View Full Version : help please winantispyware problem
Joe Musser
08-23-2007, 08:53 PM
I keep getting a pop up to download winantispyware and i think it is a virus I ran a HJT log and noticed more than I bargained for can anyone here sort this out for me please Logfile of HijackThis v1.99.1
Scan saved at 7:41:21 PM, on 8/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\WINDOWS\svhost.exe
C:\WINDOWS\system32\lexpps.exe
C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Documents and Settings\Dad\My Documents\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = 64.136.29.30;64.136.44.66;64.136.29.34;searchap.un td.com;127.0.0.1;localhost;*microsoft.com;*windows update.com;*wustat.windows.com;*.pogo.com;*test-speed.com;liveupdate.symantecliveupdate.com;*syman tec.com;*.nai.com;*.networkassociates.com;*.dir.un td.com;*.prod.untd.com;*.2mdn.net;cf.netzero.net;q s.netzero.net;*.advertising.com;<local>
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\sw g.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [{2F-F2-20-02-ZN}] C:\WINDOWS\SYSTEM32\lmdsrngo.exe CHD003
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: TA_Start.lnk = C:\WINDOWS\SYSTEM32\lmdsrngo.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.drivecleaner.com (HKLM)
O15 - Trusted Zone: *.errorprotector.com (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantispyware.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)
O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - [url]http://vsp.closetmaid.com/vsp/cmaidctl_vsp.closetmaid.com_downloader.cab[/url]
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - [url]http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll[/url]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [url]https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab[/url]
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
Thanks in advance for your help J M
Joe Musser
08-23-2007, 08:54 PM
one more quick question is there a better firewall out there than windows firewall I have already had trouble with someone bypassing it
Budfred
08-23-2007, 09:34 PM
This isn't really a virus, so antivirus software will generally not kill it... And yes, there are a number of much better firewalls, but installing one now would probably be futile since it would probably be corrupted... I will give you some ideas once this is cleaned up...
Start with this:
1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall...
and then do this:
* Click here (http://support.f-secure.com/enu/home/ols.shtml) to use the F-Secure Online Scanner
Then click the Start Scanning button below.
You should get a notification (bar on top) to install the activeX. Click on it and select to install the ActiveX.
Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
In case you are having problems with installing the ActiveX/starting the scan, please read here (http://support.f-secure.com/enu/home/ols-faq.shtml).
Click the Full System Scan button.
It will start to download scanner components and databases. This can take a while.
The main scan will start.
Once the scan finished scanning, click the Automatic cleaning (recommended) button
It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
The cleaning can take a while, so please be patient.
Then click the Show report button and copy and paste what's present under results in your next reply.
Post the logs using as many posts as needed to get them all posted... Stay off the internet as much as possible and do not install any program that isn't needed to complete this fix... You need to carry this through to the end this time if you want help from me again...
Joe Musser
08-24-2007, 04:11 PM
ComboFix 07-08-17.2 - "Dad" 2007-08-24 14:52:43.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.633 [GMT -4:00]
* Created a new restore point
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\DOCUME~1\Dad\Desktop\internet.lnk
C:\DOCUME~1\Dad\STARTM~1\Programs\Startup.\TA_Star t.lnk
C:\Program Files\svhost
C:\Program Files\svhost\wr-1-0000077.exe
C:\Temp\fse
C:\WINDOWS\svhost.exe
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\zxdnt3d.cfg
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_FAD
((((((((((((((((((((((((( Files Created from 2007-07-24 to 2007-08-24 )))))))))))))))))))))))))))))))
2007-08-24 14:50 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-20 15:44 <DIR> d-------- C:\DOCUME~1\Mom\APPLIC~1\Motive
2007-08-20 14:36 <DIR> d-------- C:\DOCUME~1\Mom\APPLIC~1\Verizon
2007-08-18 11:22 <DIR> d-------- C:\DOCUME~1\sam\APPLIC~1\Motive
2007-08-18 11:13 <DIR> d-------- C:\DOCUME~1\sam\APPLIC~1\Verizon
2007-08-17 18:41 <DIR> d-------- C:\DOCUME~1\Dad\APPLIC~1\Motive
2007-08-17 18:37 <DIR> d-------- C:\Program Files\PlayLinc
2007-08-17 18:33 <DIR> d-------- C:\WINDOWS\bin
2007-08-17 18:33 <DIR> d-------- C:\DOCUME~1\Dad\APPLIC~1\Verizon
2007-08-17 18:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Verizon
2007-08-17 18:32 <DIR> d-------- C:\Program Files\Common Files\Motive
2007-08-17 18:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Motive
2007-08-17 18:22 <DIR> d-------- C:\WINDOWS\DSL
2007-08-17 18:22 <DIR> d-------- C:\Program Files\Verizon
2007-08-15 18:31 <DIR> d-------- C:\Program Files\Dell A940
2007-08-13 14:44 <DIR> d-------- C:\Program Files\Common Files\SupportSoft
2007-08-12 18:02 <DIR> d-------- C:\DOCUME~1\Dad\APPLIC~1\MSN6
2007-08-12 18:02 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MSN6
2007-07-25 22:09 <DIR> d-------- C:\DOCUME~1\TEMP\APPLIC~1\The Labyrinth Plus! Edition
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
2007-08-23 15:55 --------- d-------- C:\Program Files\ewido anti-malware
2007-08-19 17:12 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-19 17:12 --------- d-------- C:\Program Files\HASBRO Interactive
2007-08-19 17:09 --------- d-------- C:\Program Files\GameSpy Arcade
2007-08-19 17:09 --------- d-------- C:\Program Files\Bumper Wars
2007-08-19 17:08 --------- d-------- C:\Program Files\Yahoo!
