Small variation on a theme



Canyoufixitdad
2006-12-31, 23:45
Hello again,

Original problem on this link.... http://forums.spybot.info/showthread.php?t=9374

Google links and favorites are still working okay; however, any 404 page-not-found errors are automatically redirected to a dubious search engine site.

LonnyRJones
2007-01-02, 17:11
Hello

Do post a fresh HijackThis log.

Also: Post a ComboFix log
1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/zh/combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
If the log is large, you might need to post half in one reply and half in another.

Canyoufixitdad
2007-01-05, 00:01
Hi Lonny,

Thanks for the reply.

Logs are as follows....

Logfile of HijackThis v1.99.1
Scan saved at 21:29:23, on 04/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\system32\GSICON.EXE
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AceGain\LiveUpdate\aceagent.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Documents and Settings\Sean Debling\My Documents\Unzipped\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [tunebite.exe] C:\Program Files\tunebite\tunebite.exe -hidden
O4 - Startup: Registration-INSDVD.lnk = C:\Program Files\Pinnacle\InstantCDDVD\SharedFiles\Pixie\RegTool.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

"Sean Debling" - 07-01-04 21:31:13.71 Service Pack 2
ComboFix 07-01-04W-BetaE2 - Running from: "C:\Documents and Settings\Sean Debling\Desktop\Security"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


d:\autorun.inf" . . . . failed to delete
e:\autorun.inf" . . . . failed to delete


((((((((((((((((((((((((((((((( Files Created from 2006-12-04 to 2007-01-04 ))))))))))))))))))))))))))))))))))


2006-12-27 13:25 <DIR> d-------- C:\Program Files\NovaLogic
2006-12-25 09:06 <DIR> d-------- C:\Program Files\Call of Duty
2006-12-21 21:50 92,728 --------- C:\WINDOWS\system32\bass.dll
2006-12-21 21:50 <DIR> d-------- C:\Program Files\You Ripper
2006-12-20 19:44 <DIR> d-------- C:\Program Files\Electronic Arts
2006-12-13 18:11 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2006-12-13 18:10 <DIR> d-------- C:\WINDOWS\Internet Logs
2006-12-11 23:27 <DIR> d-------- C:\DOCUME~1\SEANDE~1\APPLIC~1\OfficeUpdate12
2006-12-11 21:39 <DIR> d--h-c--- C:\WINDOWS\ie7
2006-12-11 21:39 <DIR> d-------- C:\WINDOWS\WBEM
2006-12-11 21:39 <DIR> d-------- C:\WINDOWS\system32\en-US
2006-12-11 21:38 121,856 --------- C:\WINDOWS\system32\xmllite.dll
2006-12-11 21:37 <DIR> d-------- C:\WINDOWS\network diagnostic
2006-12-11 21:33 <DIR> d-------- C:\Program Files\MSXML 4.0
2006-12-11 21:33 <DIR> d-------- C:\e17da79eb306db570881
2006-12-05 21:08 <DIR> d-------- C:\Themes


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-04 13:38 -------- d-------- C:\Documents and Settings\Sean Debling\Application Data\adobe
2007-01-02 13:45 -------- d-------- C:\Program Files\java
2006-12-29 16:11 43520 --a------ C:\WINDOWS\system32\cmdlineext03.dll
2006-12-27 13:32 -------- d--h----- C:\Program Files\installshield installation information
2006-12-11 23:47 -------- d-------- C:\Documents and Settings\Sean Debling\Application Data\officeupdate12
2006-12-11 23:39 -------- d-------- C:\Program Files\microsoft works
2006-12-10 13:33 778656 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-12-10 13:33 27904 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-12-07 05:29 2374472 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-12-05 21:20 2560 --a--c--- C:\WINDOWS\_msrstrt.exe
2006-12-05 21:18 -------- d-------- C:\Program Files\Common Files\stardock
2006-11-30 11:58 -------- d-------- C:\Program Files\quicktime
2006-11-30 11:48 -------- d-------- C:\Program Files\finepixviewer
2006-11-26 12:51 98304 --a--c--- C:\WINDOWS\system32\cmdlineext.dll
2006-11-26 12:48 -------- d-------- C:\Program Files\gameshadow
2006-11-26 12:45 86016 --a------ C:\WINDOWS\system32\openal32.dll
2006-11-26 12:45 262144 --a------ C:\WINDOWS\system32\wrap_oal.dll
2006-11-26 12:38 -------- d-------- C:\Program Files\konami
2006-11-16 19:47 524288 --a------ C:\WINDOWS\opuc.dll
2006-11-15 23:42 -------- d-------- C:\Program Files\ashampoo
2006-11-15 22:45 -------- d-------- C:\Program Files\Common Files\fellowes
2006-11-15 22:43 1425594 --a--c--- C:\WINDOWS\recorder.reg
2006-11-15 22:43 1065 --a------ C:\WINDOWS\newrecorder.reg
2006-11-15 22:43 -------- d-------- C:\Program Files\pinnacle
2006-11-11 22:20 -------- d-------- C:\Program Files\grisoft
2006-11-11 20:24 -------- d-------- C:\Program Files\Common Files\java
2006-11-08 05:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-07 21:03 6049280 --------- C:\WINDOWS\system32\ieframe.dll
2006-11-07 21:03 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-11-07 21:03 458752 --------- C:\WINDOWS\system32\msfeeds.dll
2006-11-07 21:03 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-11-07 21:03 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-11-07 21:03 180736 --------- C:\WINDOWS\system32\ieui.dll
2006-11-07 21:03 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-11-07 03:27 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-11-07 03:27 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-11-07 03:26 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-11-07 03:26 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-11-07 03:26 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-11-07 03:26 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-11-07 03:26 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-11-07 03:26 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-11-07 03:26 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-11-07 03:25 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-11-06 23:43 4966912 --a------ C:\WINDOWS\system32\logonuix.exe
2006-11-04 21:48 -------- d---s---- C:\Documents and Settings\Sean Debling\Application Data\microsoft
2006-11-04 15:27 -------- d-------- C:\Program Files\thq
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-10-19 13:56 713216 --a------ C:\WINDOWS\system32\sxs.dll
2006-10-18 21:54 1024 --a--c--- C:\Documents and Settings\Sean Debling\Application Data\wavcodec.wff
2006-10-17 12:06 78336 --a------ C:\WINDOWS\system32\ieencode.dll
2006-10-17 12:05 40960 --a------ C:\WINDOWS\system32\licmgr10.dll
2006-10-17 12:05 206336 --------- C:\WINDOWS\system32\winfxdocobj.exe
2006-10-17 12:05 105984 --a------ C:\WINDOWS\system32\url.dll
2006-10-17 12:04 101376 --a------ C:\WINDOWS\system32\occache.dll
2006-10-17 12:03 17408 --a------ C:\WINDOWS\system32\corpol.dll
2006-10-17 11:58 61952 --------- C:\WINDOWS\system32\icardie.dll
2006-10-17 11:58 12288 --------- C:\WINDOWS\system32\msfeedssync.exe
2006-10-17 11:57 36352 --a------ C:\WINDOWS\system32\imgutil.dll
2006-10-17 11:57 266752 --------- C:\WINDOWS\system32\iertutil.dll
2006-10-17 11:56 45568 --a------ C:\WINDOWS\system32\mshta.exe
2006-10-17 11:28 48128 --a------ C:\WINDOWS\system32\mshtmler.dll
2006-10-17 11:27 380928 --------- C:\WINDOWS\system32\ieapfltr.dll
2006-10-13 12:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-13 12:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-13 12:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Start WingMan Profiler"=""
"Steam"=""
"tunebite.exe"="C:\\Program Files\\tunebite\\tunebite.exe -hidden"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"PtiuPbmd"="Rundll32.exe ptipbm.dll,SetWriteBack"
"PinnacleDriverCheck"="C:\\WINDOWS\\system32\\PSDrvCheck.exe"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"CARPService"="carpserv.exe"
"GSICONEXE"="GSICON.EXE"
"DSLAGENTEXE"="dslagent.exe USB"
"Ptipbmf"="rundll32.exe ptipbmf.dll,SetWriteCacheMode"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"AceGain LiveUpdate"="C:\\Program Files\\AceGain\\LiveUpdate\\LiveUpdate.exe"
"REGSHAVE"="C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
"EPSON Stylus Photo R300 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I0F2.EXE /P30 \"EPSON Stylus Photo R300 Series\" /O6 \"USB001\" /M \"Stylus Photo R300\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"OpwareSE2"="\"C:\\Program Files\\ScanSoft\\OmniPageSE2.0\\OpwareSE2.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"0aMCPClient"="{F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

HKLM\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
Ip6FwHlp

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
Shell\AutoRun\command D:\Autorun.exe

Completion time: 07-01-04 21:43:46.17


Incidentally, I've noticed a new folder called e17da79eb306db570881 that has appeared. All that is inside is a text document called msxml4-KB927978-enu that has loads and loads of writing in it. I fear it will take at least 3 of these messages to convey it all. Any ideas?

LonnyRJones
2007-01-05, 03:49
Hi

That new folder is due to a Windows update.

If you have any flash drives, memory cards or USB disks, plug them in.
Run ComboFix again and post its log please.

Also, what are your D and E drives?
What does this "dubious search engine site" look like?

Canyoufixitdad
2007-01-05, 15:50
D drive is DVD drive and E drive is CD-RW drive.

I've taken some screenshots to show what these sites look like.

http://img99.imageshack.us/img99/5142/404v1hu1.jpg

http://img99.imageshack.us/img99/9875/404v2ct0.jpg

http://img99.imageshack.us/img99/3107/404v3vz6.jpg

http://img69.imageshack.us/img69/6981/404v4xm8.jpg

http://img99.imageshack.us/img99/4761/404v5yb9.jpg

As you can see, same sort of interface (except one), using two fictitious web addresses. I don't use any USB sticks etc. I'll run the combo tonight and post the log (on my lunch hour at the moment).

Canyoufixitdad
2007-01-05, 22:46
Combo as follows.....

"Sean Debling" - 07-01-05 20:30:14.53 Service Pack 2
ComboFix 07-01-04W-BetaE2 - Running from: "C:\Documents and Settings\Sean Debling\Desktop\Security"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


d:\autorun.inf" . . . . failed to delete


((((((((((((((((((((((((((((((( Files Created from 2006-12-05 to 2007-01-05 ))))))))))))))))))))))))))))))))))


2007-01-04 23:53 <DIR> d-------- C:\DOCUME~1\SEANDE~1\APPLIC~1\Ashampoo Photo Commander 3
2007-01-04 23:11 848 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-01-04 23:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Corel
2007-01-04 23:10 <DIR> d-------- C:\DOCUME~1\SEANDE~1\APPLIC~1\Corel
2006-12-27 13:25 <DIR> d-------- C:\Program Files\NovaLogic
2006-12-25 09:06 <DIR> d-------- C:\Program Files\Call of Duty
2006-12-21 21:50 92,728 --------- C:\WINDOWS\system32\bass.dll
2006-12-21 21:50 <DIR> d-------- C:\Program Files\You Ripper
2006-12-20 19:44 <DIR> d-------- C:\Program Files\Electronic Arts
2006-12-13 18:11 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2006-12-13 18:10 <DIR> d-------- C:\WINDOWS\Internet Logs
2006-12-11 23:27 <DIR> d-------- C:\DOCUME~1\SEANDE~1\APPLIC~1\OfficeUpdate12
2006-12-11 21:39 <DIR> d--h-c--- C:\WINDOWS\ie7
2006-12-11 21:39 <DIR> d-------- C:\WINDOWS\WBEM
2006-12-11 21:39 <DIR> d-------- C:\WINDOWS\system32\en-US
2006-12-11 21:38 121,856 --------- C:\WINDOWS\system32\xmllite.dll
2006-12-11 21:37 <DIR> d-------- C:\WINDOWS\network diagnostic
2006-12-11 21:33 <DIR> d-------- C:\Program Files\MSXML 4.0
2006-12-11 21:33 <DIR> d-------- C:\e17da79eb306db570881
2006-12-05 21:08 <DIR> d-------- C:\Themes


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-04 23:53 -------- d-------- C:\Documents and Settings\Sean Debling\Application Data\ashampoo photo commander 3
2007-01-04 23:48 -------- d-------- C:\Program Files\ashampoo
2007-01-04 23:20 -------- d-------- C:\Documents and Settings\Sean Debling\Application Data\corel
2007-01-04 13:38 -------- d-------- C:\Documents and Settings\Sean Debling\Application Data\adobe
2007-01-02 13:45 -------- d-------- C:\Program Files\java
2006-12-29 16:11 43520 --a------ C:\WINDOWS\system32\cmdlineext03.dll
2006-12-27 13:32 -------- d--h----- C:\Program Files\installshield installation information
2006-12-11 23:47 -------- d-------- C:\Documents and Settings\Sean Debling\Application Data\officeupdate12
2006-12-11 23:39 -------- d-------- C:\Program Files\microsoft works
2006-12-10 13:33 778656 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-12-10 13:33 27904 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-12-07 05:29 2374472 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-12-05 21:20 2560 --a--c--- C:\WINDOWS\_msrstrt.exe
2006-12-05 21:18 -------- d-------- C:\Program Files\Common Files\stardock
2006-11-30 11:58 -------- d-------- C:\Program Files\quicktime
2006-11-30 11:48 -------- d-------- C:\Program Files\finepixviewer
2006-11-26 12:51 98304 --a--c--- C:\WINDOWS\system32\cmdlineext.dll
2006-11-26 12:48 -------- d-------- C:\Program Files\gameshadow
2006-11-26 12:45 86016 --a------ C:\WINDOWS\system32\openal32.dll
2006-11-26 12:45 262144 --a------ C:\WINDOWS\system32\wrap_oal.dll
2006-11-26 12:38 -------- d-------- C:\Program Files\konami
2006-11-16 19:47 524288 --a------ C:\WINDOWS\opuc.dll
2006-11-15 22:45 -------- d-------- C:\Program Files\Common Files\fellowes
2006-11-15 22:43 1425594 --a--c--- C:\WINDOWS\recorder.reg
2006-11-15 22:43 1065 --a------ C:\WINDOWS\newrecorder.reg
2006-11-15 22:43 -------- d-------- C:\Program Files\pinnacle
2006-11-11 22:20 -------- d-------- C:\Program Files\grisoft
2006-11-11 20:24 -------- d-------- C:\Program Files\Common Files\java
2006-11-08 05:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-07 21:03 6049280 --------- C:\WINDOWS\system32\ieframe.dll
2006-11-07 21:03 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-11-07 21:03 458752 --------- C:\WINDOWS\system32\msfeeds.dll
2006-11-07 21:03 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-11-07 21:03 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-11-07 21:03 180736 --------- C:\WINDOWS\system32\ieui.dll
2006-11-07 21:03 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-11-07 03:27 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-11-07 03:27 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-11-07 03:26 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-11-07 03:26 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-11-07 03:26 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-11-07 03:26 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-11-07 03:26 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-11-07 03:26 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-11-07 03:26 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-11-07 03:25 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-11-06 23:43 4966912 --a------ C:\WINDOWS\system32\logonuix.exe
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-10-19 13:56 713216 --a------ C:\WINDOWS\system32\sxs.dll
2006-10-18 21:54 1024 --a--c--- C:\Documents and Settings\Sean Debling\Application Data\wavcodec.wff
2006-10-17 12:06 78336 --a------ C:\WINDOWS\system32\ieencode.dll
2006-10-17 12:05 40960 --a------ C:\WINDOWS\system32\licmgr10.dll
2006-10-17 12:05 206336 --------- C:\WINDOWS\system32\winfxdocobj.exe
2006-10-17 12:05 105984 --a------ C:\WINDOWS\system32\url.dll
2006-10-17 12:04 101376 --a------ C:\WINDOWS\system32\occache.dll
2006-10-17 12:03 17408 --a------ C:\WINDOWS\system32\corpol.dll
2006-10-17 11:58 61952 --------- C:\WINDOWS\system32\icardie.dll
2006-10-17 11:58 12288 --------- C:\WINDOWS\system32\msfeedssync.exe
2006-10-17 11:57 36352 --a------ C:\WINDOWS\system32\imgutil.dll
2006-10-17 11:57 266752 --------- C:\WINDOWS\system32\iertutil.dll
2006-10-17 11:56 45568 --a------ C:\WINDOWS\system32\mshta.exe
2006-10-17 11:28 48128 --a------ C:\WINDOWS\system32\mshtmler.dll
2006-10-17 11:27 380928 --------- C:\WINDOWS\system32\ieapfltr.dll
2006-10-13 12:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-13 12:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-13 12:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Start WingMan Profiler"=""
"Steam"=""
"tunebite.exe"="C:\\Program Files\\tunebite\\tunebite.exe -hidden"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"PtiuPbmd"="Rundll32.exe ptipbm.dll,SetWriteBack"
"PinnacleDriverCheck"="C:\\WINDOWS\\system32\\PSDrvCheck.exe"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"CARPService"="carpserv.exe"
"GSICONEXE"="GSICON.EXE"
"DSLAGENTEXE"="dslagent.exe USB"
"Ptipbmf"="rundll32.exe ptipbmf.dll,SetWriteCacheMode"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"AceGain LiveUpdate"="C:\\Program Files\\AceGain\\LiveUpdate\\LiveUpdate.exe"
"REGSHAVE"="C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
"EPSON Stylus Photo R300 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I0F2.EXE /P30 \"EPSON Stylus Photo R300 Series\" /O6 \"USB001\" /M \"Stylus Photo R300\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"OpwareSE2"="\"C:\\Program Files\\ScanSoft\\OmniPageSE2.0\\OpwareSE2.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"0aMCPClient"="{F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

HKLM\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
Ip6FwHlp

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
Shell\AutoRun\command D:\Autorun.exe

Completion time: 07-01-05 20:42:29.67

LonnyRJones
2007-01-06, 01:36
Download and run Silentrunners.Vbs and post the log it creates, please.
http://www.silentrunners.org/sr_scriptuse.html Click No to not skip the supplementary searches.
Wait until there is an All Done message!! Then open and post the log next to it.
Your antivirus script protection might interfere or alert; please allow it to run. After a bit a box will say done.

Canyoufixitdad
2007-01-07, 04:15
"Silent Runners.vbs", revision 49, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Start WingMan Profiler" = "(empty string)" [file not found]
"Steam" = "(empty string)" [file not found]
"tunebite.exe" = "C:\Program Files\tunebite\tunebite.exe -hidden" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"PtiuPbmd" = "Rundll32.exe ptipbm.dll,SetWriteBack" [MS]
"PinnacleDriverCheck" = "C:\WINDOWS\system32\PSDrvCheck.exe" [empty string]
"Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]
"CARPService" = "carpserv.exe" ["Conexant Systems"]
"GSICONEXE" = "GSICON.EXE" ["Fujitsu, Inc."]
"DSLAGENTEXE" = "dslagent.exe USB" [null data]
"Ptipbmf" = "rundll32.exe ptipbmf.dll,SetWriteCacheMode" [MS]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"AceGain LiveUpdate" = "C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe" [null data]
"REGSHAVE" = "C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN" ["FUJI PHOTO FILM CO., LTD."]
"EPSON Stylus Photo R300 Series" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"" ["SEIKO EPSON CORPORATION"]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"OpwareSE2" = ""C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"" ["ScanSoft, Inc."]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"Zone Labs Client" = ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{F5D92341-0A64-11D0-9956-0000E8096023}" = "CD Copy Shell Extension"
-> {HKLM...CLSID} = "CD Copy Shell Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Shellext\CDWshext.dll" ["Pinnacle Systems, Inc."]
"{F5D92342-0A64-11D0-9956-0000E8096023}" = "CD Wizard Shell Extension"
-> {HKLM...CLSID} = "CD Wizard Shell Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Shellext\CDWshext.dll" ["Pinnacle Systems, Inc."]
"{F5D92344-0A64-11D0-9956-0000E8096023}" = "InstantWrite Shellextension"
-> {HKLM...CLSID} = "InstantWrite Shellextension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellExt\iwshex.dll" ["VOB Computersysteme GmbH"]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{C1728FC8-0162-4827-85B0-8420B5B20263}" = "All Converter"
-> {HKLM...CLSID} = "All Converter"
\InProcServer32\(Default) = "C:\Program Files\All Converter\CMExt.dll" [file not found]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
"System" = (value not set)

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\My Documents\My Pictures\WINDVD Capture\cap002.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Sean Debling\My Documents\My Pictures\WINDVD Capture\cap002.bmp"


Startup items in "Sean Debling" & "All Users" startup folders:
--------------------------------------------------------------

C:\Documents and Settings\Sean Debling\Start Menu\Programs\Startup
"Registration-INSDVD" -> shortcut to: "C:\Program Files\Pinnacle\InstantCDDVD\SharedFiles\Pixie\RegTool.exe INSDVD,INSDVD,register,EN,0,serial=ABDPG-AAUAC-NQUDN-QAPIA-HDRPA" [file not found]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Exif Launcher" -> shortcut to: "C:\Program Files\FinePixViewer\QuickDCF.exe" ["FUJI PHOTO FILM CO., LTD."]
"InterVideo WinCinema Manager" -> shortcut to: "C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe" ["InterVideo Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.5.0_10"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_10"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll" ["Sun Microsystems, Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["Anti-Malware Development a.s."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
FTP Publishing, MSFtpsvc, "C:\WINDOWS\System32\inetsrv\inetinfo.exe" [MS]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
EPSON V6 2KMonitor\Driver = "EBPMON24.DLL" ["SEIKO EPSON CORPORATION"]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 202 seconds.
---------- (total run time: 256 seconds)

LonnyRJones
2007-01-07, 13:53
Odd case.

You had, I think, run Fixwareout prior to your first post in the other thread;
let's run it again.
Redownload because it has changed.
Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads, post the text that will open (report.txt) and a new HijackThis log in the forum please.

A Panda online scan might help too.
Panda ActiveScan-Free online scanner,
http://www.pandasoftware.com/products/activescan.htm
Do a full scan > Click the my computer button
After the scan click see report then Save the report and post it back here please.

Canyoufixitdad
2007-01-07, 18:29
Fixwareout
Last edited 1/1/2006
Post this report in the forums please
...
Prerun check
»»»»» HKLM run and Winlogon System values
»»»»» System restarted
...
Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion "dpid"
...
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»»
Search five digit cs, dm kd and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal

Other suspects.

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.

»»»»» Postrun check
»»»»» HKLM run
»»»»» Winlogon System value
"system"=""
»»»»»

Logfile of HijackThis v1.99.1
Scan saved at 14:34:32, on 07/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\system32\GSICON.EXE
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AceGain\LiveUpdate\aceagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Sean Debling\My Documents\Unzipped\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [tunebite.exe] C:\Program Files\tunebite\tunebite.exe -hidden
O4 - Startup: Registration-INSDVD.lnk = C:\Program Files\Pinnacle\InstantCDDVD\SharedFiles\Pixie\RegTool.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Incident Status Location

Potentially unwanted tool:application/kill&clean Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{BF69DF00-2734-477F-8257-27CD04F88779}
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Paula Debling\Cookies\paula debling@adrevolver[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Paula Debling\Cookies\paula debling@adrevolver[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Paula Debling\Cookies\paula debling@apmebf[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Paula Debling\Cookies\paula debling@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Paula Debling\Cookies\paula debling@doubleclick[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Paula Debling\Cookies\paula debling@xiti[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Paula Debling\Cookies\paula_debling@112.2o7[1].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Paula Debling\Cookies\paula_debling@adtech[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Paula Debling\Cookies\paula_debling@advertising[2].txt
Spyware:Cookie/Adviva Not disinfected C:\Documents and Settings\Paula Debling\Cookies\paula_debling@adviva[1].txt
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Paula Debling\Cookies\paula_debling@clickbank[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Paula Debling\Cookies\paula_debling@com[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Paula Debling\Cookies\paula_debling@fastclick[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Paula Debling\Cookies\paula_debling@hitbox[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Paula Debling\Cookies\paula_debling@mediaplex[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Paula Debling\Cookies\paula_debling@questionmarket[1].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Paula Debling\Cookies\paula_debling@statse.webtrendslive[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Sean Debling\Cookies\sean_debling@112.2o7[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Sean Debling\Cookies\sean_debling@247realmedia[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Sean Debling\Cookies\sean_debling@2o7[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Sean Debling\Cookies\sean_debling@ads.pointroll[1].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Sean Debling\Cookies\sean_debling@adtech[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Sean Debling\Cookies\sean_debling@com[1].txt
Spyware:Cookie/Findwhat Not disinfected C:\Documents and Settings\Sean Debling\Cookies\sean_debling@findwhat[1].txt
Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\Sean Debling\Cookies\sean_debling@hotlog[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Sean Debling\Cookies\sean_debling@questionmarket[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Sean Debling\Cookies\sean_debling@serving-sys[2].txt
Spyware:Cookie/SpyLog Not disinfected C:\Documents and Settings\Sean Debling\Cookies\sean_debling@spylog[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Sean Debling\Cookies\sean_debling@tribalfusion[1].txt
Potentially unwanted tool:Application/PRScheduler Not disinfected C:\Documents and Settings\Sean Debling\My Documents\Unzipped\hijackthis\backups\backup-20060615-122223-938-PowerReg Scheduler.exe

LonnyRJones
2007-01-08, 02:53
See if using the reset web settings button helps
It is in the Internet Explorer Options, Programs tab. Not sure about IE7; it will be in a similar location.

Did you install a hosts file ?
http://www.mvps.org/winhelp2002/hosts2.htm

Canyoufixitdad
2007-01-09, 00:55
I've reset IE settings and installed the MVP hosts file, but alas 404s still go to those blasted sites.... persistent little devil, this one :mad:

LonnyRJones
2007-01-09, 09:22
Let's see what DLLs are loaded.
Wait until you see that error page.
Start HijackThis, click Config > Misc Tools > Open process manager.
Highlight Internet Explorer (C:\Program Files\Internet Explorer\iexplore.exe).
Put a check next to "Show DLLs".
Click the save icon (floppy), save the list somewhere handy and post that.
Then do the same while explorer.exe is highlighted.

Canyoufixitdad
2007-01-10, 15:41
Internet Explorer DLLs....

Process list saved on 13:36:20, on 10/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)

[pid] [full path to filename] [file version] [company name]
676 C:\WINDOWS\System32\smss.exe 5.1.2600.2180 Microsoft Corporation
760 C:\WINDOWS\system32\winlogon.exe 5.1.2600.2180 Microsoft Corporation
804 C:\WINDOWS\system32\services.exe 5.1.2600.2180 Microsoft Corporation
816 C:\WINDOWS\system32\lsass.exe 5.1.2600.2180 Microsoft Corporation
960 C:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1056 C:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1192 C:\WINDOWS\system32\ZoneLabs\vsmon.exe 6.5.737.0 Zone Labs, LLC
1568 C:\WINDOWS\Explorer.EXE 6.0.2900.2180 Microsoft Corporation
1632 C:\WINDOWS\system32\spoolsv.exe 5.1.2600.2696 Microsoft Corporation
1760 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe 7.5.0.47 Anti-Malware Development a.s.
1776 C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe 7.1.0.365 GRISOFT, s.r.o.
1808 C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe 7.1.0.349 GRISOFT, s.r.o.
1864 C:\WINDOWS\System32\inetsrv\inetinfo.exe 5.1.2600.2180 Microsoft Corporation
1900 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE 7.0.9466.0 Microsoft Corporation
1956 C:\WINDOWS\system32\nvsvc32.exe 6.14.10.8421 NVIDIA Corporation
2012 C:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
2016 C:\WINDOWS\system32\carpserv.exe 1.0.0.1 Conexant Systems
2056 C:\WINDOWS\system32\GSICON.EXE 3.1.0.0 Fujitsu, Inc.
2068 C:\WINDOWS\system32\dslagent.exe
2092 C:\Program Files\QuickTime\qttask.exe 6.5.0.48 Apple Computer, Inc.
2148 C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe 1.0.0.1
2200 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE 3.0.0.0 SEIKO EPSON CORPORATION
2500 C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe 7.1.0.406 GRISOFT, s.r.o.
2508 C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe 12.0.0.1 ScanSoft, Inc.
2548 C:\Program Files\AceGain\LiveUpdate\aceagent.exe
2560 C:\WINDOWS\system32\RUNDLL32.EXE 5.1.2600.2180 Microsoft Corporation
2568 C:\Program Files\Common Files\Real\Update_OB\realsched.exe 0.1.0.3760 RealNetworks, Inc.
2580 C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe 5.0.100.3 Sun Microsystems, Inc.
2588 C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe 6.5.737.0 Zone Labs, LLC
2604 C:\WINDOWS\system32\ctfmon.exe 5.1.2600.2180 Microsoft Corporation
2672 C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe 7.0.0.0 Adobe Systems Incorporated
2688 C:\Program Files\FinePixViewer\QuickDCF.exe 3.0.0.0 FUJI PHOTO FILM CO., LTD.
2700 C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe 1.7.1.0 InterVideo Inc.
3160 C:\Program Files\internet explorer\iexplore.exe 7.0.5730.11 Microsoft Corporation
3340 C:\WINDOWS\system32\wuauclt.exe 5.8.0.2469 Microsoft Corporation
3452 C:\WINDOWS\system32\wuauclt.exe 5.8.0.2469 Microsoft Corporation
3932 C:\Documents and Settings\Sean Debling\My Documents\Unzipped\hijackthis\HijackThis.exe 1.99.0.1 Soeperman Enterprises Ltd.


DLLs loaded by process C:\Program Files\internet explorer\iexplore.exe:

[full path to filename] [file version] [company name]
C:\WINDOWS\system32\ntdll.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\kernel32.dll 5.1.2600.2945 Microsoft Corporation
C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\GDI32.dll 5.1.2600.2818 Microsoft Corporation
C:\WINDOWS\system32\USER32.dll 5.1.2600.2622 Microsoft Corporation
C:\WINDOWS\system32\msvcrt.dll 7.0.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\SHLWAPI.dll 6.0.2900.2995 Microsoft Corporation
C:\WINDOWS\system32\SHELL32.dll 6.0.2900.2951 Microsoft Corporation
C:\WINDOWS\system32\ole32.dll 5.1.2600.2726 Microsoft Corporation
C:\WINDOWS\system32\urlmon.dll 7.0.5730.11 Microsoft Corporation
C:\WINDOWS\system32\OLEAUT32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\iertutil.dll 7.0.5730.11 Microsoft Corporation
C:\WINDOWS\system32\VERSION.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\IMM32.DLL 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll 6.0.2900.2982 Microsoft Corporation
C:\WINDOWS\system32\comctl32.dll 5.82.2900.2982 Microsoft Corporation
C:\WINDOWS\system32\IEFRAME.dll 7.0.5730.11 Microsoft Corporation
C:\WINDOWS\system32\PSAPI.DLL 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\UxTheme.dll 6.0.2900.2180 Microsoft Corporation
C:\WINDOWS\system32\MSCTF.dll 5.1.2600.2180 Microsoft Corporation
C:\Program Files\ScanSoft\OmniPageSE2.0\ophookSE2.dll 12.0.0.1 ScanSoft, Inc.
C:\WINDOWS\system32\xpsp2res.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\msctfime.ime 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\IEUI.dll 7.0.5730.11 Microsoft Corporation
C:\WINDOWS\system32\MSIMG32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\gdiplus.dll 5.1.3102.2180 Microsoft Corporation
C:\WINDOWS\system32\xmllite.dll 1.0.1018.0 Microsoft Corporation
C:\WINDOWS\system32\apphelp.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\CLBCATQ.DLL 2001.12.4414.308 Microsoft Corporation
C:\WINDOWS\system32\COMRes.dll 2001.12.4414.258 Microsoft Corporation
C:\WINDOWS\System32\msimtf.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\Secur32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\mslbui.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\System32\cscui.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\SETUPAPI.dll 5.1.2600.2180 Microsoft Corporation
C:\Program Files\Microsoft Office\OFFICE11\msohev.dll 11.0.5510.0 Microsoft Corporation
C:\WINDOWS\ime\sptip.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\OLEACC.dll 4.2.5406.0 Microsoft Corporation
C:\WINDOWS\system32\MSVCP60.dll 6.2.3104.0 Microsoft Corporation
C:\WINDOWS\IME\SPGRMR.DLL 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\msi.dll 3.1.4000.2435 Microsoft Corporation
C:\Program Files\Common Files\Microsoft Shared\INK\SKCHUI.DLL 1.0.1038.0 Microsoft Corporation
C:\Program Files\Internet Explorer\ieproxy.dll 7.0.5730.11 Microsoft Corporation
C:\WINDOWS\system32\SXS.DLL 5.1.2600.3019 Microsoft Corporation
C:\WINDOWS\system32\WININET.dll 7.0.5730.11 Microsoft Corporation
C:\WINDOWS\system32\Normaliz.dll 6.0.5441.0 Microsoft Corporation
C:\WINDOWS\system32\MLANG.dll 6.0.2900.2180 Microsoft Corporation
C:\WINDOWS\system32\ws2_32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\WS2HELP.dll 5.1.2600.2180 Microsoft Corporation
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll 7.0.0.1333 Adobe Systems Incorporated
C:\WINDOWS\system32\MSVCR71.dll 7.10.3052.4 Microsoft Corporation
C:\PROGRA~1\SPYBOT~1\SDHelper.dll 1.4.0.0 Safer Networking Limited
C:\WINDOWS\system32\olepro32.dll 5.1.2600.2180 Microsoft Corporation
C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll 5.0.100.3 Sun Microsystems, Inc.
C:\WINDOWS\system32\MSRATING.dll 7.0.5730.11 Microsoft Corporation
C:\WINDOWS\system32\mswsock.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\hnetcfg.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\System32\wshtcpip.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\RASAPI32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\rasman.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\NETAPI32.dll 5.1.2600.2976 Microsoft Corporation
C:\WINDOWS\system32\TAPI32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\rtutils.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\WINMM.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\serwvdrv.dll 5.1.2600.0 Microsoft Corporation
C:\WINDOWS\system32\umdmxfrm.dll 5.1.2600.0 Microsoft Corporation
C:\WINDOWS\system32\USERENV.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\msv1_0.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\iphlpapi.dll 5.1.2600.2912 Microsoft Corporation
C:\WINDOWS\system32\actxprxy.dll 6.0.2900.2180 Microsoft Corporation
C:\WINDOWS\system32\rsaenh.dll 5.1.2600.2161 Microsoft Corporation
C:\WINDOWS\system32\rasadhlp.dll 5.1.2600.2938 Microsoft Corporation
C:\WINDOWS\system32\DNSAPI.dll 5.1.2600.2938 Microsoft Corporation
C:\WINDOWS\system32\mshtml.dll 7.0.5730.11 Microsoft Corporation
C:\WINDOWS\system32\msls31.dll 3.10.349.0 Microsoft Corporation
C:\WINDOWS\system32\ieapfltr.dll 7.0.5824.16386 Microsoft Corporation
C:\WINDOWS\system32\WINTRUST.dll 5.131.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\MSASN1.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\NTMARTA.DLL 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\SAMLIB.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\System32\jscript.dll 5.7.0.5730 Microsoft Corporation
C:\WINDOWS\system32\iepeers.dll 7.0.5730.11 Microsoft Corporation
C:\WINDOWS\system32\WINSPOOL.DRV 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\mshtmled.dll 7.0.5730.11 Microsoft Corporation
C:\WINDOWS\system32\Dxtrans.dll 7.0.5730.11 Microsoft Corporation
C:\WINDOWS\system32\ATL.DLL 3.5.2284.0 Microsoft Corporation
C:\WINDOWS\System32\ddrawex.dll 5.3.2600.2180 Microsoft Corporation
C:\WINDOWS\System32\DDRAW.dll 5.3.2600.2180 Microsoft Corporation
C:\WINDOWS\System32\DCIMAN32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\msfeeds.dll 7.0.5730.11 Microsoft Corporation
C:\WINDOWS\system32\msxml3.dll 8.70.1113.0 Microsoft Corporation
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll 7.0.0.0 Adobe Systems, Inc.
C:\WINDOWS\system32\wdmaud.drv 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\msacm32.drv 5.1.2600.0 Microsoft Corporation
C:\WINDOWS\system32\MSACM32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\midimap.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\schannel.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\USP10.dll 1.420.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\dssenh.dll 5.1.2600.2133 Microsoft Corporation
C:\WINDOWS\system32\Dxtmsft.dll 7.0.5730.11 Microsoft Corporation
C:\WINDOWS\system32\mscms.dll 5.1.2600.2709 Microsoft Corporation
C:\WINDOWS\system32\ImgUtil.dll 7.0.5730.11 Microsoft Corporation
C:\WINDOWS\system32\pngfilt.dll 7.0.5730.11 Microsoft Corporation

Canyoufixitdad
2007-01-10, 15:42
Explorer dll's....

Process list saved on 13:38:02, on 10/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)

[pid] [full path to filename] [file version] [company name]
676 C:\WINDOWS\System32\smss.exe 5.1.2600.2180 Microsoft Corporation
760 C:\WINDOWS\system32\winlogon.exe 5.1.2600.2180 Microsoft Corporation
804 C:\WINDOWS\system32\services.exe 5.1.2600.2180 Microsoft Corporation
816 C:\WINDOWS\system32\lsass.exe 5.1.2600.2180 Microsoft Corporation
960 C:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1056 C:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1192 C:\WINDOWS\system32\ZoneLabs\vsmon.exe 6.5.737.0 Zone Labs, LLC
1568 C:\WINDOWS\Explorer.EXE 6.0.2900.2180 Microsoft Corporation
1632 C:\WINDOWS\system32\spoolsv.exe 5.1.2600.2696 Microsoft Corporation
1760 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe 7.5.0.47 Anti-Malware Development a.s.
1776 C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe 7.1.0.365 GRISOFT, s.r.o.
1808 C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe 7.1.0.349 GRISOFT, s.r.o.
1864 C:\WINDOWS\System32\inetsrv\inetinfo.exe 5.1.2600.2180 Microsoft Corporation
1900 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE 7.0.9466.0 Microsoft Corporation
1956 C:\WINDOWS\system32\nvsvc32.exe 6.14.10.8421 NVIDIA Corporation
2012 C:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
2016 C:\WINDOWS\system32\carpserv.exe 1.0.0.1 Conexant Systems
2056 C:\WINDOWS\system32\GSICON.EXE 3.1.0.0 Fujitsu, Inc.
2068 C:\WINDOWS\system32\dslagent.exe
2092 C:\Program Files\QuickTime\qttask.exe 6.5.0.48 Apple Computer, Inc.
2148 C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe 1.0.0.1
2200 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE 3.0.0.0 SEIKO EPSON CORPORATION
2500 C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe 7.1.0.406 GRISOFT, s.r.o.
2508 C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe 12.0.0.1 ScanSoft, Inc.
2548 C:\Program Files\AceGain\LiveUpdate\aceagent.exe
2560 C:\WINDOWS\system32\RUNDLL32.EXE 5.1.2600.2180 Microsoft Corporation
2568 C:\Program Files\Common Files\Real\Update_OB\realsched.exe 0.1.0.3760 RealNetworks, Inc.
2580 C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe 5.0.100.3 Sun Microsystems, Inc.
2588 C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe 6.5.737.0 Zone Labs, LLC
2604 C:\WINDOWS\system32\ctfmon.exe 5.1.2600.2180 Microsoft Corporation
2688 C:\Program Files\FinePixViewer\QuickDCF.exe 3.0.0.0 FUJI PHOTO FILM CO., LTD.
2700 C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe 1.7.1.0 InterVideo Inc.
3160 C:\Program Files\internet explorer\iexplore.exe 7.0.5730.11 Microsoft Corporation
3452 C:\WINDOWS\system32\wuauclt.exe 5.8.0.2469 Microsoft Corporation
376 C:\Documents and Settings\Sean Debling\My Documents\Unzipped\hijackthis\HijackThis.exe 1.99.0.1 Soeperman Enterprises Ltd.


DLLs loaded by process C:\WINDOWS\Explorer.EXE:

[full path to filename] [file version] [company name]
C:\WINDOWS\system32\ntdll.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\kernel32.dll 5.1.2600.2945 Microsoft Corporation
C:\WINDOWS\system32\msvcrt.dll 7.0.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\GDI32.dll 5.1.2600.2818 Microsoft Corporation
C:\WINDOWS\system32\USER32.dll 5.1.2600.2622 Microsoft Corporation
C:\WINDOWS\system32\SHLWAPI.dll 6.0.2900.2995 Microsoft Corporation
C:\WINDOWS\system32\SHELL32.dll 6.0.2900.2951 Microsoft Corporation
C:\WINDOWS\system32\ole32.dll 5.1.2600.2726 Microsoft Corporation
C:\WINDOWS\system32\OLEAUT32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\BROWSEUI.dll 6.0.2900.2995 Microsoft Corporation
C:\WINDOWS\system32\SHDOCVW.dll 6.0.2900.2987 Microsoft Corporation
C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\MSASN1.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\CRYPTUI.dll 5.131.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\WINTRUST.dll 5.131.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\NETAPI32.dll 5.1.2600.2976 Microsoft Corporation
C:\WINDOWS\system32\WININET.dll 7.0.5730.11 Microsoft Corporation
C:\WINDOWS\system32\Normaliz.dll 6.0.5441.0 Microsoft Corporation
C:\WINDOWS\system32\iertutil.dll 7.0.5730.11 Microsoft Corporation
C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\VERSION.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\UxTheme.dll 6.0.2900.2180 Microsoft Corporation
C:\WINDOWS\system32\ShimEng.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\AppPatch\AcGenral.DLL 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\WINMM.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\MSACM32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\USERENV.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\IMM32.DLL 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll 6.0.2900.2982 Microsoft Corporation
C:\WINDOWS\system32\comctl32.dll 5.82.2900.2982 Microsoft Corporation
C:\WINDOWS\system32\serwvdrv.dll 5.1.2600.0 Microsoft Corporation
C:\WINDOWS\system32\umdmxfrm.dll 5.1.2600.0 Microsoft Corporation
C:\WINDOWS\system32\msctfime.ime 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\appHelp.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\CLBCATQ.DLL 2001.12.4414.308 Microsoft Corporation
C:\WINDOWS\system32\COMRes.dll 2001.12.4414.258 Microsoft Corporation
C:\WINDOWS\System32\cscui.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\System32\themeui.dll 6.0.2900.2180 Microsoft Corporation
C:\WINDOWS\System32\Secur32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\System32\MSIMG32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\xpsp2res.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\actxprxy.dll 6.0.2900.2180 Microsoft Corporation
C:\WINDOWS\System32\msutb.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\System32\MSCTF.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\SAMLIB.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\ntshrui.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\ATL.DLL 3.5.2284.0 Microsoft Corporation
C:\WINDOWS\system32\SETUPAPI.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\ieframe.dll 7.0.5730.11 Microsoft Corporation
C:\WINDOWS\system32\PSAPI.DLL 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\urlmon.dll 7.0.5730.11 Microsoft Corporation
C:\WINDOWS\system32\NETSHELL.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\rtutils.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\credui.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\WS2_32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\WS2HELP.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\iphlpapi.dll 5.1.2600.2912 Microsoft Corporation
C:\WINDOWS\system32\WINSTA.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\webcheck.dll 7.0.5730.11 Microsoft Corporation
C:\WINDOWS\System32\stobject.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\System32\BatMeter.dll 6.0.2900.2180 Microsoft Corporation
C:\WINDOWS\System32\POWRPROF.dll 6.0.2900.2180 Microsoft Corporation
C:\WINDOWS\System32\WTSAPI32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\LINKINFO.dll 5.1.2600.2751 Microsoft Corporation
C:\WINDOWS\system32\wdmaud.drv 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\msacm32.drv 5.1.2600.0 Microsoft Corporation
C:\WINDOWS\system32\midimap.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\msi.dll 3.1.4000.2435 Microsoft Corporation
C:\Program Files\ScanSoft\OmniPageSE2.0\ophookSE2.dll 12.0.0.1 ScanSoft, Inc.
C:\WINDOWS\system32\mslbui.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\rsaenh.dll 5.1.2600.2161 Microsoft Corporation
C:\WINDOWS\system32\browselc.dll 6.0.2900.2180 Microsoft Corporation
C:\WINDOWS\system32\MLANG.dll 6.0.2900.2180 Microsoft Corporation
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll 7.0.0.1333 Adobe Systems Incorporated
C:\WINDOWS\system32\MSVCR71.dll 7.10.3052.4 Microsoft Corporation
C:\WINDOWS\system32\SXS.DLL 5.1.2600.3019 Microsoft Corporation
C:\WINDOWS\system32\DUSER.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\fxsst.dll 5.2.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\WINSPOOL.DRV 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\FXSAPI.dll 5.2.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\NTMARTA.DLL 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\RASDLG.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\MPRAPI.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\ACTIVEDS.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\adsldpc.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\RASAPI32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\rasman.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\TAPI32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\msv1_0.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\MPR.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\System32\drprov.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\System32\ntlanman.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\System32\NETUI0.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\System32\NETUI1.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\System32\NETRAP.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\System32\davclnt.dll 5.1.2600.2180 Microsoft Corporation
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll 7.5.0.47 Anti-Malware Development a.s.
C:\WINDOWS\system32\shdoclc.dll 6.0.2900.2180 Microsoft Corporation
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll 7.0.0.0 Adobe Systems, Inc.
C:\PROGRA~1\SPYBOT~1\SDHelper.dll 1.4.0.0 Safer Networking Limited
C:\WINDOWS\system32\olepro32.dll 5.1.2600.2180 Microsoft Corporation
C:\Program Files\Microsoft Office\OFFICE11\msohev.dll 11.0.5510.0 Microsoft Corporation
C:\PROGRA~1\WINZIP\WZSHLSTB.DLL 4.1.0.0 WinZip Computing, Inc.
C:\Program Files\Grisoft\AVG Free\avgse.dll 7.1.0.354 GRISOFT, s.r.o.
C:\WINDOWS\system32\MSVCP71.dll 7.10.3077.0 Microsoft Corporation
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll 7.5.0.49 Anti-Malware Development a.s.

LonnyRJones
2007-01-11, 13:20
I'm still not seeing anything out of place.
Let's try this
Close all browsers
Start >Run then type cmd and click ok
type
ipconfig /release
press enter, type
ipconfig /renew
press enter, type
ipconfig /flushdns
press enter, type
ipconfig /registerdns
press enter

Now try a non-existent page and see if there's a problem, such as
http://www.google.comx/

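The "open a page that cannot exist" test Lonny asks for above is, in DNS terms, a check for NXDOMAIN hijacking: a resolver that returns an address for a random, never-registered hostname is substituting its own answer. Below is an added example that automates that probe; it is not code from the original thread. The resolver function is injectable, so the check can be exercised offline against two constructed fakes (one honest, one that redirects every unknown name the way the hijacked setup described above does); `system_resolver` runs the same probe through the OS stub resolver. The RFC 5737 documentation addresses and the hostnames in the fakes are made up for the example.

```python
"""Check whether the active resolver returns answers for names that cannot exist.

Added example; not code from the original thread. A resolver that hands back
an address for a random, never-registered hostname is substituting its own
answer (NXDOMAIN hijacking), which is what turns a misspelled URL into a
landing on somebody's "search" page.
"""
import secrets
import socket
from typing import Callable, Dict, Optional

Resolver = Callable[[str], Optional[str]]


def system_resolver(name: str) -> Optional[str]:
    """Resolve via the OS; None means no answer (NXDOMAIN or lookup failure)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def random_probe_name(suffix: str = "invalid") -> str:
    """A random label under `suffix` that nobody can have registered.

    '.invalid' is reserved (RFC 2606) and must never resolve; example.com and
    example.net are reserved and do not wildcard their subdomains.
    """
    return f"nx-{secrets.token_hex(8)}.{suffix}"


def detect_nxdomain_hijack(resolve: Resolver = system_resolver,
                           suffixes=("invalid", "example.com", "example.net"),
                           probes_per_suffix: int = 2) -> Dict[str, object]:
    """Resolve several random names; any answer at all means the resolver is lying.

    Returns {"hijacked": bool, "answers": {probe_name: ip}}. Several suffixes
    are probed so one wildcarded zone cannot cause a false positive on its own.
    """
    answers: Dict[str, str] = {}
    for suffix in suffixes:
        for _ in range(probes_per_suffix):
            name = random_probe_name(suffix)
            ip = resolve(name)
            if ip is not None:
                answers[name] = ip
    return {"hijacked": bool(answers), "answers": answers}


# Constructed stand-ins for a resolver so the check runs without a network.
_KNOWN = {"www.google.com": "192.0.2.1"}  # RFC 5737 documentation address, made up


def make_honest_resolver() -> Resolver:
    """Constructed resolver: answers only for names it knows, NXDOMAIN otherwise."""
    return lambda name: _KNOWN.get(name)


def make_hijacking_resolver(redirect_ip: str = "203.0.113.10") -> Resolver:
    """Constructed resolver mimicking the hijack: every unknown name gets an answer."""
    return lambda name: _KNOWN.get(name, redirect_ip)


if __name__ == "__main__":
    # The last entry needs network access; the two fakes do not.
    for label, resolver in (("honest fake", make_honest_resolver()),
                            ("hijacking fake", make_hijacking_resolver()),
                            ("this machine", system_resolver)):
        result = detect_nxdomain_hijack(resolver)
        print(f"{label}: hijacked={result['hijacked']} answers={result['answers']}")
```

A positive result only says that something in the resolution path is substituting answers. Some ISPs run the same NXDOMAIN redirection on their own resolvers, and IE 7 can turn a failed lookup into a search page by itself, so the follow-up is to look at which DNS servers each connection is actually configured to use, rather than to assume malware straight away.
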
Canyoufixitdad
2007-01-12, 01:18
I closed my browser but stayed connected to the internet. I started the MS-DOS screen and typed the first command but it came up with the error

"Windows IP Configuration

No operation can be performed on Local Area Connection while it has its media disconnected"

I tried the second command and again the same error, however, I managed to flush the DNS and register the DNS resource records as in the last command. But I'm afraid that the 404 problem is still there. Some of my icons have changed though. For instance, the MSN homepage has the History Channel 'H', Google has a red and blue round blob and this website has a rainbow type icon. Not sure if it's related to this problem but thought I would mention it. Below is a link to a screenshot.

http://img165.imageshack.us/img165/7615/imagemg5.jpg

LonnyRJones
2007-01-12, 04:42
Did you unplug something before trying those commands?
What type of connection do you have? Wireless?
Is it a networked PC?
Do you use a router?

Same errors if you leave a browser running?
In Control Panel > Network Connections, right-click on Local Area Connection and choose Repair. Any errors?
Are any connections bridged?

Canyoufixitdad
2007-01-13, 14:42
Nothing was unplugged. I have an adsl modem but not a wireless connection and not through a router, just an ol' fashioned cable from pc to modem to telephone socket. I am not networked either.

Same results occur with browser running.

When I right click Local Area conn the option to repair is not available. The following is a picture link of the options and connections I have.

http://img152.imageshack.us/img152/715/connectionssc8.jpg

LonnyRJones
2007-01-13, 15:10
Try the repair option on the other two please, reboot then see if you still see the error redirects.

If still no luck you could use WinSockFix
http://www.majorgeeks.com/WinSock_XP_Fix_d4372.html
You might have to go through setting up your internet connection again

Keep us informed

Canyoufixitdad
2007-01-13, 15:36
Repair option not available for dial-up, doesn't even show up. Repair for 1394 connection chosen but came up with error ".....TCP/IP not enabled for this connection. Cannot proceed......". On choosing options however, there is a tick in the "Internet Protocol (TCP/IP) box. Local Area connex repair option still grayed out.

D/loaded Winsock and chose "FIX". Rebooted and no change to report of the problem.

I'm sorry for all this inconvenience Lonny :banghead:

LonnyRJones
2007-01-13, 15:39
Curious, what is this 1394 connection for?

PS: no inconvenience :)

Canyoufixitdad
2007-01-14, 01:03
Sorry Lonny, I'm not sure. Bit above my technical know-how. Even this stuff we are doing here feels "cutting-edge" to me. All I know is that it's a built-in FireWire connector. Something to do with video input? IEEE 1394 host controller according to the manufacturer's website :scratch:

LonnyRJones
2007-01-14, 05:20
What manufacturer is that ?
Found more on IEEE1394 devices
http://www.microsoft.com/windowsxp/using/moviemaker/expert/bridgman_02march25.mspx

In Network Connections, right-click > Properties on each one listed there, one at a time > Properties > highlight Internet Protocol (TCP/IP) if it's there, hit Properties again, then on that first page (General) what do you see?

Canyoufixitdad
2007-01-14, 23:59
VIA OHCI Compliant IEEE 1394 Host Controller

http://www.via.com.tw/en/index.jsp

1394 General Properties

Obtain an IP address automatically.
Obtain DNS server address automatically.

Local Area Connection 3Com Gigabit LOM (3C940)

Same settings as above

Fujitsu Dial Up ADSL Modem

Properties > Networking > TCP/IP Properties

Obtain an IP address automatically
Use the following DNS Server addresses:

Preferred DNS Server **:***:***:***
Alternate DNS Server **:***:***:***

If you require these IP's let me know and I'll PM them to you.

LonnyRJones
2007-01-15, 07:58
Fujitsu Dial Up ADSL Modem
Properties > Networking > TCP/IP Properties
Use the following DNS Server addresses:
Write those down, then set it to "Obtain DNS server address automatically".

Reboot and see if there's still a problem.

Canyoufixitdad
2007-01-15, 23:42
Aha..... success !!

"Internet Explorer cannot display the webpage... yada yada yada "

Thank you very much Lonny for your patience and for solving this pesky problem. Now my kids can do their homework without me having to babysit them in case they spell an address wrong and take it to that blasted website.

How the heck did those ip's get there :scratch:

LonnyRJones
2007-01-16, 09:12
Fantastic

Normally that would have shown in your HijackThis logs or WinSockFix should have helped; it was a leftover from the wareout/DNS hijack.

Surf safe
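
What finally fixed the problem was finding a connection with "Use the following DNS server addresses" set to servers the owner never entered, and the diagnosis above is that this was left behind by the earlier DNS hijack. Below is an added example, not from the original thread, that does that audit from a text dump instead of clicking through each connection's Properties. For LAN adapters the per-interface TCP/IP settings live under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}, where `NameServer` holds statically configured DNS servers and `DhcpNameServer` holds what the DHCP server offered; the script parses the output of `reg query <that key> /s` and reports every interface whose NameServer is populated with something you did not put there. The registry dump embedded below is constructed for the example (made-up GUIDs, RFC 5737 documentation addresses), as is the `allowed` list.

```python
r"""Find adapters with manually configured DNS servers in a `reg query` dump.

Added example, not code from the original thread. Parses the output of
  reg query HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces /s
and flags interfaces whose NameServer (static DNS) overrides DhcpNameServer.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

KEY_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\.*\\Interfaces\\(\{[0-9A-Fa-f-]+\})\s*$")
# reg query columns are whitespace-separated (tabs or spaces by Windows version).
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s*(.*?)\s*$")


def _split_servers(raw: str) -> List[str]:
    """NameServer/DhcpNameServer are REG_SZ lists separated by commas or spaces."""
    return [s for s in re.split(r"[ ,]+", raw) if s]


@dataclass
class Interface:
    guid: str
    values: Dict[str, str] = field(default_factory=dict)

    @property
    def dhcp_enabled(self) -> bool:
        return self.values.get("EnableDHCP", "0x0").lower() in ("0x1", "1")

    @property
    def static_dns(self) -> List[str]:
        return _split_servers(self.values.get("NameServer", ""))

    @property
    def dhcp_dns(self) -> List[str]:
        return _split_servers(self.values.get("DhcpNameServer", ""))


def parse_reg_query(text: str) -> List[Interface]:
    """Turn `reg query ...\\Interfaces /s` output into one Interface per GUID key."""
    interfaces: List[Interface] = []
    current = None
    for line in text.splitlines():
        key = KEY_RE.match(line)
        if key:
            current = Interface(guid=key.group(1))
            interfaces.append(current)
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            name, _reg_type, data = value.groups()
            current.values[name] = data
    return interfaces


def find_static_dns(text: str, allowed: Iterable[str] = ()) -> List[dict]:
    """Report interfaces whose static DNS servers are not in `allowed`.

    `allowed` lists servers you configured on purpose (assumed input); every
    other NameServer entry is reported together with what DHCP offered instead,
    which is the combination found in the thread: IP by DHCP, DNS hard-coded.
    """
    allowed = set(allowed)
    findings = []
    for iface in parse_reg_query(text):
        unexpected = [s for s in iface.static_dns if s not in allowed]
        if unexpected:
            findings.append({"guid": iface.guid, "static_dns": unexpected,
                             "dhcp_enabled": iface.dhcp_enabled,
                             "dhcp_dns": iface.dhcp_dns})
    return findings


# Constructed sample of `reg query` output: made-up GUIDs, RFC 5737 addresses.
SAMPLE_REG_QUERY = """
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{11111111-2222-3333-4444-555555555555}
    EnableDHCP    REG_DWORD    0x1
    NameServer    REG_SZ
    DhcpNameServer    REG_SZ    192.0.2.1

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{66666666-7777-8888-9999-000000000000}
    EnableDHCP    REG_DWORD    0x1
    NameServer    REG_SZ    203.0.113.53,203.0.113.54
    DhcpNameServer    REG_SZ    192.0.2.1
"""

if __name__ == "__main__":
    for f in find_static_dns(SAMPLE_REG_QUERY):
        print(f"{f['guid']}: static DNS {f['static_dns']} "
              f"(DHCP enabled={f['dhcp_enabled']}, DHCP offered {f['dhcp_dns']})")
```

Two caveats. The connection that turned out to be the culprit here is a dial-up entry, and those keep their DNS setting with the phonebook entry (rasphone.pbk) rather than under the LAN adapter keys, so that one still needs the manual Properties check from the posts above. And a static DNS entry is not proof of tampering by itself; the question is whether the owner recognises the addresses, which is why the script takes an `allowed` list.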