safe mode, this way:
    Turn on the computer
    Immediately begin tapping the <F8> key.
    Use the arrow keys to highlight Safe Mode and press the <Enter> key.

    Also, enable the 'Show Hidden Folders' option, like this:
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.

    Please hit the 'Ctrl' key + 'Alt' key + 'Delete' key to bring up the Task Manager and select the 'Processes' tab. Then find, highlight and select 'End Task' on the following process(es) if present:
    C:\Program Files\directx\tlleiij.exe

    Access your Add or Remove Programs Control Panel by hitting your [Start] button, select Control Panel and click on Add or Remove Programs. Then find the following programs and click the [Change|Remove] button for each, if they are listed. If they are not, continue with the instructions:
    directx

    Run HJT, and place a check next to the following lines, then, with all browsers and windows closed, hit 'Fix checked':


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY... io&pf=desktop

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY... io&pf=desktop

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY... io&pf=desktop


    ALL HOST Entries


    O4 - HKLM\..\Run: [tlleiij] "C:\Program Files\directx\tlleiij.exe "


    O23 - Service: Fax 2Client (ms_2fax) - Unknown owner - C:\WINDOWS\system32\6e5a1.exe (file missing)


    Search for, and delete, if found, the following files/folders:
    C:\Program Files\directx<<<<---this one

    Reboot and run ComboFix first, then HJT and post both logs back into this thread.


    We'll leave AVG stuff for now, seeing as we didn't get to see the log.
     
  8. 2007/06/17
    tjames238 Inactive Thread Starter
    Here is the Combo Log.
    ComboFix 07-06-13.3 - C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
    "Compaq_Owner" - 2007-06-14 21:56:05 - Service Pack 2 NTFS


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\DOCUME~1\ALLUSE~1\APPLIC~1.\t
    C:\DOCUME~1\ALLUSE~1\APPLIC~1.\t\a1009.dat
    C:\DOCUME~1\ALLUSE~1\APPLIC~1.\t\ad\d21dd114b\0001.exe
    C:\DOCUME~1\ALLUSE~1\APPLIC~1.\t\ad\send.lz
    C:\DOCUME~1\ALLUSE~1\APPLIC~1.\t\b1009.dat
    C:\DOCUME~1\ALLUSE~1\APPLIC~1.\t\k1009.dat
    C:\DOCUME~1\ALLUSE~1\APPLIC~1.\t\p1009.dat
    C:\DOCUME~1\ALLUSE~1\APPLIC~1.\t\r1009.dat
    C:\Program Files\deepdo
    C:\Program Files\deepdo\DeepdoBar\Favorite\favorite.ini
    C:\Program Files\deepdo\DeepdoBar\Favorite\Update.ini
    C:\Program Files\Internet Explorer\KVMonXP41.exe
    C:\Program Files\Internet Explorer\KVMonXP42.exe
    C:\Program Files\internet explorer\user32.dll
    C:\Program Files\ptjn\cgwa.dll
    C:\Program Files\ptjn\eiyc.dll
    C:\Program Files\ptjn\hlbf.dll
    C:\Program Files\ptjn\zdtx.dll
    C:\WINDOWS\7321.exe
    C:\WINDOWS\installreg.exe
    C:\WINDOWS\mydown_tmp.txt
    C:\WINDOWS\mywinsys.ini
    C:\WINDOWS\sysdn.ini
    C:\WINDOWS\system32\4b1.dll
    C:\WINDOWS\system32\advport.dll
    C:\WINDOWS\system32\b6e1.dll
    C:\WINDOWS\system32\drivers\dgyny.sys
    C:\WINDOWS\system32\drivers\iazjhv.sys
    C:\WINDOWS\system32\drivers\tugfry.sys
    C:\WINDOWS\system32\drivers\usrinit.dll
    C:\WINDOWS\system32\drivers\xtrpci.sys
    C:\WINDOWS\system32\iazjhv.dll
    C:\WINDOWS\system32\mywebhit.ini
    C:\WINDOWS\system32\mywebhit.ini.tmp
    C:\WINDOWS\system32\score.txt
    C:\WINDOWS\system32\scrsys070424.scr
    C:\WINDOWS\system32\tugfry.dll
    C:\WINDOWS\system32\usrinit.ini
    C:\WINDOWS\system32\xtrpci.dll


    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\LEGACY_BNESS
    -------\LEGACY_DGYNY
    -------\LEGACY_IAZJHV
    -------\LEGACY_MSQMX
    -------\LEGACY_SCRIPTS
    -------\LEGACY_TUGFRY
    -------\LEGACY_XTRPCI
    -------\BNESS
    -------\dgyny
    -------\iazjhv
    -------\Scripts
    -------\tugfry
    -------\xtrpci


    ((((((((((((((((((((((((( Files Created from 2007-05-15 to 2007-06-15 )))))))))))))))))))))))))))))))


    2007-06-14 21:55 49,152 --a------ C:\WINDOWS\nircmd.exe
    2007-06-14 21:17 <DIR> d-------- C:\VundoFix Backups
    2007-06-14 02:16 <DIR> d-------- C:\Spyware Tools
    2007-06-14 01:27 87,040 --a------ C:\WINDOWS\system32\wiafbdrv.dll
    2007-06-14 01:27 <DIR> d-------- C:\Program Files\Lexmark X1100 Series
    2007-06-14 00:58 <DIR> d-------- C:\Program Files\CCleaner
    2007-06-14 00:15 <DIR> d-------- C:\Program Files\ABBYY FineReader 6.0
    2007-06-14 00:15 <DIR> d-------- C:\Program Files\ABBYY FineReader 5.0 Sprint
    2007-06-14 00:14 <DIR> d-------- C:\Program Files\FaxTools
    2007-06-14 00:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BVRP Software
    2007-06-13 11:35 1,572,864 --ah----- C:\DOCUME~1\ADMINI~1.JEF\NTUSER.DAT
    2007-06-13 11:35 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Webroot
    2007-06-13 11:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1.JEF\WINDOWS
    2007-06-13 11:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1.JEF\APPLIC~1\Symantec
    2007-06-13 11:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1.JEF\APPLIC~1\Sonic
    2007-06-13 11:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1.JEF\APPLIC~1\SampleView
    2007-06-13 11:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1.JEF\APPLIC~1\Real
    2007-06-13 11:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1.JEF\APPLIC~1\Intervideo
    2007-06-13 11:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1.JEF\APPLIC~1\Apple Computer
    2007-06-13 11:26 114,688 -r------- C:\WINDOWS\system32\6e5a1.exe
    2007-06-06 13:53 <DIR> d-------- C:\DOCUME~1\COMPAQ~1\APPLIC~1\Lavasoft
    2007-06-06 13:52 <DIR> d-------- C:\Program Files\Lavasoft
    2007-06-05 23:34 43 --a------ C:\WINDOWS\hosts.dat
    2007-06-05 21:33 41,318 --a------ C:\WINDOWS\other32575625.exe
    2007-06-05 10:06 26,624 --a------ C:\WINDOWS\other2080936.exe
    2007-06-05 10:05 20,480 --a------ C:\WINDOWS\other14385623.exe
    2007-06-05 10:04 272,337 --a------ C:\WINDOWS\other22295779.exe
    2007-06-05 00:39 86,016 --a------ C:\WINDOWS\system32\buyunion.dll
    2007-06-02 17:02 26,112 --a------ C:\WINDOWS\other53484744.exe
    2007-06-02 17:02 20,480 --a------ C:\WINDOWS\other26934451.exe
    2007-06-02 17:01 272,337 --a------ C:\WINDOWS\other45660037.exe
    2007-06-02 11:02 26,112 --a------ C:\WINDOWS\other55646914.exe
    2007-06-02 11:01 272,337 --a------ C:\WINDOWS\other73229617.exe
    2007-06-02 11:01 20,480 --a------ C:\WINDOWS\other38854617.exe
    2007-05-29 22:06 162,142 --a------ C:\WINDOWS\other86213320.exe
    2007-05-29 15:27 20,480 --a------ C:\WINDOWS\other49917239.exe
    2007-05-29 15:16 272,337 --a------ C:\WINDOWS\other7168216.exe
    2007-05-28 12:22 272,337 --a------ C:\WINDOWS\other26545352.exe
    2007-05-28 12:22 20,480 --a------ C:\WINDOWS\other67205447.exe
    2007-05-28 12:12 272,337 --a------ C:\WINDOWS\other40087527.exe
    2007-05-28 12:12 20,480 --a------ C:\WINDOWS\other74169558.exe
    2007-05-28 12:12 <DIR> d-------- C:\Program Files\ptjn


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-06-14 06:26:18 -------- d-----w C:\Program Files\MyWebSearch
    2007-06-14 05:14:10 -------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-06-13 17:24:18 -------- d-----w C:\Program Files\FunWebProducts
    2007-06-10 16:46:30 -------- d-----w C:\Program Files\directx
    2007-06-06 21:01:18 -------- d-----w C:\Program Files\Freeze.com
    2007-06-06 18:52:00 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2007-06-05 21:19:05 8,704 ------w C:\WINDOWS\system32\nwizqqhx.dll
    2007-05-26 19:11:52 -------- d-----w C:\Program Files\Free Offers from Freeze.com
    2007-05-23 16:14:31 14,848 ----a-w C:\WINDOWS\system32\nwizwmsjs.dll
    2007-05-22 02:55:40 -------- d-----w C:\Program Files\Napster
    2007-05-14 03:25:43 -------- d-----w C:\Program Files\LimeWire
    2007-05-11 18:35:17 3,328 ----a-w C:\WINDOWS\MsAudio.sys
    2007-05-11 18:35:16 69,632 ----a-w C:\WINDOWS\EBSPI.dll
    2007-05-11 18:25:07 10,316 ----a-w C:\WINDOWS\jh.exe
    2007-05-11 12:25:48 8,704 ----a-w C:\WINDOWS\system32\dh2102.dll
    2007-05-11 12:14:47 8,704 ----a-w C:\WINDOWS\system32\dh2101.dll
    2007-05-11 01:06:06 8,704 ----a-w C:\WINDOWS\system32\dh2100.dll
    2007-05-08 00:41:29 -------- d-----w C:\DOCUME~1\COMPAQ~1\APPLIC~1\iWin
    2007-05-08 00:37:01 -------- d-----w C:\Program Files\HP Games
    2007-04-27 18:31:33 7,680 ------w C:\WINDOWS\system32\nwizwmgjs.dll
    2007-04-25 18:00:02 13,312 ------w C:\WINDOWS\system32\nwizQQFO.dll
    2007-04-21 15:03:39 13,312 ------w C:\WINDOWS\system32\nwizwows.dll
    2007-04-18 18:47:16 8,704 ------w C:\WINDOWS\system32\nwizwlwz100.dll
    2007-04-15 06:26:23 -------- d-----w C:\DOCUME~1\COMPAQ~1\APPLIC~1\HP
    2007-04-06 20:04:45 164 ----a-w C:\install.dat
    2007-03-15 17:04:26 5,658 ----a-w C:\DOCUME~1\COMPAQ~1\APPLIC~1\wklnhst.dat
    2006-04-02 01:14:52 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll [2006-04-17 19:37]
    {031882e5-f020-40a9-849c-fde8950dba61}=C:\WINDOWS\system32\ipsuid.dll []
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 01:56]
    {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=C:\Program Files\Yahoo!\Common\yiesrvc.dll [2006-01-06 12:52]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll [2006-07-26 03:17]
    {7C554162-8CB7-45A4-B8F4-8EA1C75885F9}=C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll [2005-11-30 13:17]
    {85FAEA13-9C62-4917-8571-B35C563A1943}=C:\WINDOWS\system32\buyunion.dll [2007-06-06 11:00]
    {BF182DBF-1283-4BD3-86EE-D3239228770C}=C:\Program Files\Internet Explorer\Connection Wizard\QQZoneHelper.dll [2005-05-29 10:07]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UpdateManager "= "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" []
    "TkBellExe "= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" []
    "ISUSPM Startup "= "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" []
    "ISUSScheduler "= "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" []
    "VTTimer "= "VTTimer.exe" []
    "SiSPower "= "Rundll32.exe" [2004-08-04 07:00 C:\WINDOWS\system32\rundll32.exe]
    "AGRSMMSG "= "AGRSMMSG.exe" [2004-06-29 19:06 C:\WINDOWS\AGRSMMSG.exe]
    "AlcxMonitor "= "ALCXMNTR.EXE" [2004-09-07 22:47 C:\WINDOWS\ALCXMNTR.EXE]
    "NapsterShell "= "C:\Program Files\Napster\napster.exe" [2006-06-29 14:17]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" []
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-06-05 17:38]
    "tlleiij "= "C:\Program Files\directx\tlleiij.exe" [2005-06-10 11:46]
    "Lexmark X1100 Series "= "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 05:43]
    "SpySweeper "= "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-03-01 19:55]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
    "Yahoo! Pager "= "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" []
    "Acme.PCHButton "= "C:\PROGRA~1\HELPAN~1\HPQ\XPXWWPP5\plugin\bin\PCHButton.exe" [2004-10-21 01:04]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ipsuid]
    ipsuid.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls "=

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs
    uyos


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480


    Contents of the 'Scheduled Tasks' folder
    2007-06-14 23:00:00 C:\WINDOWS\tasks\1Gh3yKYh.job
    2007-05-27 13:54:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    2007-06-14 23:00:00 C:\WINDOWS\tasks\h.job
    2007-06-14 23:00:00 C:\WINDOWS\tasks\K8NQTDXtgCeu8N4ob.job
    2007-06-14 23:00:00 C:\WINDOWS\tasks\MwqmTiWVHXBHan.job
    2007-06-14 23:00:00 C:\WINDOWS\tasks\PYca.job
    2007-06-13 21:00:00 C:\WINDOWS\tasks\wrSpySweeper_L45D879D57E484D71A474ECACCC08B700.job
    2007-06-13 21:00:00 C:\WINDOWS\tasks\wrSpySweeper_L78D979FD361544EBAB10BFA1D96C4EBA.job
    2007-06-14 23:00:00 C:\WINDOWS\tasks\zKl1Nm.job
    2007-06-14 23:00:00 C:\WINDOWS\tasks\ZVPkL7b4IVvNdigZAX.job

    **************************************************************************

    catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-06-14 22:01:23
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-06-14 22:03:46 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-06-14 22:03

    --- E O F ---
     
  9. 2007/06/17
    tjames238 Inactive Thread Starter
    Here is the HJT log. It seems to be running a lot better. That crazy webpage is gone. I am however getting an "OODAG.EXE has encountered a problem and needs to close." I get the options Debug, Send Error Report and Don't Send. There is another file replication that says the same thing only on a restart.

    Logfile of HijackThis v1.99.1
    Scan saved at 5:12:06 PM, on 6/17/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    O2 - BHO: QQHelper Class - {BF182DBF-1283-4BD3-86EE-D3239228770C} - C:\Program Files\Internet Explorer\Connection Wizard\QQZoneHelper.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [SiSPower] "Rundll32.exe" SiSPower.dll,ModeAgent
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe "
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HELPAN~1\HPQ\XPXWWPP5\plugin\bin\PCHButton.exe
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Fax 2Client (ms_2fax) - Unknown owner - C:\WINDOWS\system32\6e5a1.exe (file missing)
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
     
  10. 2007/06/18
    TeMerc Inactive Alumni
    Well, while the HJT log looks better, I'm dismayed at all the old files which have reappeared. Are you sure that SpySweeper was disabled? If not that would account for the old files reappearing.

    I'd like you to totally uninstall SpySweeper and delete all folders associated with it before we proceed any further.

    Also, once you start fixing things, physically disconnect from the net to do everything instructed.

    Run another AVG scan, but it's imperative you save the log and post it so I know exactly what it found. Those directions I provided are very explicit and when followed, the log is saved and able to be posted.

    Be sure to update it first though, as they update every single day, sometimes 2-3 times a day. Once the scan is run and the log saved then:
    Let's break out Killbox again and, using the same instructions as previously, insert the following files for deletion:
    C:\WINDOWS\system32\6e5a1.exe
    C:\WINDOWS\hosts.dat
    C:\WINDOWS\other32575625.exe
    C:\WINDOWS\other2080936.exe
    C:\WINDOWS\other14385623.exe
    C:\WINDOWS\other22295779.exe
    C:\WINDOWS\system32\buyunion.dll
    C:\WINDOWS\other53484744.exe
    C:\WINDOWS\other26934451.exe
    C:\WINDOWS\other45660037.exe
    C:\WINDOWS\other55646914.exe
    C:\WINDOWS\other73229617.exe
    C:\WINDOWS\other38854617.exe
    C:\WINDOWS\other86213320.exe
    C:\WINDOWS\other49917239.exe
    C:\WINDOWS\other7168216.exe
    C:\WINDOWS\other26545352.exe
    C:\WINDOWS\other67205447.exe
    C:\WINDOWS\other40087527.exe
    C:\WINDOWS\other74169558.exe
    C:\Program Files\ptjn
    C:\Program Files\MyWebSearch
    C:\Program Files\FunWebProducts
    C:\Program Files\directx
    C:\Program Files\Freeze.com
    C:\Program Files\Free Offers from Freeze.com
    C:\WINDOWS\system32\nwizwmsjs.dll
    C:\Program Files\Napster
    C:\Program Files\LimeWire
    C:\WINDOWS\jh.exe
    C:\DOCUME~1\COMPAQ~1\APPLIC~1\iWin


    Go and delete those tasks in the C:\Windows\tasks folder again.

    Then run HJT and fix the following line:
    O23 - Service: Fax 2Client (ms_2fax) - Unknown owner - C:\WINDOWS\system32\6e5a1.exe (file missing)

    Reboot and run ComboFix first, then HJT and post both logs back into this thread.
     
  11. 2007/06/18
    tjames238

    tjames238 Inactive Thread Starter

    Joined:
    2006/06/19
    Messages:
    57
    Likes Received:
    0
    Here is the ComboFix log. I ran the AVG scan and no reports were generated. It found a few low-risk tracking cookies and adware. I followed the directions just as you gave them and it created no report. Everything you had me quarantine is still in quarantine, but no report.

    ComboFix 07-06-13.3 - C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
    "Compaq_Owner" - 2007-06-18 9:46:42 - Service Pack 2 NTFS


    ((((((((((((((((((((((((( Files Created from 2007-05-18 to 2007-06-18 )))))))))))))))))))))))))))))))


    2007-06-16 00:52 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2007-06-16 00:42 <DIR> d-------- C:\!KillBox
    2007-06-14 21:55 49,152 --a------ C:\WINDOWS\nircmd.exe
    2007-06-14 21:17 <DIR> d-------- C:\VundoFix Backups
    2007-06-14 02:16 <DIR> d-------- C:\Spyware Tools
    2007-06-14 01:27 87,040 --a------ C:\WINDOWS\system32\wiafbdrv.dll
    2007-06-14 01:27 <DIR> d-------- C:\Program Files\Lexmark X1100 Series
    2007-06-14 00:58 <DIR> d-------- C:\Program Files\CCleaner
    2007-06-14 00:15 <DIR> d-------- C:\Program Files\ABBYY FineReader 6.0
    2007-06-14 00:15 <DIR> d-------- C:\Program Files\ABBYY FineReader 5.0 Sprint
    2007-06-13 11:35 1,572,864 --ah----- C:\DOCUME~1\ADMINI~1.JEF\NTUSER.DAT
    2007-06-13 11:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1.JEF\WINDOWS
    2007-06-13 11:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1.JEF\APPLIC~1\Symantec
    2007-06-13 11:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1.JEF\APPLIC~1\Sonic
    2007-06-13 11:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1.JEF\APPLIC~1\SampleView
    2007-06-13 11:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1.JEF\APPLIC~1\Real
    2007-06-13 11:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1.JEF\APPLIC~1\Intervideo
    2007-06-13 11:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1.JEF\APPLIC~1\Apple Computer
    2007-06-06 13:53 <DIR> d-------- C:\DOCUME~1\COMPAQ~1\APPLIC~1\Lavasoft
    2007-06-06 13:52 <DIR> d-------- C:\Program Files\Lavasoft


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-06-17 20:27:16 -------- d-----w C:\DOCUME~1\COMPAQ~1\APPLIC~1\WeatherBug
    2007-06-14 05:14:10 -------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-06-06 18:52:00 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2007-05-26 19:11:52 -------- d-----w C:\Program Files\Free Offers from Freeze.com
    2007-05-08 00:37:01 -------- d-----w C:\Program Files\HP Games
    2007-04-06 20:04:45 164 ----a-w C:\install.dat
    2006-04-02 01:14:52 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll [2006-04-17 19:37]
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 01:56]
    {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=C:\Program Files\Yahoo!\Common\yiesrvc.dll [2006-01-06 12:52]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll [2006-07-26 03:17]
    {7C554162-8CB7-45A4-B8F4-8EA1C75885F9}=C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll [2005-11-30 13:17]
    {BF182DBF-1283-4BD3-86EE-D3239228770C}=C:\Program Files\Internet Explorer\Connection Wizard\QQZoneHelper.dll [2005-05-29 10:07]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UpdateManager "= "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" []
    "TkBellExe "= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" []
    "ISUSPM Startup "= "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" []
    "ISUSScheduler "= "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" []
    "VTTimer "= "VTTimer.exe" []
    "SiSPower "= "Rundll32.exe" [2004-08-04 07:00 C:\WINDOWS\system32\rundll32.exe]
    "AGRSMMSG "= "AGRSMMSG.exe" [2004-06-29 19:06 C:\WINDOWS\AGRSMMSG.exe]
    "AlcxMonitor "= "ALCXMNTR.EXE" [2004-09-07 22:47 C:\WINDOWS\ALCXMNTR.EXE]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" []
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-06-05 17:38]
    "Lexmark X1100 Series "= "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 05:43]
    "!AVG Anti-Spyware "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
    "Yahoo! Pager "= "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" []
    "Acme.PCHButton "= "C:\PROGRA~1\HELPAN~1\HPQ\XPXWWPP5\plugin\bin\PCHButton.exe" [2004-10-21 01:04]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8} "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 07:29]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs
    uyos


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480


    **************************************************************************

    catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-06-18 09:50:19
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-06-18 9:51:11
    C:\ComboFix-quarantined-files.txt ... 2007-06-18 09:50
    C:\ComboFix2.txt ... 2007-06-17 17:09
    C:\ComboFix3.txt ... 2007-06-17 16:06

    --- E O F ---
     
  12. 2007/06/18
    tjames238

    tjames238 Inactive Thread Starter

    Joined:
    2006/06/19
    Messages:
    57
    Likes Received:
    0
    Logfile of HijackThis v1.99.1
    Scan saved at 9:52:22 AM, on 6/18/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
    R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    O2 - BHO: QQHelper Class - {BF182DBF-1283-4BD3-86EE-D3239228770C} - C:\Program Files\Internet Explorer\Connection Wizard\QQZoneHelper.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [SiSPower] "Rundll32.exe" SiSPower.dll,ModeAgent
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe "
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HELPAN~1\HPQ\XPXWWPP5\plugin\bin\PCHButton.exe
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Fax 2Client (ms_2fax) - Unknown owner - C:\WINDOWS\system32\6e5a1.exe (file missing)
     
  13. 2007/06/18
    tjames238

    tjames238 Inactive Thread Starter

    Joined:
    2006/06/19
    Messages:
    57
    Likes Received:
    0
    This is weird because I have it set to "generate a report after every scan" like you said and unchecked "only if threats were found". A report should be generated. Trust me, I work with computers for a living, so it is not like I don't understand your directions. You make everything pretty easy to understand (which is good). I am not understanding why no report has been generated. If you can think of anything I am doing wrong, please let me know. :)
     
  14. 2007/06/18
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Ok, well, logs look good, save for the one service; not sure why that sucker keeps re-appearing.

    Let's run another system scanning tool to see what that finds.

    Then download ComboScan to your desktop. Alternate download link

    Close all applications and windows.
    • Double-click on comboscan.exe to run it, and follow the prompts.
    • When the scan is complete, a text file will open - ComboScan.txt
    • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of ComboScan.txt back into this thread for me to view.
    A folder, C:\ComboScan, will also open. In it will be another text file, Supplementary.txt.
    Please attach Supplementary.txt to your post.

    Note: Some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

    At this point reboot the system, and post back another HJT log file along with the other two logs requested.
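    One way to check, between runs, for entries that were already fixed but are back (like the ms_2fax service above), as an added example that is not code from the thread or from HijackThis; the sample log and backups lines are constructed from the logs quoted in this thread, and the three checks (reappeared entries, O23 services with a missing binary, O1 hosts entries pointing at a non-local address) are this example's own, not a HijackThis feature:

```python
"""Triage HijackThis (HJT) logs across runs: flag entries that were fixed earlier
but are back, orphaned O23 services whose binary is missing, and O1 hosts-file
entries that point names at a non-loopback address.

Added example for this thread; not code from the posts or from HijackThis.
The sample lines are constructed from the logs quoted in the thread.
"""
import re
from dataclasses import dataclass

# An HJT entry line: section code (R0, O2, O23, ...), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<section>[OR]\d{1,2}) - (?P<body>.+)$")
# A line of the "HijackThis Fixed Entries" listing: backup-YYYYMMDD-HHMMSS-NNN <entry>
BACKUP_RE = re.compile(r"^backup-\d{8}-\d{6}-\d+ (?P<entry>[OR]\d{1,2} - .+)$")
# Body of an O1 entry: "Hosts: <address> <hostname>"
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+) (?P<host>\S+)$")
LOCAL_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


@dataclass(frozen=True)
class Entry:
    section: str
    body: str


def parse_log(text):
    """Return the entry lines of an HJT log; header and process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def parse_backups(text):
    """Return the entries recorded as fixed in HJT's backups listing."""
    fixed = []
    for raw in text.splitlines():
        m = BACKUP_RE.match(raw.strip())
        if m:
            fixed.extend(parse_log(m.group("entry")))
    return fixed


def reappeared(fixed, current):
    """Entries fixed in an earlier run that are present again in the current log."""
    fixed_set = set(fixed)
    return [e for e in current if e in fixed_set]


def orphaned_services(entries):
    """O23 service registrations whose binary HJT reports as missing: the
    service key survives in the registry even though its file is gone."""
    return [e for e in entries
            if e.section == "O23" and e.body.endswith("(file missing)")]


def hosts_redirects(entries):
    """O1 hosts entries that map a name to something other than a local address."""
    hits = []
    for e in entries:
        m = HOSTS_RE.match(e.body) if e.section == "O1" else None
        if m and m.group("ip") not in LOCAL_ADDRESSES:
            hits.append((m.group("host"), m.group("ip")))
    return hits


def triage(log_text, backups_text):
    """Run all three checks and return the findings keyed by check name."""
    current = parse_log(log_text)
    fixed = parse_backups(backups_text)
    return {
        "reappeared": reappeared(fixed, current),
        "orphaned_services": orphaned_services(current),
        "hosts_redirects": hosts_redirects(fixed + current),
    }


# Constructed sample: a trimmed HJT log and backups listing modelled on the thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Fax 2Client (ms_2fax) - Unknown owner - C:\WINDOWS\system32\6e5a1.exe (file missing)
"""
SAMPLE_BACKUPS = r"""
backup-20070617-155423-699 O23 - Service: Fax 2Client (ms_2fax) - Unknown owner - C:\WINDOWS\system32\6e5a1.exe (file missing)
backup-20070617-170003-101 O1 - Hosts: 203.191.146.205 sb.alexaanywhere.com
backup-20070617-170003-439 O2 - BHO: ChinaBuy Class - {85FAEA13-9C62-4917-8571-B35C563A1943} - C:\WINDOWS\system32\buyunion.dll (file missing)
"""

if __name__ == "__main__":
    for check, findings in triage(SAMPLE_LOG, SAMPLE_BACKUPS).items():
        print(f"{check}:")
        for finding in findings:
            print("   ", finding)
```

    An O23 entry that reappears after a fix with "(file missing)" is a registry service key without a binary; removing the key (the HJT fix) rather than hunting for the file is what clears it.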
     
  15. 2007/06/18
    tjames238

    tjames238 Inactive Thread Starter

    Joined:
    2006/06/19
    Messages:
    57
    Likes Received:
    0
    The first link didn't work so I used the alternate link. There was no comboscan.txt or supplementary.txt. I found a main.txt and extra.txt and a moved.txt that is 1kb. I am sending them all. This is half of the main.txt log because it is too big for one post.

    This is main.txt:

    Deckard's System Scanner v20070611.50
    Run by Compaq_Owner on 2007-06-18 at 12:23:51
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    Successfully created a Deckard's System Scanner Restore Point.


    -- Last 5 Restore Point(s) --
    87: 2007-06-18 17:23:57 UTC - RP399 - Deckard's System Scanner Restore Point
    86: 2007-06-18 00:14:34 UTC - RP398 - System Checkpoint
    85: 2007-06-16 05:37:08 UTC - RP397 - Removed Napster Burn Engine
    84: 2007-06-16 05:36:50 UTC - RP396 - Removed Napster
    83: 2007-06-16 05:33:13 UTC - RP395 - Removed ePhoneTools


    -- First Restore Point --
    1: 2007-03-20 20:58:40 UTC - RP313 - System Checkpoint


    Backed up registry hives.

    Performed disk cleanup.


    -- HijackThis (run as Compaq_Owner.exe) ----------------------------------------

    Logfile of HijackThis v1.99.1
    Scan saved at 12:24:57 PM, on 6/18/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Documents and Settings\Compaq_Owner\Desktop\dss.exe
    C:\PROGRA~1\HIJACK~1\Compaq_Owner.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cjonline.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
    R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    O2 - BHO: QQHelper Class - {BF182DBF-1283-4BD3-86EE-D3239228770C} - C:\Program Files\Internet Explorer\Connection Wizard\QQZoneHelper.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [SiSPower] "Rundll32.exe" SiSPower.dll,ModeAgent
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe "
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HELPAN~1\HPQ\XPXWWPP5\plugin\bin\PCHButton.exe
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Fax 2Client (ms_2fax) - Unknown owner - C:\WINDOWS\system32\6e5a1.exe (file missing)


    -- HijackThis Fixed Entries (C:\PROGRA~1\HIJACK~1\backups\) --------------------

    backup-20070617-155350-122 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
    backup-20070617-155350-129 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
    backup-20070617-155350-296 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
    backup-20070617-155350-307 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
    backup-20070617-155350-323 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
    backup-20070617-155350-439 O2 - BHO: ChinaBuy Class - {85FAEA13-9C62-4917-8571-B35C563A1943} - C:\WINDOWS\system32\buyunion.dll (file missing)
    backup-20070617-155350-482 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
    backup-20070617-155350-522 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
    backup-20070617-155350-551 O2 - BHO: (no name) - {031882e5-f020-40a9-849c-fde8950dba61} - C:\WINDOWS\system32\ipsuid.dll (file missing)
    backup-20070617-155350-576 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
    backup-20070617-155350-681 O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/no...ei/SmileyCentralFWBInitialSetup1.0.0.15-3.cab
    backup-20070617-155350-814 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
    backup-20070617-155422-218 O20 - Winlogon Notify: ipsuid - ipsuid.dll (file missing)
    backup-20070617-155423-699 O23 - Service: Fax 2Client (ms_2fax) - Unknown owner - C:\WINDOWS\system32\6e5a1.exe (file missing)
    backup-20070617-170003-101 O1 - Hosts: 203.191.146.205 sb.alexaanywhere.com
    backup-20070617-170003-129 O1 - Hosts: 203.191.146.205 bannerbox.cn
    backup-20070617-170003-134 O1 - Hosts: 202.109.114.142 u.u8u.com
    backup-20070617-170003-136 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
    backup-20070617-170003-145 O1 - Hosts: 202.109.114.142 tvsend.7town.com
    backup-20070617-170003-159 O1 - Hosts: 202.109.114.142 w1.7clink.com
    backup-20070617-170003-161 O1 - Hosts: 202.109.114.142 union.qq.com
    backup-20070617-170003-165 O1 - Hosts: 202.109.114.142 code.qihoo.com
    backup-20070617-170003-176 O1 - Hosts: 202.109.114.142 un.265.com
    backup-20070617-170003-181 O1 - Hosts: 203.191.146.205 corep.dmcast.com
    backup-20070617-170003-192 O1 - Hosts: 202.109.114.142 www.u8u.com
    backup-20070617-170003-203 O1 - Hosts: 203.191.146.205 error.newcell.cn
    backup-20070617-170003-208 O1 - Hosts: 202.109.114.142 unstat.baidu.com
    backup-20070617-170003-232 O1 - Hosts: 203.191.146.205 u4.sky99.cn
    backup-20070617-170003-240 O1 - Hosts: 202.109.114.142 union01.com
    backup-20070617-170003-244 O1 - Hosts: 202.109.114.142 stbanner.allyes.com
    backup-20070617-170003-256 O1 - Hosts: 202.109.114.142 ivr1.moyu.com
    backup-20070617-170003-265 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
    backup-20070617-170003-266 O1 - Hosts: 202.109.114.142 u.91ivr.com
    backup-20070617-170003-268 O1 - Hosts: 203.191.146.205 u1.sky99.cn
    backup-20070617-170003-281 O1 - Hosts: 203.191.146.205 u3.sky99.cn
    backup-20070617-170003-289 O1 - Hosts: 202.109.114.142 pub.lele.com
    backup-20070617-170003-295 O1 - Hosts: 202.109.114.142 mg.ukaka.com
    backup-20070617-170003-296 O23 - Service: Fax 2Client (ms_2fax) - Unknown owner - C:\WINDOWS\system32\6e5a1.exe (file missing)
    backup-20070617-170003-297 O1 - Hosts: 202.109.114.142 mms.t2t2.com
    backup-20070617-170003-309 O1 - Hosts: 202.109.114.142 www.8fff.com
    backup-20070617-170003-311 O1 - Hosts: 203.191.146.205 www.bannerbox.cn
    backup-20070617-170003-339 O1 - Hosts: 203.191.146.205 u.sky99.cn
    backup-20070617-170003-342 O1 - Hosts: 202.109.114.142 u.moyu.com
    backup-20070617-170003-343 O1 - Hosts: 202.109.114.142 union.91ivr.com
    backup-20070617-170003-360 O1 - Hosts: 203.191.146.205 pop.9v.cn
    backup-20070617-170003-367 O1 - Hosts: 203.191.146.205 files.henbang.net
    backup-20070617-170003-386 O1 - Hosts: 203.191.146.205 sky99.cn
    backup-20070617-170003-388 O1 - Hosts: 202.109.114.142 u.lele.com
    backup-20070617-170003-400 O1 - Hosts: 202.109.114.142 creative.unionsys.bolaa.com
    backup-20070617-170003-401 O1 - Hosts: 202.109.114.142 myad.91ivr.com
    backup-20070617-170003-403 O1 - Hosts: 202.109.114.142 channel.e78.com
    backup-20070617-170003-405 O1 - Hosts: 203.191.146.205 m081.dmcast.com
    backup-20070617-170003-411 O1 - Hosts: 202.109.114.142 www.ewowo.com
    backup-20070617-170003-424 O1 - Hosts: 202.109.114.142 tl.a8.com
    backup-20070617-170003-428 O1 - Hosts: 202.109.114.142 adtaobao.allyes.com
    backup-20070617-170003-433 O1 - Hosts: 203.191.146.205 www.tanip.com
    backup-20070617-170003-435 O1 - Hosts: 202.109.114.142 www.fboat.cn
    backup-20070617-170003-441 O1 - Hosts: 202.109.114.142 tlt.7town.com
    backup-20070617-170003-442 O1 - Hosts: 202.109.114.142 union.95ol.com.cn
    backup-20070617-170003-452 O1 - Hosts: 202.109.114.142 ad01.a8.com
    backup-20070617-170003-456 O1 - Hosts: 202.109.114.142 template.union.163.com
    backup-20070617-170003-460 O1 - Hosts: 202.109.114.142 mms1.moyu.com
    backup-20070617-170003-471 O1 - Hosts: 202.109.114.142 view.aliunion.cn.yahoo.com
    backup-20070617-170003-488 O1 - Hosts: 202.109.114.142 www.qyule.com
    backup-20070617-170003-494 O1 - Hosts: 202.109.114.142 w2.7clink.com
    backup-20070617-170003-496 O1 - Hosts: 202.109.114.142 ivrsend.moyu.com
    backup-20070617-170003-509 O1 - Hosts: 203.191.146.205 iebar.t2t2.com
    backup-20070617-170003-510 O1 - Hosts: 202.109.114.142 img.zhangxiu.com
    backup-20070617-170003-516 O1 - Hosts: 202.109.114.142 u.7town.com
    backup-20070617-170003-542 O1 - Hosts: 202.109.114.142 union.narrowad.com
    backup-20070617-170003-547 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
    backup-20070617-170003-554 O1 - Hosts: 202.109.114.142 kooxoo2.ad4all.net
    backup-20070617-170003-558 O1 - Hosts: 202.109.114.142 js.kkunion.com
    backup-20070617-170003-569 O1 - Hosts: 202.109.114.142 union.pomoho.com
    backup-20070617-170003-580 O1 - Hosts: 203.191.146.205 ip.alexaanywhere.com
    backup-20070617-170003-593 O1 - Hosts: 202.109.114.142 mmssend.moyu.com
    backup-20070617-170003-595 O1 - Hosts: 202.109.114.142 ln.heima8.com
    backup-20070617-170003-615 O1 - Hosts: 202.109.114.142 gsend.7town.com
    backup-20070617-170003-625 O1 - Hosts: 202.109.114.142 smssend.7town.com
    backup-20070617-170003-634 O1 - Hosts: 202.109.114.142 u2.caiku.com
    backup-20070617-170003-637 O1 - Hosts: 202.109.114.142 show.moyu.com
    backup-20070617-170003-652 O1 - Hosts: 203.191.146.205 xuni.myad.cn
    backup-20070617-170003-666 O1 - Hosts: 202.109.114.142 mms1.95ol.com.cn
    backup-20070617-170003-668 O1 - Hosts: 203.191.146.205 jssb.alexaanywhere.com
    backup-20070617-170003-671 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
    backup-20070617-170003-682 O1 - Hosts: 203.191.146.205 alexaanywhere.com
    backup-20070617-170003-689 O1 - Hosts: 202.109.114.142 union.mop.com
    backup-20070617-170003-690 O1 - Hosts: 202.109.114.142 91ivr.com
    backup-20070617-170003-692 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
    backup-20070617-170003-693 O1 - Hosts: 202.109.114.142 99e.cc
    backup-20070617-170003-695 O1 - Hosts: 202.109.114.142 mmsu.moyu.com
    backup-20070617-170003-710 O1 - Hosts: 203.191.146.205 www.365tan.com
    backup-20070617-170003-718 O1 - Hosts: 202.109.114.142 v.21cn.com
    backup-20070617-170003-723 O1 - Hosts: 202.109.114.142 code1.caiku.com
    backup-20070617-170003-727 O1 - Hosts: 202.109.114.142 mfs.95ol.com.cn
    backup-20070617-170003-732 O1 - Hosts: 203.191.146.205 dcww.dmcast.com
    backup-20070617-170003-736 O1 - Hosts: 202.109.114.142 survey88.allyes.com
    backup-20070617-170003-738 O1 - Hosts: 202.109.114.142 click.8le8le.com
    backup-20070617-170003-759 O1 - Hosts: 202.109.114.142 y.cnxad.com
    backup-20070617-170003-766 O1 - Hosts: 203.191.146.205 action.coopen.cn
    backup-20070617-170003-775 O1 - Hosts: 202.109.114.142 7town.com
    backup-20070617-170003-782 O1 - Hosts: 202.109.114.142 iplusms.allyes.com
    backup-20070617-170003-799 O1 - Hosts: 202.109.114.142 v.kkunion.com
    backup-20070617-170003-805 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
    backup-20070617-170003-824 O1 - Hosts: 202.109.114.142 mms.caiku.com
    backup-20070617-170003-832 O1 - Hosts: 202.109.114.142 ivrsend.7town.com
    backup-20070617-170003-848 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
    backup-20070617-170003-849 O1 - Hosts: 203.191.146.205 www.winopen.cn
    backup-20070617-170003-852 O1 - Hosts: 202.109.114.142 new.is686.com
    backup-20070617-170003-855 O1 - Hosts: 203.191.146.205 auto.search.msn.com
    backup-20070617-170003-885 O1 - Hosts: 203.191.146.205 u.ete.cn
    backup-20070617-170003-892 O1 - Hosts: 202.109.114.142 www.91ivr.com
    backup-20070617-170003-894 O1 - Hosts: 203.191.146.205 u2.sky99.cn
    backup-20070617-170003-900 O4 - HKLM\..\Run: [tlleiij] "C:\Program Files\directx\tlleiij.exe"
    backup-20070617-170003-901 O1 - Hosts: 202.109.114.142 ivr.dobig.net
    backup-20070617-170003-916 O1 - Hosts: 202.109.114.142 cpro.baidu.com
    backup-20070617-170003-926 O1 - Hosts: 202.109.114.142 cm.p4p.cn.yahoo.com
    backup-20070617-170003-930 O1 - Hosts: 202.109.114.142 tl.linktone.com
    backup-20070617-170003-938 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
    backup-20070617-170003-941 O1 - Hosts: 203.191.146.205 ip.alexaanywhere.com
    backup-20070617-170003-954 O1 - Hosts: 203.191.146.205 renren.dmcast.com
    backup-20070617-170003-969 O1 - Hosts: 202.109.114.142 ivru.moyu.com
    backup-20070617-170003-975 O1 - Hosts: 202.109.114.142 www.end123.com
    backup-20070617-170003-977 O1 - Hosts: 203.191.146.205 ns250.alexaanywhere.com
    backup-20070617-170003-999 O1 - Hosts: 202.109.114.142 202.107.233.211
    backup-20070618-094400-110 O23 - Service: Fax 2Client (ms_2fax) - Unknown owner - C:\WINDOWS\system32\6e5a1.exe (file missing)

    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R3 Iviaspi (IVI ASPI Shell) - c:\windows\system32\drivers\iviaspi.sys <Not Verified; InterVideo, Inc.; InterVideo ASPI Shell>
    R3 Pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>

    S3 SYMIDSCO - c:\progra~1\common~1\symant~1\symcdata\ids-di~1\20040813.178\symidsco.sys (file missing)


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    S2 ms_2fax (Fax 2Client) - c:\windows\system32\6e5a1.exe (file missing)
    S2 O&O Defrag - c:\windows\system32\oodag.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>


    -- Files created between 2007-05-18 and 2007-06-18 -----------------------------

    2007-06-16 00:53:06 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Grisoft
    2007-06-16 00:42:17 0 d-------- C:\!KillBox
    2007-06-14 22:00:34 0 d-------- C:\Avenger
    2007-06-14 21:17:52 0 d-------- C:\VundoFix Backups
    2007-06-14 02:16:36 0 d-------- C:\Spyware Tools
    2007-06-14 01:59:51 0 dr-h----- C:\Documents and Settings\Compaq_Owner\Recent
    2007-06-14 01:28:09 0 d-------- C:\Documents and Settings\NetworkService\Start Menu
    2007-06-14 01:27:45 0 d-------- C:\Program Files\Lexmark X1100 Series
    2007-06-14 00:58:31 0 d-------- C:\Program Files\CCleaner
    2007-06-14 00:15:07 0 d-------- C:\Program Files\ABBYY FineReader 6.0
    2007-06-14 00:15:07 0 d-------- C:\Program Files\ABBYY FineReader 5.0 Sprint
    2007-06-13 11:35:35 0 dr-h----- C:\Documents and Settings\Administrator.JEFFERSON-AW\SendTo
    2007-06-13 11:35:35 0 dr-h----- C:\Documents and Settings\Administrator.JEFFERSON-AW\Recent
    2007-06-13 11:35:35 0 d--h----- C:\Documents and Settings\Administrator.JEFFERSON-AW\PrintHood
    2007-06-13 11:35:35 0 d--h----- C:\Documents and Settings\Administrator.JEFFERSON-AW\NetHood
    2007-06-13 11:35:35 0 dr------- C:\Documents and Settings\Administrator.JEFFERSON-AW\My Documents
    2007-06-13 11:35:35 0 d--h----- C:\Documents and Settings\Administrator.JEFFERSON-AW\Local Settings
    2007-06-13 11:35:35 0 dr------- C:\Documents and Settings\Administrator.JEFFERSON-AW\Favorites
    2007-06-13 11:35:35 0 d-------- C:\Documents and Settings\Administrator.JEFFERSON-AW\Desktop
    2007-06-13 11:35:35 0 d---s---- C:\Documents and Settings\Administrator.JEFFERSON-AW\Cookies
    2007-06-13 11:35:35 0 dr-h----- C:\Documents and Settings\Administrator.JEFFERSON-AW\Application Data
    2007-06-13 11:35:35 0 d-------- C:\Documents and Settings\Administrator.JEFFERSON-AW\Application Data\Symantec
    2007-06-13 11:35:35 0 d-------- C:\Documents and Settings\Administrator.JEFFERSON-AW\Application Data\Sun
    2007-06-13 11:35:35 0 d-------- C:\Documents and Settings\Administrator.JEFFERSON-AW\Application Data\Sonic
    2007-06-13 11:35:35 0 d-------- C:\Documents and Settings\Administrator.JEFFERSON-AW\Application Data\SampleView
    2007-06-13 11:35:35 0 d-------- C:\Documents and Settings\Administrator.JEFFERSON-AW\Application Data\Real
    2007-06-13 11:35:35 0 d---s---- C:\Documents and Settings\Administrator.JEFFERSON-AW\Application Data\Microsoft
    2007-06-13 11:35:35 0 d-------- C:\Documents and Settings\Administrator.JEFFERSON-AW\Application Data\Intervideo
    2007-06-13 11:35:35 0 d-------- C:\Documents and Settings\Administrator.JEFFERSON-AW\Application Data\Identities
    2007-06-13 11:35:35 0 d-------- C:\Documents and Settings\Administrator.JEFFERSON-AW\Application Data\Apple Computer
    2007-06-13 11:35:34 0 d-------- C:\Documents and Settings\Administrator.JEFFERSON-AW\WINDOWS
    2007-06-13 11:35:34 0 d--h----- C:\Documents and Settings\Administrator.JEFFERSON-AW\Templates
    2007-06-13 11:35:34 0 dr------- C:\Documents and Settings\Administrator.JEFFERSON-AW\Start Menu
    2007-06-13 11:35:33 1572864 --ah----- C:\Documents and Settings\Administrator.JEFFERSON-AW\NTUSER.DAT
    2007-06-06 13:53:22 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Lavasoft
    2007-06-06 13:52:48 0 d-------- C:\Program Files\Lavasoft
    2007-06-05 21:33:43 0 --a------ C:\WINDOWS\system32\sua
    2007-06-05 18:49:31 0 dr-h----- C:\$VAULT$.AVG
    2007-06-05 17:39:09 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\AVG7
    2007-06-05 17:38:54 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2007-06-05 17:38:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2007-06-05 17:38:17 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
    2007-06-05 14:35:06 68 --a------ C:\WINDOWS\system32\ff21
    2007-06-05 14:05:05 68 --a------ C:\WINDOWS\system32\eab4
    2007-06-05 13:35:04 68 --a------ C:\WINDOWS\system32\ab44a
    2007-06-05 13:05:03 68 --a------ C:\WINDOWS\system32\aa0
    2007-06-05 12:35:02 68 --a------ C:\WINDOWS\system32\a37
    2007-06-05 12:05:01 68 --a------ C:\WINDOWS\system32\7269
    2007-06-05 11:34:56 68 --a------ C:\WINDOWS\system32\6ea
    2007-06-05 11:04:55 68 --a------ C:\WINDOWS\system32\4ae
    2007-06-05 10:34:53 68 --a------ C:\WINDOWS\system32\44ae
    2007-06-05 10:04:52 68 --a------ C:\WINDOWS\system32\2690f8
    2007-06-05 10:04:52 29 --a------ C:\WINDOWS\system32\102-102-2564
    2007-06-05 10:04:20 10 --a------ C:\WINDOWS\system32\86-102-2564
    2007-05-29 11:36:30 10 --a------ C:\WINDOWS\system32\ÿÿÿÿÄ÷Ê


    -- Find3M Report ---------------------------------------------------------------

    2007-06-17 15:27:16 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\WeatherBug
    2007-06-14 00:14:10 0 d--h----- C:\Program Files\InstallShield Installation Information
    2007-06-06 13:52:00 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-05-26 14:11:52 0 d-------- C:\Program Files\Free Offers from Freeze.com
    2007-05-07 19:37:01 0 d-------- C:\Program Files\HP Games
    2007-04-06 15:04:45 164 --a------ C:\install.dat
     
  16. 2007/06/18
    tjames238

    This is the 2nd part of the main.txt:

    -- Registry Dump ---------------------------------------------------------------

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {02478D38-C3F9-4EFB-9B51-7695ECA05670} C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} C:\Program Files\Yahoo!\Common\yiesrvc.dll
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    {BF182DBF-1283-4BD3-86EE-D3239228770C} C:\Program Files\Internet Explorer\Connection Wizard\QQZoneHelper.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
    "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "ISUSPM Startup"="\"C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe\" -startup"
    "ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
    "VTTimer"="VTTimer.exe"
    "SiSPower"="\"Rundll32.exe\" SiSPower.dll,ModeAgent"
    "AGRSMMSG"="AGRSMMSG.exe"
    "AlcxMonitor"="ALCXMNTR.EXE"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
    "AVG7_CC"="\"C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe\" /STARTUP"
    "Lexmark X1100 Series"="\"C:\\Program Files\\Lexmark X1100 Series\\lxbkbmgr.exe\""
    "!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
    "Acme.PCHButton"="C:\\PROGRA~1\\HELPAN~1\\HPQ\\XPXWWPP5\\plugin\\bin\\PCHButton.exe"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"=dword:00000000

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
    Authentication Packages REG_MULTI_SZ msv1_0\0\0
    Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
    Notification Packages REG_MULTI_SZ scecli\0\0

    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver
    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0

    hklm\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
    uyos


    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
    Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480


    -- Hosts -----------------------------------------------------------------------

    127.0.0.1 mmsk.cn
    127.0.0.1 ikaka.com
    127.0.0.1 safe.qq.com
    127.0.0.1 360safe.com
    127.0.0.1 bbs.360safe.com
    127.0.0.1 www.mmsk.cn
    127.0.0.1 www.ikaka.com
    127.0.0.1 tool.ikaka.com
    127.0.0.1 www.360safe.com
    127.0.0.1 zs.kingsoft.com

    28 more entries in hosts file.


    -- End of Deckard's System Scanner: finished at 2007-06-18 at 12:25:35 ---------
     
  17. 2007/06/18
    tjames238

    This is the extra.txt and moved.txt. The alternate link called this Deckard instead of ComboScan but said it is the same thing.

    Deckard's System Scanner v20070611.50
    Extra logfile - please post this as an attachment with your post.
    --------------------------------------------------------------------------------

    -- System Information ----------------------------------------------------------

    Microsoft Windows XP Home Edition (build 2600) SP 2.0
    Architecture: X86; Language: English

    CPU 0: AMD Sempron(tm) Processor 3100+
    Percentage of Memory in Use: 66%
    Physical Memory (total/avail): 447.48 MiB / 149.25 MiB
    Pagefile Memory (total/avail): 1054.55 MiB / 798.44 MiB
    Virtual Memory (total/avail): 2047.88 MiB / 1977.62 MiB

    C: is Fixed (NTFS) - 69.26 GiB total, 53.42 GiB free.
    D: is Fixed (FAT32) - 5.26 GiB total, 0.77 GiB free.
    E: is CDROM (No Media)
    F: is Removable (No Media)
    G: is Removable (No Media)
    H: is Removable (No Media)
    I: is Removable (No Media)


    -- Security Center -------------------------------------------------------------

    AUOptions is scheduled to auto-install.
    Windows Internal Firewall is enabled.

    FirstRunDisabled is set.

    AV: AVG 7.5.472 v7.5.472 (GRISOFT)

    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    -- Environment Variables -------------------------------------------------------

    ALLUSERSPROFILE=C:\Documents and Settings\All Users
    APPDATA=C:\Documents and Settings\Compaq_Owner\Application Data
    CLASSPATH=.;C:\Program Files\Java\jre1.5.0_08\lib\ext\QTJava.zip
    CLIENTNAME=Console
    CommonProgramFiles=C:\Program Files\Common Files
    COMPUTERNAME=JEFFERSON-AW
    ComSpec=C:\WINDOWS\system32\cmd.exe
    FP_NO_HOST_CHECK=NO
    HOMEDRIVE=C:
    HOMEPATH=\Documents and Settings\Compaq_Owner
    LOGONSERVER=\\JEFFERSON-AW
    NUMBER_OF_PROCESSORS=1
    OS=Windows_NT
    Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;c:\Python22;C:\Program Files\PC-Doctor for Windows\;C:\Program Files\QuickTime\QTSystem\
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 15 Model 12 Stepping 0, AuthenticAMD
    PROCESSOR_LEVEL=15
    PROCESSOR_REVISION=0c00
    ProgramFiles=C:\Program Files
    PROMPT=$P$G
    QTJAVA=C:\Program Files\Java\jre1.5.0_08\lib\ext\QTJava.zip
    SESSIONNAME=Console
    SystemDrive=C:
    SystemRoot=C:\WINDOWS
    TEMP=C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp
    TMP=C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp
    USERDOMAIN=JEFFERSON-AW
    USERNAME=Compaq_Owner
    USERPROFILE=C:\Documents and Settings\Compaq_Owner
    windir=C:\WINDOWS


    -- User Profiles ---------------------------------------------------------------

    Compaq_Owner (admin)
    Administrator.JEFFERSON-AW (admin)


    -- Add/Remove Programs ---------------------------------------------------------

    --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
    --> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
    --> C:\WINDOWS\system32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
    --> c:\WINDOWS\system32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
    --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E06E4F4E-72D6-4497-BFFD-BCB43077C2F4}\setup.exe" -l0x9 -uninst
    --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
    ABBYY FineReader 5.0 Sprint --> MsiExec.exe /X{D1696920-9794-4BBC-8A30-7A88763DE5A2}
    Ad-Aware SE Personal --> MsiExec.exe /X{78CC3BAB-DE2A-4FB4-8FBB-E4DADDC26747}
    Adobe Reader 7.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
    Agere Systems PCI Soft Modem --> agrsmdel
    AOL Uninstaller --> C:\Program Files\Common Files\AOL\uninstaller.exe
    Apple Software Update --> MsiExec.exe /I{A50C25D7-62E9-4511-AD70-8E2DA5E79B7D}
    AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
    AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
    CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
    Compaq Connections --> C:\WINDOWS\BWUnin-6.3.2.62.exe -AppId 6750491
    Compaq Organize --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D0122362-6333-4DE4-93F6-A5A2F3CC101A}\Setup.exe" UNINSTALL
    Help and Support Additions --> C:\PROGRA~1\HELPAN~1\UNWISE.EXE C:\PROGRA~1\HELPAN~1\INSTALL.LOG
    High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
    Hijackthis 1.99.1 --> "C:\Program Files\Hijackthis\unins000.exe"
    HijackThis 1.99.1 --> C:\Program Files\Hijackthis\HijackThis.exe /uninstall
    HP Imaging Device Functions 6.0 --> C:\Program Files\HP\Digital Imaging\DigitalImagingMonitor\hpzscr01.exe -datfile hpqbud01.dat
    HP Photosmart Cameras 4.5 --> C:\Program Files\HP\Digital Imaging\{B775508A-4420-4D47-B408-918427CE0616}\setup\hpzscr01.exe -datfile hpiscr01.dat
    HP Photosmart Cameras 6.0 --> C:\Program Files\HP\Digital Imaging\{ADFF8986-B539-466c-8F1E-DB82AA33649B}\setup\hpzscr01.exe -datfile hpiscr01.dat
    HP Photosmart Premier Software 6.0 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
    HP Software Update --> MsiExec.exe /X{ECFDD6BD-E0C0-41CC-A171-E6D6AF4C0E93}
    HP Solution Center and Imaging Support Tools 6.0 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
    Interactive User’s Guide --> MsiExec.exe /I{E786D4DB-EB0D-4474-ADC2-3C229BC17FCA}
    InterVideo DiscLabel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C3F058C0-A21C-452D-8D99-95B1A45F417D}\setup.exe" REMOVEALL
    InterVideo WinDVD Creator --> "C:\Program Files\InstallShield Installation Information\{2FCE4FC5-6930-40E7-A4F1-F862207424EF}\setup.exe" REMOVEALL
    InterVideo WinDVD Player --> "C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
    iTunes --> MsiExec.exe /I{446DBFFA-4088-48E3-8932-74316BA4CAE4}
    J2SE Runtime Environment 5.0 Update 8 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150080}
    Java 2 Runtime Environment, SE v1.4.2_03 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
    KBD --> C:\HP\KBD\KBD.EXE uninstalled
    Lexmark X1100 Series --> C:\WINDOWS\system32\spool\drivers\w32x86\3\LXBKUN5C.EXE -dLexmark X1100 Series
    LP Recorder --> C:\PROGRA~1\LPRECO~1\UNWISE.EXE C:\PROGRA~1\LPRECO~1\INSTALL.LOG
    LP Ripper --> C:\PROGRA~1\LPRIPP~1\UNWISE.EXE C:\PROGRA~1\LPRIPP~1\INSTALL.LOG
    Macromedia Flash Player 8 --> C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe
    Macromedia Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
    Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
    Microsoft Office Home and Student 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall HOMESTUDENTR /dll OSETUP.DLL
    Microsoft Office Home and Student 2007 --> MsiExec.exe /X{91120000-002F-0000-0000-0000000FF1CE}
    Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
    Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
    Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
    Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
    Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
    Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
    Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
    Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
    Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
    Microsoft Plus! Digital Media Edition Installer --> MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}
    Microsoft Plus! Photo Story 2 LE --> MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}
    Microsoft Works --> MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
    Move Networks Player for Internet Explorer --> "C:\Documents and Settings\Compaq_Owner\Application Data\Move Networks\ie_bin\unins000.exe"
    MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
    Netflix Preview Player --> MsiExec.exe /X{4D758B1D-8CEE-4DE7-89EB-5622FE7DD7F6}
    PC-Doctor for Windows --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{0C66761E-497A-4BE3-AE0D-8EC30FC9A9AA} /l1033
    PS2 --> C:\WINDOWS\system32\ps2.exe uninstall
    Python 2.2 combined Win32 extensions --> C:\Python22\Lib\SITE-P~1\UNWISE~1.EXE C:\Python22\Lib\SITE-P~1\w32inst.log
    Python 2.2.1 --> C:\Python22\UNWISE.EXE C:\Python22\INSTALL.LOG
    QuickTime --> MsiExec.exe /I{50D8FFDD-90CD-4859-841F-AA1961C7767A}
    RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
    SiS VGA Utilities --> Rundll32 SiSInst.dll,Uninstall VGA,R,oem12.inf
    Sonic RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
    Sonic Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
    Trivial Pursuit 'Bring On the 90's' Edition --> "C:\Program Files\HP Games\Trivial Pursuit 'Bring On the 90's' Edition\Uninstall.exe"
    Wave Corrector DeClick version 1.0 --> "C:\Program Files\WaveCorDC\unins000.exe"
    Windows uyos UnInstall --> C:\WINDOWS\system32\rundll32.exe c:\progra~1\ptjn\zdtx.dll,Service -u
    Yahoo! Browser Services --> C:\PROGRA~1\Yahoo!\Common\unyext.exe
    Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
    Yahoo! Internet Mail --> C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
    Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE C:\PROGRA~1\Yahoo!\MESSEN~1\install.log
    Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe


    -- End of Deckard's System Scanner: finished at 2007-06-18 at 12:25:35 ---------

    This is the MOVED.txt:

    Directories/Files moved to C:\Deckard\System Scanner\backup

    2007-06-18 09:51:15 5937 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\log.txt
    2007-06-18 12:22:02 40960 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\rtdrvmon.exe <Not Verified; Realtek; rtdrvmon>
    2004-09-29 20:04:00 45208 --a------ C:\WINDOWS\Downloaded Program Files\SymDlBrg.dll <Verified; Symantec Corporation; Symantec Shared Components>
    2004-07-28 15:06:16 154744 --a------ C:\WINDOWS\Downloaded Program Files\yinsthelper.dll <Verified; Yahoo! Inc.; YInstHelper Module>

    -*- End of Logfile -*-
     
  18. 2007/06/18
    tjames238

    I forgot to add this.
    Logfile of HijackThis v1.99.1
    Scan saved at 10:17:49 PM, on 6/18/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cjonline.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
    R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    O2 - BHO: QQHelper Class - {BF182DBF-1283-4BD3-86EE-D3239228770C} - C:\Program Files\Internet Explorer\Connection Wizard\QQZoneHelper.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [SiSPower] "Rundll32.exe" SiSPower.dll,ModeAgent
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe "
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HELPAN~1\HPQ\XPXWWPP5\plugin\bin\PCHButton.exe
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Fax 2Client (ms_2fax) - Unknown owner - C:\WINDOWS\system32\6e5a1.exe (file missing)
     
  19. 2007/06/19
    tjames238 (Inactive Thread Starter)
    Do those newer logs look OK to you, TeMerc? I notice that Fax 2Client is still on there. What do you think?
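The entry being asked about, `O23 - Service: Fax 2Client (ms_2fax) - Unknown owner - C:\WINDOWS\system32\6e5a1.exe (file missing)`, shows the traits a malware-removal helper looks for in the service section of a HijackThis log: no vendor recorded, a short hex-looking binary name, and a registration whose file is already gone (the usual leftover after an antivirus quarantines the payload but not the service key). As an added example, not code from this thread or from HijackThis, here is a small Python triage that parses O23 lines and flags exactly those traits; the sample lines are constructed from the log above, and the all-hex filename heuristic is my own assumption rather than a HijackThis rule.

```python
from __future__ import annotations
import re

# HijackThis O23 line layout, as seen in the log above:
#   O23 - Service: <display name> [(<short name>)] - <owner> - <path> [(file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^)]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Assumed heuristic (not a HijackThis rule): a short all-hex basename is a common
# trait of dropped payloads and deserves a second look.
HEX_NAME_RE = re.compile(r"^[0-9a-f]{4,8}\.exe$", re.IGNORECASE)

# Constructed sample: two benign AVG services plus the questioned Fax 2Client entry.
SAMPLE_LOG = r"""
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: Fax 2Client (ms_2fax) - Unknown owner - C:\WINDOWS\system32\6e5a1.exe (file missing)
"""

def parse_o23(line: str) -> dict | None:
    # Return the fields of one O23 line, or None if the line is not an O23 entry.
    m = O23_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["missing"] = entry["missing"] is not None  # "(file missing)" suffix present?
    return entry

def triage_service(entry: dict) -> list[str]:
    # List the reasons an O23 entry deserves review; an empty list means nothing stood out.
    reasons = []
    if entry["owner"].lower() == "unknown owner":
        reasons.append("no vendor recorded for the service binary")
    if entry["missing"]:
        # Registration without a binary: typically what a quarantine leaves behind.
        reasons.append("service still registered but its binary is gone")
    basename = entry["path"].replace("/", "\\").rsplit("\\", 1)[-1]
    if HEX_NAME_RE.match(basename):
        reasons.append(f"random-looking executable name {basename!r}")
    return reasons

def triage_log(text: str) -> list[tuple[str, list[str]]]:
    # Run every O23 line of a HijackThis log through triage_service.
    findings = []
    for line in text.splitlines():
        entry = parse_o23(line)
        if entry is not None and (reasons := triage_service(entry)):
            findings.append((entry["display"], reasons))
    return findings
```

Running `triage_log(SAMPLE_LOG)` leaves the two AVG services untouched and reports Fax 2Client with all three reasons, which is the stale leftover the thread is asking about.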
     
  20. 2007/06/19
    TeMerc (Inactive Alumni)
    I'm inquiring about a couple of those entries; I'll post back once I have a definitive answer.
     
  21. 2007/06/19
    tjames238 (Inactive Thread Starter)
    Ok, thanks. I will check back later.
     