2007-08-19 17:08 --------- d-------- C:\Program Files\Common Files\Scanner
2007-08-19 17:04 --------- d-------- C:\Program Files\AIM
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\dllcache\wups.dll
2007-07-27 18:07 783224 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-07-27 18:02 94416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-27 18:02 92848 --a--c--- C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-27 18:00 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-27 17:59 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-27 17:58 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-27 17:57 95608 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-07-23 04:57 --------- d-------- C:\Program Files\Connection Wizard
2007-07-19 02:59 3583488 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
2007-07-12 19:31 765952 --a------ C:\WINDOWS\system32\dllcache\vgx.dll
2007-07-06 10:03 --------- d-------- C:\Program Files\Diablo II
2007-07-06 10:02 --------- d-------- C:\Program Files\Diablo
2007-06-27 10:34 823808 --a------ C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-27 10:34 671232 --a------ C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-27 10:34 6058496 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-06-27 10:34 52224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-06-27 10:34 477696 --a------ C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-27 10:34 459264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-06-27 10:34 44544 --a------ C:\WINDOWS\system32\dllcache\iernonce.dll
2007-06-27 10:34 384512 --a------ C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-06-27 10:34 383488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-06-27 10:34 27648 --a------ C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-27 10:34 267776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-06-27 10:34 232960 --------- C:\WINDOWS\system32\dllcache\webcheck.dll
2007-06-27 10:34 230400 --a------ C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-06-27 10:34 193024 --a------ C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-27 10:34 153088 --a------ C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-06-27 10:34 132608 --a------ C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-27 10:34 124928 --------- C:\WINDOWS\system32\dllcache\advpack.dll
2007-06-27 10:34 1152000 --a------ C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-27 10:34 105984 --------- C:\WINDOWS\system32\dllcache\url.dll
2007-06-27 10:34 102400 --------- C:\WINDOWS\system32\dllcache\occache.dll
2007-06-27 04:27 63488 --a------ C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-06-27 04:27 625152 --------- C:\WINDOWS\system32\dllcache\iexplore.exe
2007-06-27 04:27 13824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-06-27 03:00 161792 --a------ C:\WINDOWS\system32\dllcache\ieakui.dll
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-26 02:08 1104896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 09:31 282112 --------- C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-13 06:23 1033216 --------- C:\WINDOWS\system32\dllcache\explorer.exe
2007-05-29 17:38 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
The rest is on the next two posts
Joe Musser
08-24-2007, 04:12 PM
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 02:04]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 11:27]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 20:47]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-04-10 12:27]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-04-10 12:28]
"Dell AIO Printer A940"="C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe" [2003-02-17 18:00]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 18:56 C:\WINDOWS\SYSTEM32\CTHELPER.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00]
"Jet Detection"="C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 02:00]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-04-01 16:16]
"nwiz"="nwiz.exe" [2005-04-01 16:16 C:\WINDOWS\SYSTEM32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-04-01 16:16]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-27 18:03]
"RegistryMechanic"="" []
"Verizon_McciTrayApp"="C:\Program Files\Verizon\McciTrayApp.exe" [2007-06-06 19:52]
"VerizonServicepoint.exe"="C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" [2007-05-11 15:20]
"svhost"="C:\WINDOWS\svhost.exe" []
"{2F-F2-20-02-ZN}"="C:\WINDOWS\SYSTEM32\lmdsrngo.exe" []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"Sonic RecordNow!"="" []
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 13:00]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe" [2004-05-12 16:04]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"Steam"="C:\Program Files\Valve\Steam\\Steam.exe" [2007-08-18 22:44]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" []
C:\Documents and Settings\Dad\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 10:00:00]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-01-31 21:04:37]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 02:48:20]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 01:01:50]
DESKTOP.INI [2002-09-03 10:00:00]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2004-04-10 12:23:45]
S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sy s
S3 ICAM3NT5;Intel USB Video Camera III;C:\WINDOWS\system32\Drivers\Icam3.sys
************************************************** ************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [url]http://www.gmer.net[/url]
Rootkit scan 2007-08-24 15:00:26
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
************************************************** ************************
Completion time: 2007-08-24 15:03:48 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-24 15:03
--- E O F ---
Joe Musser
08-24-2007, 04:14 PM
2002-02-18 22:22 12008 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\fa d.sys.vir
2007-08-19 11:19 104 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\Dad\Desktop\Intern et.lnk.vir
2007-08-19 17:06 21 --a------ C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\zxdnt3d.cf g.vir
2007-08-20 11:08 37888 --a------ C:\Qoobox\Quarantine\C\WINDOWS\svhost.exe.vir
2007-08-23 14:27 642 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\Dad\STARTM~1\Progr ams\Startup\TA_Start.lnk.vir
2007-08-24 11:19 222 --a------ C:\Qoobox\Quarantine\C\Program Files\svhost\wr-1-0000077.exe.vir
2007-08-24 14:57 276 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_FAD.r eg.cf
Folder PATH listing
Volume serial number is CCC2-F202
C:\QOOBOX
\---Quarantine
+---C
| +---DOCUME~1
| | \---Dad
| | +---Desktop
| | | Internet.lnk.vir
| | |
| | \---STARTM~1
| | \---Programs
| | \---Startup
| | TA_Start.lnk.vir
| |
| +---Program Files
| | \---svhost
| | wr-1-0000077.exe.vir
| |
| \---WINDOWS
| | svhost.exe.vir
| |
| \---SYSTEM32
| | zxdnt3d.cfg.vir
| |
| \---DRIVERS
| fad.sys.vir
|
\---Registry_backups
LEGACY_FAD.reg.cf
Not sure why this log posted the way it has but I thought you might need to look at this one as well
Joe Musser
08-24-2007, 06:18 PM
Holy Crap this one took a long time I had time to go out and mow my yard and work on my Koi pond and I don't have a little yard! Well anyway here it is and thank you Budfred for all your help now and in the past it certaintly doesn't go unappriciated and if I did something in the past that was disrespectful please accept my apology J M
Scanning Report
Friday, August 24, 2007 15:24:04 - 17:07:11
Computer name: COM1
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\
--------------------------------------------------------------------------------
Result: 13 malware found
NetworkWorm.AJF (virus)
C:\DOCUMENTS AND SETTINGS\SAM\LOCAL SETTINGS\TEMP\YAZZLESNET.EXE (Submitted)
Tracking Cookie (spyware)
System (Disinfected)
System
System
System
System
Trojan-Downloader.Win32.Agent.brq (virus)
C:\DOCUMENTS AND SETTINGS\SAM\LOCAL SETTINGS\TEMP\XRUN.EXE (Renamed & Submitted)
Trojan-Downloader.Win32.VB.axa (virus)
C:\DOCUMENTS AND SETTINGS\SAM\LOCAL SETTINGS\TEMP\XPRE.EXE (Renamed & Submitted)
Trojan-Proxy.Win32.VB.x (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1251\A0586543.EXE (Renamed & Submitted)
Trojan.Win32.Pakes (virus)
C:\DOCUMENTS AND SETTINGS\SAM\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\E2SGMO2C\IS68089[1].EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\SAM\LOCAL SETTINGS\TEMP\IS68089.EXE (Renamed & Submitted)
W32/DLoader.DBPG.dropper (virus)
C:\DOCUMENTS AND SETTINGS\SAM\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\1NE8J24V\SNAPSNET[1].EXE (Submitted)
C:\DOCUMENTS AND SETTINGS\SAM\LOCAL SETTINGS\TEMP\SNAPSNET.EXE (Submitted)
--------------------------------------------------------------------------------
Statistics
Scanned:
Files: 66742
System: 5116
Not scanned: 5
Actions:
Disinfected: 1
Renamed: 5
Deleted: 0
None: 7
Submitted: 8
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\DOCUMENTS AND SETTINGS\MOM\LOCAL SETTINGS\TEMP\HSPERFDATA_MOM\2404
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\1341066E02D1 25B0E640B2D2FDDEC9C1_1DCE0E75-1303-433A-BFC1-6B582BD25551
--------------------------------------------------------------------------------
Options
Scanning engines:
F-Secure Libra: 2.4.2, 2007-08-24
F-Secure AVP: 7.0.171, 2007-08-24
F-Secure Orion: 1.2.37, 2007-08-24
F-Secure Blacklight: 1.0.64
F-Secure Draco: 1.0.35, 0598-150-72
F-Secure Pegasus: 1.19.0, 2007-07-19
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX
Use Advanced heuristics
--------------------------------------------------------------------------------
Copyright © 1998-2006 Product support |Send virus sample to F-Secure
F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name.This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without liability.
Budfred
08-24-2007, 07:54 PM
I don't need the Quarantine log... Please don't post logs I don't ask for...
Run this:
http://www.atribune.org/ccount/click.php?id=1
* Double-click ATF-Cleaner.exe to run the program.
* Under Main choose: Select All
* Click the Empty Selected button.
If you use Firefox browser
* Click Firefox at the top and choose:Select All
* Click the Empty Selected button.
* NOTE: If you would like to keep your saved passwords, please click
* No at the prompt.
If you use Opera browser
* Click Opera at the top and choose: Select All
* Click the Empty Selected button.
* NOTE:If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
It looks like a lot of the garbage is gone... Please post a fresh HJT log after reboot and let me know how your computer is running...
Joe Musser
08-25-2007, 04:05 AM
Logfile of HijackThis v1.99.1
Scan saved at 3:01:46 AM, on 8/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\WINDOWS\System32\dllhost.exe
C:\Documents and Settings\Dad\My Documents\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = 64.136.29.30;64.136.44.66;64.136.29.34;searchap.un td.com;127.0.0.1;localhost;*microsoft.com;*windows update.com;*wustat.windows.com;*.pogo.com;*test-speed.com;liveupdate.symantecliveupdate.com;*syman tec.com;*.nai.com;*.networkassociates.com;*.dir.un td.com;*.prod.untd.com;*.2mdn.net;cf.netzero.net;q s.netzero.net;*.advertising.com;<local>
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\sw g.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [{2F-F2-20-02-ZN}] C:\WINDOWS\SYSTEM32\lmdsrngo.exe CHD003
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.drivecleaner.com (HKLM)
O15 - Trusted Zone: *.errorprotector.com (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantispyware.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - [url]https://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab[/url]
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - [url]http://support.f-secure.com/ols/fscax.cab[/url]
O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - [url]http://vsp.closetmaid.com/vsp/cmaidctl_vsp.closetmaid.com_downloader.cab[/url]
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - [url]http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll[/url]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [url]https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab[/url]
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Radialpoint Unicorn Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Verizon\PC Security Checkup\rpsupdaterR.exe
Budfred
08-25-2007, 06:08 AM
When I ask how your computer is running, it is not just idle curiosity, I need to know in order to figure out what is going on... Please respond...
Also, did you run ATF??
Please open a HJT scan and put checks by:
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll (file missing)
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [{2F-F2-20-02-ZN}] C:\WINDOWS\SYSTEM32\lmdsrngo.exe CHD003
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.drivecleaner.com (HKLM)
O15 - Trusted Zone: *.errorprotector.com (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantispyware.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)
Close all open windows except HJT and press Fix checked...
I do not know what this is and whether it is safe, do you know what it is?? If you don't, it is a good idea to include it in the HJT fixes since it will be restored if you use it again...
O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - http://vsp.closetmaid.com/vsp/cmaidc...downloader.cab
I am not familiar with this configuration and the examples I could find were several years old... Are you intentionally using a proxy service?? If not, I suggest including this too...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = 64.136.29.30;64.136.44.66;64.136.29.34;searchap.un td.com;127.0.0.1;localhost;*microsoft.com;*windows update.com;*wustat.windows.com;*.pogo.com;*test-speed.com;liveupdate.symantecliveupdate.com;*syman tec.com;*.nai.com;*.networkassociates.com;*.dir.un td.com;*.prod.untd.com;*.2mdn.net;cf.netzero.net;q s.netzero.net;*.advertising.com;<local>
If you have WinXP set to show hidden files, look for these to see if they are still there and delete them if they are:
C:\WINDOWS\svhost.exe
C:\WINDOWS\SYSTEM32\lmdsrngo.exe
Please go to Add or Remove Programs and remove all versions of Java that you find there...
Reboot and post a fresh HJT log... Let me know how these fixes went and how your computer is running...
Joe Musser
08-25-2007, 02:55 PM
the computer is running much better, I am not getting the pop ups anymore.
Yes I ran ATF, I am going now to run the HJT log and will get back to you this afternoon Thank You J M
Joe Musser
08-25-2007, 03:19 PM
ok I ran HJT and checked the boxes you said to and looked for those files, they where not there here is the latest HJT log. thanx things are running much much smoother now.
Logfile of HijackThis v1.99.1
Scan saved at 2:13:02 PM, on 8/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Documents and Settings\Dad\My Documents\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\sw g.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [{2F-F2-20-02-ZN}] C:\WINDOWS\SYSTEM32\lmdsrngo.exe CHD003
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - [url]https://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab[/url]
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - [url]http://support.f-secure.com/ols/fscax.cab[/url]
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - [url]http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll[/url]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [url]https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab[/url]
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Radialpoint Unicorn Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Verizon\PC Security Checkup\rpsupdaterR.exe
Budfred
08-26-2007, 01:40 AM
One of those file is still showing up in your log and that means it is probably there... Download a new copy of ComboFix since it has been updated again and do this:
Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINDOWS\SYSTEM32\lmdsrngo.exe
Save this as ComboFix-Do.txt
http://img.photobucket.com/albums/v666/sUBs/Combo-Do.gif
Referring to the picture above, drag ComboFix-Do.txt into ComboFix.exe
This will produce a ComboFix log... Please post that here...
Joe Musser
08-26-2007, 05:36 AM
OK I created a notepad Doc. and copy pasted the line from the post into it and saved it like you said to, when I drag it into the new copy of combofix.exe it doesn't go there but combofix opens up and then i get a line that says
"Loading Alex\ntuser.dat was not succesful" then another line that says
"unloading hku\alex unsuccesful" then i get a dialog box that asks "are you trying to run cfscript, the name cfscript appears to be incorrectly spelt", then i get a warning that tells me that Avast has found a virus.
file name c:\combofix\c files.cf malware name win32 dadobra-ey[tri]
malware type trojan horse
vps version 000768-3,2007,8,25
Am I doing something wrong? I thought I was doing exactly what you told me to do.
Joe Musser
08-26-2007, 05:39 AM
Also I have changed from using internet explorer to Mozilla Firefox if this causes a problem with what you are doing for me i will go back to IE, I probably should have waited until we were done sorting this issue out before going to a different web browser but i think Firefox works so much better than IE
Budfred
08-26-2007, 10:53 AM
Name the file exactly what the error message said it should be named... I think my instructions must be out of date...
It would have been better to leave Firefox for later (or to have used it before you got infected) since I asked you not to install any new programs until we complete this process... However, what is done, is done... Please do NOT install anything else that is not needed to complete the fix until it is done...
classicsoftware
08-26-2007, 12:38 PM
Budfred:
I think the problem may be the name of the file. I think the file must be called:
CFScript. If you try it like that it will probably work.
Joe Musser
08-26-2007, 03:20 PM
ComboFix 07-08-25.2 - "Dad" 2007-08-26 14:07:13.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.617 [GMT -4:00]
Command switches used :: C:\Documents and Settings\Dad\Desktop\CFScript.txt
* Created a new restore point
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\DOCUME~1\Mom\STARTM~1\Programs\Startup\ta_start .lnk
C:\DOCUME~1\sam\STARTM~1\Programs\Startup\ta_start .lnk
C:\DOCUME~1\sam\STARTM~1\Programs\Startup\think-adz.lnk
((((((((((((((((((((((((( Files Created from 2007-07-26 to 2007-08-26 )))))))))))))))))))))))))))))))
2007-08-25 18:02 <DIR> d-------- C:\Program Files\Common Files\Agnitum Shared
2007-08-25 18:02 <DIR> d-------- C:\Program Files\Agnitum
2007-08-25 02:47 <DIR> d-------- C:\Program Files\Common Files\Authentium
2007-08-24 14:50 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-20 15:44 <DIR> d-------- C:\DOCUME~1\Mom\APPLIC~1\Motive
2007-08-20 14:36 <DIR> d-------- C:\DOCUME~1\Mom\APPLIC~1\Verizon
2007-08-18 11:22 <DIR> d-------- C:\DOCUME~1\sam\APPLIC~1\Motive
2007-08-18 11:13 <DIR> d-------- C:\DOCUME~1\sam\APPLIC~1\Verizon
2007-08-17 18:41 <DIR> d-------- C:\DOCUME~1\Dad\APPLIC~1\Motive
2007-08-17 18:37 <DIR> d-------- C:\Program Files\PlayLinc
2007-08-17 18:33 <DIR> d-------- C:\WINDOWS\bin
2007-08-17 18:33 <DIR> d-------- C:\DOCUME~1\Dad\APPLIC~1\Verizon
2007-08-17 18:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Verizon
2007-08-17 18:32 <DIR> d-------- C:\Program Files\Common Files\Motive
2007-08-17 18:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Motive
2007-08-17 18:22 <DIR> d-------- C:\WINDOWS\DSL
2007-08-17 18:22 <DIR> d-------- C:\Program Files\Verizon
2007-08-15 18:31 <DIR> d-------- C:\Program Files\Dell A940
2007-08-13 14:44 <DIR> d-------- C:\Program Files\Common Files\SupportSoft
2007-08-12 18:02 <DIR> d-------- C:\DOCUME~1\Dad\APPLIC~1\MSN6
2007-08-12 18:02 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MSN6
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
2007-08-25 02:48 --------- d-------- C:\Program Files\Common Files\Scanner
2007-08-25 02:47 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-23 15:55 --------- d-------- C:\Program Files\ewido anti-malware
2007-08-19 17:12 --------- d-------- C:\Program Files\HASBRO Interactive
2007-08-19 17:09 --------- d-------- C:\Program Files\GameSpy Arcade
2007-08-19 17:09 --------- d-------- C:\Program Files\Bumper Wars
2007-08-19 17:08 --------- d-------- C:\Program Files\Yahoo!
2007-08-19 17:04 --------- d-------- C:\Program Files\AIM
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\dllcache\wups.dll
2007-07-27 18:07 783224 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-07-27 18:02 94416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-27 18:02 92848 --a--c--- C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-27 18:00 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-27 17:59 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-27 17:58 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-27 17:57 95608 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-07-25 22:09 --------- d-------- C:\DOCUME~1\TEMP\APPLIC~1\The Labyrinth Plus! Edition
2007-07-23 04:57 --------- d-------- C:\Program Files\Connection Wizard
2007-07-19 23:34 --------- d-------- C:\DOCUME~1\sam\APPLIC~1\MySpace
2007-07-19 20:09 --------- d-------- C:\DOCUME~1\sam\APPLIC~1\COREL
2007-07-19 02:59 3583488 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
2007-07-12 19:31 765952 --a------ C:\WINDOWS\system32\dllcache\vgx.dll
2007-07-06 10:03 --------- d-------- C:\Program Files\Diablo II
2007-07-06 10:02 --------- d-------- C:\Program Files\Diablo
2007-06-27 10:34 823808 --a------ C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-27 10:34 671232 --a------ C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-27 10:34 6058496 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-06-27 10:34 52224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-06-27 10:34 477696 --a------ C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-27 10:34 459264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-06-27 10:34 44544 --a------ C:\WINDOWS\system32\dllcache\iernonce.dll
2007-06-27 10:34 384512 --a------ C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-06-27 10:34 383488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-06-27 10:34 27648 --a------ C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-27 10:34 267776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-06-27 10:34 232960 --------- C:\WINDOWS\system32\dllcache\webcheck.dll
2007-06-27 10:34 230400 --a------ C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-06-27 10:34 193024 --a------ C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-27 10:34 153088 --a------ C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-06-27 10:34 132608 --a------ C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-27 10:34 124928 --------- C:\WINDOWS\system32\dllcache\advpack.dll
2007-06-27 10:34 1152000 --a------ C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-27 10:34 105984 --------- C:\WINDOWS\system32\dllcache\url.dll
2007-06-27 10:34 102400 --------- C:\WINDOWS\system32\dllcache\occache.dll
2007-06-27 04:27 63488 --a------ C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-06-27 04:27 625152 --------- C:\WINDOWS\system32\dllcache\iexplore.exe
2007-06-27 04:27 13824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-06-27 03:00 161792 --a------ C:\WINDOWS\system32\dllcache\ieakui.dll
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-26 02:08 1104896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 09:31 282112 --------- C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-13 06:23 1033216 --------- C:\WINDOWS\system32\dllcache\explorer.exe
2007-05-29 17:38 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
Joe Musser
08-26-2007, 03:22 PM
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 02:04]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 11:27]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 20:47]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-04-10 12:27]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-04-10 12:28]
"Dell AIO Printer A940"="C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe" [2003-02-17 18:00]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 18:56 C:\WINDOWS\SYSTEM32\CTHELPER.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00]
"Jet Detection"="C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 02:00]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-04-01 16:16]
"nwiz"="nwiz.exe" [2005-04-01 16:16 C:\WINDOWS\SYSTEM32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-04-01 16:16]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-27 18:03]
"RegistryMechanic"="" []
"Verizon_McciTrayApp"="C:\Program Files\Verizon\McciTrayApp.exe" [2007-06-06 19:52]
"VerizonServicepoint.exe"="C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" [2007-05-11 15:20]
"{2F-F2-20-02-ZN}"="C:\WINDOWS\SYSTEM32\lmdsrngo.exe" []
"Outpost Firewall"="C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe" [2002-06-14 16:20]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"Sonic RecordNow!"="" []
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 13:00]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe" [2004-05-12 16:04]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"Steam"="C:\Program Files\Valve\Steam\\Steam.exe" [2007-08-18 22:44]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" []
C:\DOCUME~1\Dad\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 10:00:00]
C:\DOCUME~1\Mom\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 10:00:00]
C:\DOCUME~1\sam\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 10:00:00]
C:\DOCUME~1\TEMP\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 10:00:00]
R1 VFILT;Outpost Firewall Kernel Driver;\??\C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\2 000\FILTNT.SYS
S3 ADBLOCK.DLL;Outpost Firewall PlugIn (ADBLOCK.DLL);\??\C:\PROGRA~1\Agnitum\OUTPOS~1.0\k ernel\ADBLOCK.DLL
S3 CONTENT.DLL;Outpost Firewall PlugIn (CONTENT.DLL);\??\C:\PROGRA~1\Agnitum\OUTPOS~1.0\k ernel\CONTENT.DLL
S3 DNSCACHE.DLL;Outpost Firewall PlugIn (DNSCACHE.DLL);\??\C:\PROGRA~1\Agnitum\OUTPOS~1.0\ kernel\DNSCACHE.DLL
S3 FTPFILT.DLL;Outpost Firewall PlugIn (FTPFILT.DLL);\??\C:\PROGRA~1\Agnitum\OUTPOS~1.0\k ernel\FTPFILT.DLL
S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sy s
S3 HTMLFILT.DLL;Outpost Firewall PlugIn (HTMLFILT.DLL);\??\C:\PROGRA~1\Agnitum\OUTPOS~1.0\ kernel\HTMLFILT.DLL
S3 HTTPFILT.DLL;Outpost Firewall PlugIn (HTTPFILT.DLL);\??\C:\PROGRA~1\Agnitum\OUTPOS~1.0\ kernel\HTTPFILT.DLL
S3 ICAM3NT5;Intel USB Video Camera III;C:\WINDOWS\system32\Drivers\Icam3.sys
S3 IMAPFILT.DLL;Outpost Firewall PlugIn (IMAPFILT.DLL);\??\C:\PROGRA~1\Agnitum\OUTPOS~1.0\ kernel\IMAPFILT.DLL
S3 MAILFILT.DLL;Outpost Firewall PlugIn (MAILFILT.DLL);\??\C:\PROGRA~1\Agnitum\OUTPOS~1.0\ kernel\MAILFILT.DLL
S3 NNTPFILT.DLL;Outpost Firewall PlugIn (NNTPFILT.DLL);\??\C:\PROGRA~1\Agnitum\OUTPOS~1.0\ kernel\NNTPFILT.DLL
S3 POP3FILT.DLL;Outpost Firewall PlugIn (POP3FILT.DLL);\??\C:\PROGRA~1\Agnitum\OUTPOS~1.0\ kernel\POP3FILT.DLL
S3 PROTECT.DLL;Outpost Firewall PlugIn (PROTECT.DLL);\??\C:\PROGRA~1\Agnitum\OUTPOS~1.0\k ernel\PROTECT.DLL
S3 Radialpoint Security Services;Radialpoint Security Services;C:\WINDOWS\system32\dllhost.exe /Processid:{80098F68-1220-4F43-80A8-15C7395B8874}
*Newly Created Service* - ADBLOCK.DLL
*Newly Created Service* - CONTENT.DLL
*Newly Created Service* - DNSCACHE.DLL
*Newly Created Service* - FTPFILT.DLL
*Newly Created Service* - HTMLFILT.DLL
*Newly Created Service* - HTTPFILT.DLL
*Newly Created Service* - IMAPFILT.DLL
*Newly Created Service* - MAILFILT.DLL
*Newly Created Service* - NNTPFILT.DLL
*Newly Created Service* - OUTPOSTFIREWALL
*Newly Created Service* - POP3FILT.DLL
*Newly Created Service* - PROTECT.DLL
************************************************** ************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [url]http://www.gmer.net[/url]
Rootkit scan 2007-08-26 14:11:40
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
************************************************** ************************
Completion time: 2007-08-26 14:12:44
C:\ComboFix-quarantined-files.txt ... 2007-08-26 14:12
C:\ComboFix2.txt ... 2007-08-24 15:03
--- E O F ---
Budfred
08-26-2007, 07:17 PM
I am not seeing anything worrisome... Please post a new HJT log to make sure that other file is gone and let me know how your system is running...
Please make sure you have only one resident program going for each type of protection program: antivirus, spyware and firewall...
Joe Musser
08-26-2007, 07:41 PM
Logfile of HijackThis v1.99.1
Scan saved at 6:35:56 PM, on 8/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\WINDOWS\system32\lexpps.exe
C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Dad\My Documents\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\sw g.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [{2F-F2-20-02-ZN}] C:\WINDOWS\SYSTEM32\lmdsrngo.exe CHD003
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - [url]https://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab[/url]
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - [url]http://support.f-secure.com/ols/fscax.cab[/url]
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - [url]http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll[/url]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [url]https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab[/url]
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
O23 - Service: Radialpoint Unicorn Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Verizon\PC Security Checkup\rpsupdaterR.exe
Everything seems to be running quite well, what anti virus firewall and spyware do you recomend, and is using firefox better and safer that internet explorer. Any other recomandations you can make to keep things safer online would be great. I also will need to get something to keep my children safe as well but I think I may have bothered you enough for now. Many thanks for all your help, if you ever have trouble with motorcycles or cars let me know thats where I am most comfortable. J M
Budfred
08-26-2007, 10:46 PM
This entry is still showing in HJT, so see if you can fix it and post back a new HJT log...
O4 - HKLM\..\Run: [{2F-F2-20-02-ZN}] C:\WINDOWS\SYSTEM32\lmdsrngo.exe CHD003
The antivirus and firewall you are using are fine, but it looks like you may be running more than one antivirus... In addition to Avast, you have:
O23 - Service: Radialpoint Unicorn Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Verizon\PC Security Checkup\rpsupdaterR.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
I am not entirely sure these are antivirus programs, but they look like the could be...
Also, the version of AVG Antispyware you are running is very outdated and it is unlikely it is protecting because of that... I would probably just uninstall it and use Spybot with TeaTimer enabled unless you want to pay for AVG Antispyware...
Your Java was very outdated and that is why I asked you to remove it... Now download a new copy and install it... Leave the updater on so it will alert you to update when needed... This is the normal pattern for updating it...
Updating Java:
Go to Start > Control Panel double-click on the Software icon > add/remove programs.
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
It should have next icon next to it: http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif
Select it and click Remove.
Then Download and install the newest version from here:
http://java.sun.com/javase/downloads/index.jsp
Joe Musser
08-26-2007, 11:36 PM
OK I deleted that line you said about and downloaded the latest Java the other two lines you mentioned that look like antivirus are things that I got with the Verizon DSL can I just check those boxes in HJT or do they need to be removed some other way? You mentioned AVG spyware but I don't see it in the add remove list does it go by some other name? And here is the latest HJT log, things are still running great.
Logfile of HijackThis v1.99.1
Scan saved at 10:31:19 PM, on 8/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\WINDOWS\system32\lexpps.exe
C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Dad\My Documents\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\sw g.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - [url]https://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab[/url]
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - [url]http://support.f-secure.com/ols/fscax.cab[/url]
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - [url]http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll[/url]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [url]https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab[/url]
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
O23 - Service: Radialpoint Unicorn Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Verizon\PC Security Checkup\rpsupdaterR.exe
Budfred
08-27-2007, 12:23 AM
If you want to remove those other program that came from Verizon, I suggest checking for anything that looks like them in Add or Remove Programs... If you don't find them there, you can try to fix them in HJT, but that may not do it...
The entry we have been trying to fix is gone... It looks like you are probably clean...
The AVG Antispyware version you have is the older Ewido... It will probably be listed in Add or Remove Programs as Ewido...
Here is my prevention speech to help avoid future infection:
This is a good time to set up protection against further attacks. Read the article linked below about "How did I
get infected". You need an antivirus that is updated, a good firewall (a router firewall is not enough) and a
spyware blocker like SpywareBlaster and also IE-Spyads. Using a different browser like FireFox with NoScripts is better than IE...
All of these have good free versions available... be very cautious about any security software that advertises in popups or other intrusive ways, they are not only usually
useless, but also often have malware in them....
http://forums.spywareinfo.com/index.php?showtopic=60955
To use Firefox for more security, be sure to install the NoScripts add-on...
Joe Musser
08-27-2007, 07:46 AM
I looked for the firefox noscripts add on and I don't see it listed, they have one called yes scripts that is a list of acceptable java script but that may not be what you mean, does the add on you are refering to go under some other name
Joe Musser
08-27-2007, 07:47 AM
also why is outpost so slow, if this is how it works I feel like I am back in dial up land. Thanx J M
Budfred
08-27-2007, 09:14 AM
I looked for the firefox noscripts add on and I don't see it listed, they have one called yes scripts that is a list of acceptable java script but that may not be what you mean, does the add on you are refering to go under some other name
https://addons.mozilla.org/en-US/firefox/browse/type:1/cat:12
I don't know what you mean about Outpost... It shouldn't be doing much of anything except being a wall... If it is using a lot of resources, I suggest dumping it and going with the free version of Kerio... If run in Simple mode, it is pretty transparent...
vBulletin v3.6.1, Copyright ©2000-2012, Jelsoft Enterprises Ltd.