Infected With Spyware.isearch, Error Safe, & Winfixer (and More, I Think)


25 replies to this topic

#1 lmvierra (Members, 20 posts)

Posted 25 July 2007 - 05:32 PM

I'm getting a lot of pop-ups and redirects when on the internet. I have run my Symantec Anti Virus, and followed all the steps listed on your site to no avail. I have tried following instructions from other posts, as well as the removal instructions on the Symantec web site, but nothing will get rid of these programs. None of the programs on my computer are detecting any of the programs, but when I run the virus scan off of the Symantec website it finds them. When trying to run "Hijack This" an error message kept popping up when I selected scan and save, but I was able to bypass it by scanning only, then saving. When I try to access this forum on the infected computer it shuts down Internet Explorer, so I had to save the file and post from another location... Please help!!! I'm at my wits' end :thumbsup:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:17:45 PM, on 7/25/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\winnt\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\winnt\system32\services.exe
C:\winnt\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\winnt\system32\svchost.exe
C:\winnt\System32\svchost.exe
C:\winnt\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\winnt\system32\regsvc.exe
C:\winnt\system32\MSTask.exe
C:\winnt\System32\snmp.exe
C:\winnt\System32\WBEM\WinMgmt.exe
C:\winnt\system32\MsPMSPSv.exe
c:\_integra\bin\shstart.exe
C:\winnt\Explorer.EXE
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\winnt\system32\dpmw32.exe
C:\winnt\system32\NWTRAY.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\winnt\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINNT\system32\msdtc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cphpdoc1.homedepot.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http:\\cphpdoc1.homedepot.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by The Home Depot
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=c:\winnt\system32\userinit.exe,c:\_integra\bin\shstart.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NDPS] C:\winnt\system32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\winnt\system32\tfonmqlg.dll",forkonce
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\sat3\LOCALS~1\Temp\{B6ABFCBD-FBA7-46D5-9610-2BE38D83AA00}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_02\bin\npjpi142_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_02\bin\npjpi142_02.dll
O14 - IERESET.INF: START_PAGE_URL=http:\\cphpdoc1.homedepot.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1185368252218
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://winantivirus.com/download/2007/down...9850f72efaffda7
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = homedepot.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = homedepot.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = amer.homedepot.com,homedepot.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = homedepot.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = amer.homedepot.com,homedepot.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = amer.homedepot.com,homedepot.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\winnt\system32\cusrvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\winnt\System32\dmadmin.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Accessories\rteqehdabewu.html

--
End of file - 6942 bytes


#2 Demon Cleaner (Members, 1,383 posts, Male, Chester uk)

Posted 02 August 2007 - 12:32 AM

Hello lmvierra

I will be helping you with your problems.

Please right click on Hijackthis.exe located here:

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

Select rename and rename it to reveal.exe

Post the contents of the resultant log in your next reply.

Demon Cleaner

#3 lmvierra (Topic Starter, Members, 20 posts)

Posted 03 August 2007 - 10:22 AM

Thank you soooo much for your help... Renaming it allowed me to run the program, but my computer still disconnects from the internet when I try to post the results of the log on this site....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:02:05 AM, on 8/3/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal
Running processes:
C:\winnt\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\winnt\system32\services.exe
C:\winnt\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\winnt\system32\svchost.exe
C:\winnt\System32\svchost.exe
C:\winnt\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\winnt\system32\regsvc.exe
C:\winnt\System32\snmp.exe
C:\winnt\System32\WBEM\WinMgmt.exe
C:\winnt\system32\MsPMSPSv.exe
c:\_integra\bin\shstart.exe
C:\winnt\Explorer.EXE
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\winnt\system32\dpmw32.exe
C:\winnt\system32\NWTRAY.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\winnt\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Trend Micro\HijackThis\REVEAL.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cphpdoc1.homedepot.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http:\\cphpdoc1.homedepot.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by The Home Depot
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=c:\winnt\system32\userinit.exe,c:\_integra\bin\shstart.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {938A8A03-A938-4019-B764-03FF8D167D79} - (no file)
O2 - BHO: (no name) - {C7361258-27F3-4903-A2C4-4FAF9FEB6021} - C:\winnt\system32\mllml.dll
O2 - BHO: (no name) - {DCD53738-C4F9-414A-A03C-C7405A4AC844} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NDPS] C:\winnt\system32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\winnt\system32\tfonmqlg.dll",forkonce
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\sat3\LOCALS~1\Temp\{B6ABFCBD-FBA7-46D5-9610-2BE38D83AA00}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_02\bin\npjpi142_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_02\bin\npjpi142_02.dll
O14 - IERESET.INF: START_PAGE_URL=http:\\cphpdoc1.homedepot.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1185368252218
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://winantivirus.com/download/2007/down...9850f72efaffda7
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = homedepot.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = homedepot.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = amer.homedepot.com,homedepot.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = homedepot.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = amer.homedepot.com,homedepot.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = amer.homedepot.com,homedepot.com
O20 - Winlogon Notify: awtssqq - awtssqq.dll (file missing)
O20 - Winlogon Notify: mllml - C:\winnt\system32\mllml.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\winnt\system32\cusrvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\winnt\System32\dmadmin.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Accessories\rteqehdabewu.html
--
End of file - 7441 bytes

#4 Demon Cleaner (Members, 1,383 posts, Male, Chester uk)

Posted 05 August 2007 - 02:30 PM

Hello again lmvierra

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.


1. Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

2. Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

#5 lmvierra (Topic Starter, Members, 20 posts)

Posted 13 August 2007 - 11:24 AM

Hi! Sorry about the delay...

When I ran VundoFix, it gave me an error message: "C:\VindoFix.reg: Error opening the file. There may be a disk or file system error". It still created a log though, so here it is:

VundoFix V6.5.7

Checking Java version...

Java version is 1.4.2.2
Old versions of java are exploitable and should be removed.

Scan started at 9:01:02 AM 8/13/2007

Listing files found while scanning....

C:\winnt\system32\lmllm.bak1
C:\winnt\system32\lmllm.bak2
C:\winnt\system32\lmllm.ini
C:\winnt\system32\mllml.dll
C:\winnt\system32\tfonmqlg.dll

Beginning removal...

Attempting to delete C:\winnt\system32\lmllm.bak1
C:\winnt\system32\lmllm.bak1 Has been deleted!

Attempting to delete C:\winnt\system32\lmllm.bak2
C:\winnt\system32\lmllm.bak2 Has been deleted!

Attempting to delete C:\winnt\system32\lmllm.ini
C:\winnt\system32\lmllm.ini Has been deleted!

Attempting to delete C:\winnt\system32\mllml.dll
C:\winnt\system32\mllml.dll Has been deleted!

Attempting to delete C:\winnt\system32\tfonmqlg.dll
C:\winnt\system32\tfonmqlg.dll Has been deleted!

Performing Repairs to the registry.
Done!


And the Hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:09:34 AM, on 8/13/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\winnt\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\winnt\system32\services.exe
C:\winnt\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\winnt\system32\svchost.exe
C:\winnt\System32\svchost.exe
C:\winnt\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\winnt\system32\regsvc.exe
C:\winnt\System32\snmp.exe
C:\winnt\System32\WBEM\WinMgmt.exe
C:\winnt\system32\MsPMSPSv.exe
c:\_integra\bin\shstart.exe
C:\winnt\Explorer.EXE
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\winnt\system32\dpmw32.exe
C:\winnt\system32\NWTRAY.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\winnt\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\winnt\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\REVEAL.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cphpdoc1.homedepot.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http:\\cphpdoc1.homedepot.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by The Home Depot
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=c:\winnt\system32\userinit.exe,c:\_integra\bin\shstart.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {C7361258-27F3-4903-A2C4-4FAF9FEB6021} - C:\winnt\system32\mllml.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NDPS] C:\winnt\system32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\sat3\LOCALS~1\Temp\{B6ABFCBD-FBA7-46D5-9610-2BE38D83AA00}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_02\bin\npjpi142_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_02\bin\npjpi142_02.dll
O14 - IERESET.INF: START_PAGE_URL=http:\\cphpdoc1.homedepot.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1185368252218
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/files/...FreeInstall.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = homedepot.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = homedepot.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = amer.homedepot.com,homedepot.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = homedepot.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = amer.homedepot.com,homedepot.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = amer.homedepot.com,homedepot.com
O20 - Winlogon Notify: awtssqq - awtssqq.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\winnt\system32\cusrvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\winnt\System32\dmadmin.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Accessories\rteqehdabewu.html

--
End of file - 7203 bytes

Also, it still shuts down internet explorer when I try to post from the infected computer... Thanks again for all your help!

Lynn

#6 Demon Cleaner (Members, 1,383 posts, Male, Chester uk)

Posted 15 August 2007 - 10:55 AM

Hello again lmvierra

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

1. Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

C:\winnt\system32\ctfmon.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

2. Start HijackThis and click the Scan button to perform a scan. Once the scan has completed look for the following item/s and click in the checkbox in front of each item to select it (if present):

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: (no name) - {C7361258-27F3-4903-A2C4-4FAF9FEB6021} - C:\winnt\system32\mllml.dll (file missing)

O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\sat3\LOCALS~1\Temp\{B6ABFCBD-FBA7-46D5-9610-2BE38D83AA00}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"

O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/files/...FreeInstall.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_...aploader_v6.cab

O20 - Winlogon Notify: awtssqq - awtssqq.dll (file missing)


3. Next close all open windows apart from hjt and click fix checked and then exit the program.

4. Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

5. Go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab
Uncheck and delete everything you find in there. (except for "My current home page")

6. Navigate to C:\Program Files\Accessories and delete the following file (if present):

rteqehdabewu.html

7. Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 2 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u2...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.
8. Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
  • Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan tab" and UNcheck "Heuristic analysis"
  • Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
9. After reboot, post the contents of the log from Dr.Web in your next reply (you can use Notepad to open the DrWeb.csv report) along with the Jotti scan result and a fresh HijackThis log.
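A small triage script for the HijackThis log format used throughout this thread, added here as an example; it is not part of the thread and not HijackThis or VundoFix code. It parses the `Oxx - ...` lines, flags the classes of entry Demon Cleaner singled out (dangling references, an autorun launched from Temp, the same DLL hooked as both a BHO and a Winlogon Notify handler, an unnamed desktop component, an ActiveX control from an untrusted host, a rundll32 autorun), and derives the reversed-name companion files that the VundoFix log above showed next to mllml.dll. The trusted-host list is an assumption and the sample lines are constructed from the logs on this page.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the HijackThis logs in this thread, plus
# benign entries, so the rules below see both clean and suspicious input.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {C7361258-27F3-4903-A2C4-4FAF9FEB6021} - C:\winnt\system32\mllml.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\winnt\system32\tfonmqlg.dll",forkonce
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\sat3\LOCALS~1\Temp\{B6ABFCBD-FBA7-46D5-9610-2BE38D83AA00}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://winantivirus.com/download/2007/down...9850f72efaffda7
O20 - Winlogon Notify: awtssqq - awtssqq.dll (file missing)
O20 - Winlogon Notify: mllml - C:\winnt\system32\mllml.dll
O24 - Desktop Component 0: (no name) - C:\Program Files\Accessories\rteqehdabewu.html
"""

# Every HijackThis entry starts with a section code ("R3", "O4", "O20", ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
DLL_RE = re.compile(r"([A-Za-z0-9_~]+)\.dll", re.IGNORECASE)
URL_RE = re.compile(r"https?://([^/\s]+)")

# Assumed allowlist: hosts that legitimately serve the O16 ActiveX controls seen in
# this thread's logs. Anything else is flagged for review, not declared malicious.
TRUSTED_DPF_HOSTS = ("microsoft.com", "symantec.com")


def parse(log_text):
    """Return (section, body, raw_line) for every entry line; non-entry lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body"), line.strip()))
    return entries


def triage(log_text):
    """Return (section, reason, raw_line) for each entry a defender should look at."""
    entries = parse(log_text)
    # Index DLL basenames by the sections that reference them, so a DLL loaded both as a
    # BHO (O2) and as a Winlogon Notify hook (O20), as mllml.dll was here, stands out.
    dll_sections = defaultdict(set)
    for section, body, _ in entries:
        for dll in DLL_RE.findall(body):
            dll_sections[dll.lower()].add(section)

    findings = []
    for section, body, line in entries:
        low = body.lower()
        if "(no file)" in low or "(file missing)" in low:
            findings.append((section, "dangling reference to a file that no longer exists", line))
            continue
        dlls = {d.lower() for d in DLL_RE.findall(body)}
        if section in ("O2", "O20") and any({"O2", "O20"} <= dll_sections[d] for d in dlls):
            findings.append((section, "same DLL registered as both a BHO and a Winlogon Notify hook (Vundo pattern)", line))
        if section == "O4" and "\\temp\\" in low:
            findings.append((section, "autorun launched from a Temp folder", line))
        elif section == "O4" and "rundll32" in low and "system32" in low:
            findings.append((section, "rundll32 autorun loading a DLL from system32", line))
        if section == "O16":
            host = URL_RE.search(body)
            if host and not host.group(1).lower().endswith(TRUSTED_DPF_HOSTS):
                findings.append((section, "ActiveX control downloaded from a host outside the allowlist", line))
        if section == "O24" and "(no name)" in low:
            findings.append((section, "unnamed Active Desktop component", line))
    return findings


def vundo_companion_names(dll_path):
    """Names of the companion files to check for next to a suspected Vundo DLL.

    The VundoFix output in this thread removed mllml.dll together with lmllm.ini,
    lmllm.bak1 and lmllm.bak2: the DLL's basename reversed, with those extensions.
    """
    base = dll_path.replace("/", "\\").split("\\")[-1]
    stem = base[:-4] if base.lower().endswith(".dll") else base
    return [stem[::-1] + ext for ext in (".ini", ".bak1", ".bak2")]


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
    print("companions of mllml.dll:", vundo_companion_names(r"C:\winnt\system32\mllml.dll"))
```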

#7 lmvierra

lmvierra
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:08:57 PM

Posted 20 August 2007 - 12:05 PM

Hi again... I followed your instructions, but ran into some errors with some of them....

1. Jotti Scan Results:

File: CTFMON.EXE
Status: OK
MD5: d36a33c21eeed5a6c1daecb7c80a1909
Packers detected: -
Bit9 reports: No threat detected (more info)

Scanner results
Scan taken on 20 Aug 2007 16:44:56 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

Statistics
Last file scanned at least one scanner reported something about: dBpowerAMP-codec-ogg.exe (MD5: 7719af7f8d89ca88068318b328407e76, size: 422630 bytes), detected by:

Scanner                Malware name
A-Squared              X
AntiVir                X
ArcaVir                X
Avast                  Win32:Agent-AXG
AVG Antivirus          X
BitDefender            X
ClamAV                 X
CPsecure               X
Dr.Web                 X
F-Prot Antivirus       X
F-Secure Anti-Virus    X
Fortinet               X
Kaspersky Anti-Virus   X
NOD32                  X
Norman Virus Control   X
Panda Antivirus        X
Rising Antivirus       X
Sophos Antivirus       X
VirusBuster            X
VBA32                  X

You're free to (mis)interpret these automated, flawed statistics at your own discretion. For antivirus comparisons, visit AV comparatives
We are not affiliated with any third parties that conduct tests using this service.




5. When I changed display properties to say only "my current home page", a page that says "web page unavailable" takes up 3/4 of the desktop screen...



7. When I tried to remove the older Java versions, I ran into some problems. I was able to remove 1 version, but when I tried to remove the second (Java 2 Runtime Environment, SE v1.4.2_02), I was given the error message: "The windows installer service could not be accessed. Contact your support personnel to verify that the windows installer service is properly registered". I tried several times, and got the same message. I then tried to install the new version, and was given the message "Windows installer service could not be accessed. This can occur if you are running windows in safe mode, or windows installer is not correctly installed".


8. DrWeb found nothing, so no report list was generated....


9. Hijack this log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:34:41 AM, on 8/20/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\winnt\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\winnt\system32\services.exe
C:\winnt\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\winnt\system32\svchost.exe
C:\winnt\System32\svchost.exe
C:\winnt\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\winnt\system32\regsvc.exe
C:\winnt\System32\snmp.exe
C:\winnt\System32\WBEM\WinMgmt.exe
C:\winnt\system32\MsPMSPSv.exe
c:\_integra\bin\shstart.exe
C:\winnt\Explorer.EXE
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\winnt\system32\dpmw32.exe
C:\winnt\system32\NWTRAY.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\winnt\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Trend Micro\HijackThis\REVEAL.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cphpdoc1.homedepot.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http:\\cphpdoc1.homedepot.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by The Home Depot
F2 - REG:system.ini: UserInit=c:\winnt\system32\userinit.exe,c:\_integra\bin\shstart.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NDPS] C:\winnt\system32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_02\bin\npjpi142_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_02\bin\npjpi142_02.dll
O14 - IERESET.INF: START_PAGE_URL=http:\\cphpdoc1.homedepot.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1185368252218
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = homedepot.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = homedepot.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = amer.homedepot.com,homedepot.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = homedepot.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = amer.homedepot.com,homedepot.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = amer.homedepot.com,homedepot.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\winnt\system32\cusrvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\winnt\System32\dmadmin.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Accessories\rteqehdabewu.html

--
End of file - 6364 bytes


Also, since these problems began, I've been getting messages whenever I reboot my computer that I have no paging file, or the paging file is too small, and also that I'm low on virtual memory (don't know if this is related to viruses).

My computer still shuts down the Internet Explorer when I try to post from the infected computer. Today I tried the "debug" button, and it said: The instruction at "0x70cb8545" referenced memory at "0x00000000". The memory could not be "read".

Thanks again for all your help!!!!

#8 Demon Cleaner

Demon Cleaner

  • Members
  • 1,383 posts
  • OFFLINE
  • Gender:Male
  • Location:Chester uk
  • Local time:05:57 AM

Posted 21 August 2007 - 10:15 PM

Hello lmvierra


Please download Combofix and save it to your desktop.

Now disconnect/physically unplug from the internet!

Click on START, then Run. Copy the bold text below and paste it into the Run box and click OK:

"%userprofile%\desktop\ComboFix.exe" /KillAll

Allow ComboFix to run to completion.
Note: Do not mouse-click combofix's window while it is running. That may cause it to stall.

When finished, it should produce a log, combofix.txt. Note that some cleaning may require a reboot, so it won't be finished until that is done. After you have saved the log, restart your system to re-enable all the programs that were disabled during the running of ComboFix.

Reconnect to the internet

Post the following logs/Reports:

* ComboFix.txt
* Fresh HijackThis log

#9 lmvierra

lmvierra
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:08:57 PM

Posted 24 August 2007 - 11:56 AM

Ran the programs as directed....

Combo Fix:

ComboFix 07-08-17.2 - "sat3" 2007-08-24 9:33:42.2 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.294 [GMT -4:00]
Command switches used :: /KillAll


((((((((((((((((((((((((( Files Created from 2007-07-24 to 2007-08-24 )))))))))))))))))))))))))))))))


2007-08-24 09:33 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_2e8.dat
2007-08-24 09:10 51,200 --a------ C:\WINNT\nircmd.exe
2007-08-20 08:45 <DIR> d-------- C:\DOCUME~1\sat3\DoctorWeb
2007-08-13 09:01 <DIR> d-------- C:\VundoFix Backups
2007-07-25 15:25 20,971,520 C:\WINNT\system32\temppf.sys
2007-07-25 08:57 <DIR> d-------- C:\WINNT\SoftwareDistribution
2007-07-24 16:52 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-24 16:45 83,096 --a------ C:\WINNT\system32\SSSensor.dll
2007-07-24 16:45 60,496 --a------ C:\WINNT\system32\drivers\Teefer.sys
2007-07-24 16:45 21,075 --a------ C:\WINNT\system32\drivers\wpsdrvnt.sys
2007-07-24 16:45 14,568 --a------ C:\WINNT\system32\drivers\wg6n.sys
2007-07-24 16:45 14,568 --a------ C:\WINNT\system32\drivers\wg5n.sys
2007-07-24 16:45 14,568 --a------ C:\WINNT\system32\drivers\wg4n.sys
2007-07-24 16:45 14,568 --a------ C:\WINNT\system32\drivers\wg3n.sys
2007-07-24 16:44 <DIR> d-------- C:\Program Files\Sygate
2007-07-24 13:35 10,872 --a------ C:\WINNT\system32\drivers\AvgAsCln.sys
2007-07-24 13:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

07-08-14 13:49 28672 --a------ C:\winnt\system32\drivers\CO_Mon.sys
07-07-25 15:12 --------- d-------- C:\Program Files\Common Files\InstallShield
07-07-23 11:14 806 --a------ C:\winnt\system32\drivers\SYMEVENT.INF
07-07-23 11:14 8014 --a------ C:\winnt\system32\drivers\SYMEVENT.CAT
07-07-23 11:14 48776 --a--c--- C:\winnt\system32\S32EVNT1.DLL
07-07-23 11:14 115000 --a--c--- C:\winnt\system32\drivers\SYMEVENT.SYS
07-07-23 11:14 --------- d-------- C:\Program Files\Symantec
07-07-23 07:58 --------- d-------- C:\Program Files\Common Files\Symantec Shared
07-07-19 12:37 --------- d-------- C:\Program Files\Accessories
07-07-19 10:11 --------- d-------- C:\Program Files\Lavasoft
07-07-19 10:10 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
07-07-19 09:43 --------- d-------- C:\Program Files\Yahoo!
07-07-18 14:14 --------- d-------- C:\Program Files\CCleaner
07-07-18 09:18 --------- d-a------ C:\DOCUME~1\sat3\APPLIC~1\Help
06-01-23 15:55 271 ---h----- C:\Program Files\desktop.ini
06-01-23 15:55 21952 ---h-c--- C:\Program Files\folder.htt
03-06-20 03:00 32528 --a------ C:\winnt\inf\wbfirdma.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-20 03:00 C:\WINNT\system32\mobsync.exe]
"IgfxTray"="C:\WINNT\system32\igfxtray.exe" [04-08-10 04:55 ]
"HotKeysCmds"="C:\WINNT\system32\hkcmd.exe" [04-08-10 04:53 ]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [04-01-09 17:01 ]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [04-02-12 13:49 ]
"NDPS"="C:\winnt\system32\dpmw32.exe" [04-05-17 14:27 ]
"NWTRAY"="NWTRAY.EXE" [02-03-12 10:37 C:\WINNT\system32\nwtray.exe]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [07-06-11 05:25 ]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [04-10-15 19:40 ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [01-02-20 13:09 C:\WINNT\system32\CTFMON.EXE]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [06-03-30 17:45 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1997-07-11 01:00:00]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1997-07-11 01:00:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"=1 (0x1)
"NoToolbarCustomize"=0 (0x0)
"NoBandCustomize"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Accessories\rteqehdabewu.html
FriendlyName=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B4870B70-F390-11d2-9FB9-F4ED725EA20D}"= C:\winnt\system32\NalExpEx.dll [00-02-16 22:33 131072]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwv1_0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

R0 NICM;Novell InterService Communication Driver;C:\winnt\system32\drivers\nicm.sys
R0 NWFILTER;Novell UNC Path Filter;C:\winnt\system32\NetWare\nwfilter.sys
R1 cdudf;cdudf;C:\winnt\system32\drivers\cdudf.sys
R1 pwd_2k;pwd_2k;C:\winnt\system32\drivers\pwd_2k.sys
R1 UdfReadr;UdfReadr;C:\winnt\system32\drivers\UdfReadr.sys
R2 NetwareWorkstation;Novell Client for Windows;C:\winnt\system32\NetWare\nwfs.sys
R2 NWDHCP;Novell DHCP Inform Client;C:\winnt\system32\NetWare\nwdhcp.sys
R2 RESMGR;Novell NetWare Resource Manager;C:\winnt\system32\NetWare\resmgr.sys
R2 smefs;SMEFileSystem;C:\winnt\system32\drivers\smefs.sys
R2 SRVLOC;Novell Service Location;C:\winnt\system32\NetWare\srvloc.sys
R3 mmc_2K;mmc_2K;C:\winnt\system32\drivers\mmc_2K.sys
R3 NWDNS;Novell DNS Name Space Service Provider;C:\winnt\system32\NetWare\nwdns.sys
R3 NWHOST;Novell Host File Name Space Service Provider;C:\winnt\system32\NetWare\NWHOST.sys
R3 NWSLP;Novell SLP Name Space Service Provider;C:\winnt\system32\NetWare\nwslp.sys
R3 smedrv;SMEDriver;C:\winnt\system32\drivers\smedrv.sys
R3 usbhub20;USB 2.0 Root Hub Support;C:\winnt\system32\DRIVERS\usbhub20.sys
S2 NWSIPX32;Novell NetWare IPX/SPX Transport Interface;C:\winnt\system32\NetWare\nwsipx32.sys
S3 cusrvc;Client Update Service for Novell;C:\winnt\system32\cusrvc.exe
S3 dvd_2K;dvd_2K;C:\winnt\system32\drivers\dvd_2K.sys
S3 NWSAP;Novell SAP Name Space Provider;C:\winnt\system32\NetWare\NWSAP.sys
S3 NWSNS;Novell Simple Naming Services;C:\winnt\system32\NetWare\NWSNS.sys

*Newly Created Service* - IPNAT
*Newly Created Service* - SHAREDACCESS

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-24 09:34:41
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

\ComboFix\sed.cfexe [1612] 0x81697600


scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-24 9:35:13
C:\ComboFix-quarantined-files.txt ... 07-08-24 09:35

--- E O F ---


Hijack This:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:41:19 AM, on 8/24/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\winnt\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\winnt\system32\services.exe
C:\winnt\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\winnt\system32\svchost.exe
C:\winnt\System32\svchost.exe
C:\winnt\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\winnt\system32\regsvc.exe
C:\winnt\System32\snmp.exe
C:\winnt\System32\WBEM\WinMgmt.exe
C:\winnt\system32\MsPMSPSv.exe
C:\winnt\Explorer.EXE
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\winnt\system32\dpmw32.exe
C:\winnt\system32\NWTRAY.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\winnt\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Trend Micro\HijackThis\REVEAL.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cphpdoc1.homedepot.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http:\\cphpdoc1.homedepot.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NDPS] C:\winnt\system32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_02\bin\npjpi142_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_02\bin\npjpi142_02.dll
O14 - IERESET.INF: START_PAGE_URL=http:\\cphpdoc1.homedepot.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1185368252218
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = homedepot.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = homedepot.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = amer.homedepot.com,homedepot.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = homedepot.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = amer.homedepot.com,homedepot.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = amer.homedepot.com,homedepot.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\winnt\system32\cusrvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\winnt\System32\dmadmin.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Accessories\rteqehdabewu.html

--
End of file - 6200 bytes

I still can't post from the infected computer... Thanks!!!
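
The helpers in this thread ask for a fresh HijackThis log after every step and compare it with the previous one by eye. The script below is an added example, written for this page; it is not from the thread, and it is not part of HijackThis, ComboFix or any other tool named here. It parses two HijackThis logs into (section, detail) entries, lists what appeared and disappeared between them, and flags two entry types that are worth a second look in an Active Desktop hijack like this one: extra programs on the UserInit line (F2) and an O24 desktop component backed by a local HTML file, which is what the "Reset Desktop Components" step later in the thread addresses. The embedded logs are short excerpts of the 8/20 and 8/24 logs posted above; the flagging rules are this example's own heuristics, and a flag means "verify this entry", not "this is malicious".

```python
"""Diff two HijackThis logs and flag entries worth verifying.

Added example for this thread (not HijackThis or ComboFix code). The sample
logs are excerpts of the 8/20 (before ComboFix) and 8/24 (after ComboFix)
logs posted in the thread; the flagging heuristics are assumptions of this
example and mark entries for review, not as malicious.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Excerpt of the 8/20/2007 log (before ComboFix). Raw string keeps backslashes.
LOG_BEFORE = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cphpdoc1.homedepot.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http:\\cphpdoc1.homedepot.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by The Home Depot
F2 - REG:system.ini: UserInit=c:\winnt\system32\userinit.exe,c:\_integra\bin\shstart.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Accessories\rteqehdabewu.html
"""

# Excerpt of the 8/24/2007 log (after ComboFix /KillAll).
LOG_AFTER = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cphpdoc1.homedepot.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http:\\cphpdoc1.homedepot.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Accessories\rteqehdabewu.html
"""

# A HijackThis entry line looks like "O4 - HKLM\..\Run: [name] command".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# O24 detail ends with the component's source; we care about local HTML files.
O24_LOCAL_HTML_RE = re.compile(r" - ([A-Za-z]:\\.*\.html?)$", re.IGNORECASE)

Entry = Tuple[str, str]


def parse_hjt(text: str) -> Set[Entry]:
    """Return the set of (section, detail) entries; header and process list are ignored."""
    entries: Set[Entry] = set()
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.add((m.group(1), m.group(2)))
    return entries


def diff_logs(before: str, after: str) -> Dict[str, List[Entry]]:
    """Entries present only in the newer log ('added') or only in the older one ('removed')."""
    b, a = parse_hjt(before), parse_hjt(after)
    return {"added": sorted(a - b), "removed": sorted(b - a)}


def flag_entry(section: str, detail: str) -> Optional[str]:
    """Heuristic triage of one entry: a reason to verify it, or None."""
    if section == "F2" and "UserInit=" in detail:
        # Windows runs every comma-separated program on this line at logon;
        # only userinit.exe itself is expected there.
        programs = [p.strip() for p in detail.split("UserInit=", 1)[1].split(",") if p.strip()]
        extra = [p for p in programs if p.lower().rsplit("\\", 1)[-1] != "userinit.exe"]
        if extra:
            return "UserInit runs extra program(s) at logon: " + ", ".join(extra)
    if section == "O24":
        m = O24_LOCAL_HTML_RE.search(detail)
        if m:
            return "Active Desktop component backed by local HTML file: " + m.group(1)
    return None


def triage(text: str) -> List[Tuple[str, str, str]]:
    """All flagged entries of one log as (section, detail, reason)."""
    out = []
    for section, detail in sorted(parse_hjt(text)):
        reason = flag_entry(section, detail)
        if reason:
            out.append((section, detail, reason))
    return out


if __name__ == "__main__":
    d = diff_logs(LOG_BEFORE, LOG_AFTER)
    for kind in ("removed", "added"):
        print(f"== {kind} between logs ==")
        for section, detail in d[kind]:
            print(f"  {section} - {detail}")
    print("== entries to verify in the newer log ==")
    for section, detail, reason in triage(LOG_AFTER):
        print(f"  {section}: {reason}")
```

Run against the two excerpts, the diff shows the F2 UserInit entry and the R1 window-title entry gone and an HKLM "Start Page = about:blank" entry added, while the O24 desktop component survives ComboFix and is still flagged in the newer log, which matches the thread's next step of resetting desktop components. On a full log the same parser works unchanged, since it simply ignores the header and process list.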

#10 Demon Cleaner

Demon Cleaner

  • Members
  • 1,383 posts
  • OFFLINE
  • Gender:Male
  • Location:Chester uk
  • Local time:05:57 AM

Posted 28 August 2007 - 05:55 PM

Hello again lmvierra

1. Download and install Mozilla Firefox web browser. As well as being faster and more secure, this should enable you to post back here off of your computer.

2. Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Next go to Preferences, then the Repairs tab. Click to select Reset Desktop Components, then hold down the Ctrl key and click to also select Reset Desktop Policies and then click Perform Repair.
3. Next download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
4. So in your next reply using Firefox:
  • Post the SuperAntispyware results
  • Confirm resetting of desktop components
  • Post the two DSS logs


#11 lmvierra

lmvierra
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:08:57 PM

Posted 29 August 2007 - 11:15 AM

Hi again!

I downloaded Mozilla & am able to post from the computer....

2. When I tried to install the SUPERAntiSpyware, I got an error message: "The Windows Installer Service could not be accessed. This can occur if you are running windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance"

3. Deckard's System Scanner results:

Deckard's System Scanner v20070826.66
Run by sat3 on 2007-08-29 08:55:22
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as sat3.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:56:18 AM, on 8/29/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\winnt\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\winnt\system32\services.exe
C:\winnt\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\winnt\system32\svchost.exe
C:\winnt\System32\svchost.exe
C:\winnt\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\winnt\system32\regsvc.exe
C:\winnt\System32\snmp.exe
C:\winnt\System32\WBEM\WinMgmt.exe
C:\winnt\system32\MsPMSPSv.exe
C:\winnt\Explorer.EXE
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\winnt\system32\dpmw32.exe
C:\winnt\system32\NWTRAY.EXE
C:\winnt\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Documents and Settings\sat3\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\sat3.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cphpdoc1.homedepot.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http:\\cphpdoc1.homedepot.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NDPS] C:\winnt\system32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_02\bin\npjpi142_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_02\bin\npjpi142_02.dll
O14 - IERESET.INF: START_PAGE_URL=http:\\cphpdoc1.homedepot.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1185368252218
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = homedepot.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = homedepot.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = amer.homedepot.com,homedepot.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = homedepot.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = amer.homedepot.com,homedepot.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = amer.homedepot.com,homedepot.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\winnt\system32\cusrvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\winnt\System32\dmadmin.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Accessories\rteqehdabewu.html

--
End of file - 6122 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20070820-081055-626 O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\sat3\LOCALS~1\Temp\{B6ABFCBD-FBA7-46D5-9610-2BE38D83AA00}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
backup-20070820-081055-835 O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/files/...FreeInstall.cab
backup-20070820-081055-846 O2 - BHO: (no name) - {C7361258-27F3-4903-A2C4-4FAF9FEB6021} - (no file)
backup-20070820-081055-910 O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_...aploader_v6.cab
backup-20070820-081055-929 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
backup-20070820-081055-931 O20 - Winlogon Notify: awtssqq - awtssqq.dll (file missing)

-- File Associations -----------------------------------------------------------

.bat - batfile - shell\edit\command - NOTEDAD.EXE %1
.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.ini - inifile - shell\open\command - notepad.exe %1
.js - JSFile - DefaultIcon - C:\winnt\system32\WScript.exe,3
.js - JSFile - shell\open\command - C:\winnt\system32\WScript.exe "%1" %*
.reg - regfile - shell\edit\command - NOTEDAD.EXE %1
.txt - txtfile - shell\open\command - notepad.exe %1
.vbs - VBSFile - DefaultIcon - C:\winnt\system32\WScript.exe,2
.vbs - VBSFile - shell\open\command - C:\winnt\system32\WScript.exe "%1" %*
.vbs - VBSFile - shell\edit\command - C:\winnt\system32\Notepad.exe %1


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 NICM (Novell InterService Communication Driver) - c:\winnt\system32\drivers\nicm.sys <Not Verified; Novell, Inc.; Novell XTier for Windows>
R0 NWFILTER (Novell UNC Path Filter) - c:\winnt\system32\netware\nwfilter.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R0 Teefer (Teefer for NT) - c:\winnt\system32\drivers\teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
R1 wpsdrvnt - c:\winnt\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
R2 NetwareWorkstation (Novell Client for Windows) - c:\winnt\system32\netware\nwfs.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R2 NWDHCP (Novell DHCP Inform Client) - c:\winnt\system32\netware\nwdhcp.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R2 RESMGR (Novell NetWare Resource Manager) - c:\winnt\system32\netware\resmgr.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R2 smefs (SMEFileSystem) - c:\winnt\system32\drivers\smefs.sys <Not Verified; On Technology; On Command CCM>
R2 SRVLOC (Novell Service Location) - c:\winnt\system32\netware\srvloc.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R3 NWDNS (Novell DNS Name Space Service Provider) - c:\winnt\system32\netware\nwdns.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R3 NWHOST (Novell Host File Name Space Service Provider) - c:\winnt\system32\netware\nwhost.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R3 NWSLP (Novell SLP Name Space Service Provider) - c:\winnt\system32\netware\nwslp.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R3 NWSNS (Novell Simple Naming Services) - c:\winnt\system32\netware\nwsns.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R3 smedrv (SMEDriver) - c:\winnt\system32\drivers\smedrv.sys <Not Verified; On Technology; On Command CCM>

S2 NWSIPX32 (Novell NetWare IPX/SPX Transport Interface) - c:\winnt\system32\netware\nwsipx32.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
S3 Ad-Watch Connect Filter (Ad-Watch Connect Kernel Filter) - c:\winnt\system32\drivers\nsdriver.sys <Not Verified; Lavasoft AB; Ad-Watch Connections>
S3 Ad-Watch Real-Time Scanner (AW Real-Time Scanner) - c:\winnt\system32\drivers\awrtpd.sys <Not Verified; Lavasoft AB; Ad-Watch Beta>
S3 Ad-Watch Registry Filter (Ad-Watch Registry Kernel Filter) - c:\winnt\system32\drivers\awrtrd.sys <Not Verified; Lavasoft AB; Ad-Watch Registry Protection>
S3 catchme - c:\documents and settings\sat3\local settings\temp\catchme.sys (file missing)
S3 CO_Mon - c:\winnt\system32\drivers\co_mon.sys
S3 NWSAP (Novell SAP Name Space Provider) - c:\winnt\system32\netware\nwsap.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 aawservice (Ad-Aware 2007 Service) - "c:\program files\lavasoft\ad-aware 2007\aawservice.exe" <Not Verified; Lavasoft AB; Ad-Aware 2007 Service>

S3 cusrvc (Client Update Service for Novell) - c:\winnt\system32\cusrvc.exe <Not Verified; Novell, Inc.; Novell Client for Windows>
S4 WControl (Symantec LiveState Agent for Windows) - c:\_integra\bin\ccmagent.exe <Not Verified; On Technology Corporation; iCommand Windows Agent>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2007-07-29 and 2007-08-29 -----------------------------

2007-08-29 08:53:57 0 d-------- C:\Documents and Settings\sat3\Application Data\Mozilla
2007-08-28 09:43:52 16384 --a-----t C:\winnt\system32\Perflib_Perfdata_250.dat
2007-08-24 09:39:22 16384 --a-----t C:\winnt\system32\Perflib_Perfdata_340.dat
2007-08-24 09:37:36 464296 ---h----- C:\winnt\ShellIconCache
2007-08-20 08:45:10 0 d-------- C:\Documents and Settings\sat3\DoctorWeb
2007-08-13 09:01:02 0 d-------- C:\VundoFix Backups


-- Find3M Report ---------------------------------------------------------------

2007-08-24 09:38:47 20971520 --ahs---- C:\winnt\system32\temppf.sys
2007-07-25 15:12:52 0 d-------- C:\Program Files\Common Files\InstallShield
2007-07-25 08:28:10 0 d-a------ C:\Program Files\Common Files
2007-07-24 16:52:58 0 d-------- C:\Program Files\Trend Micro
2007-07-24 16:44:54 0 d-------- C:\Program Files\Sygate
2007-07-24 13:35:39 0 d-------- C:\Documents and Settings\sat3\Application Data\Grisoft
2007-07-23 11:14:45 0 d-------- C:\Program Files\Symantec
2007-07-23 07:58:53 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-07-19 12:37:32 0 d-------- C:\Program Files\Accessories
2007-07-19 10:11:24 0 d-------- C:\Program Files\Lavasoft
2007-07-19 10:10:40 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-19 09:43:02 0 d-------- C:\Program Files\Yahoo!
2007-07-18 14:14:54 0 d-------- C:\Program Files\CCleaner
2007-07-18 14:08:49 0 d-a------ C:\Documents and Settings\sat3\Application Data\Macromedia
2007-07-18 09:18:47 0 d-a------ C:\Documents and Settings\sat3\Application Data\Help


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [06/20/03 03:00a C:\WINNT\system32\mobsync.exe]
"IgfxTray"="C:\WINNT\system32\igfxtray.exe" [08/10/04 04:55a]
"HotKeysCmds"="C:\WINNT\system32\hkcmd.exe" [08/10/04 04:53a]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [01/09/04 05:01p]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [02/12/04 01:49p]
"NDPS"="C:\winnt\system32\dpmw32.exe" [05/17/04 02:27p]
"NWTRAY"="NWTRAY.EXE" [03/12/02 10:37a C:\WINNT\system32\nwtray.exe]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/07 05:25a]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [10/15/04 07:40p]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [02/20/01 01:09p C:\WINNT\system32\CTFMON.EXE]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [03/30/06 05:45p]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 11:05:26 PM]
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [7/11/1997 1:00:00 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [7/11/1997 1:00:00 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"=1 (0x1)
"NoToolbarCustomize"=0 (0x0)
"NoBandCustomize"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Accessories\rteqehdabewu.html
FriendlyName=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B4870B70-F390-11d2-9FB9-F4ED725EA20D}"= C:\winnt\system32\NalExpEx.dll [02/16/00 10:33p 131072]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwv1_0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"




-- End of Deckard's System Scanner: finished at 2007-08-29 08:56:43 ------------



Deckard's System Scanner v20070826.66
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows 2000 Professional (build 2195) SP 4.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® CPU 2.66GHz
Percentage of Memory in Use: 62%
Physical Memory (total/avail): 503.48 MiB / 190.84 MiB
Pagefile Memory (total/avail): 492.32 MiB / 220.38 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1978.87 MiB

C: is Fixed (NTFS) - 37.27 GiB total, 33.53 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST340014A - 37.27 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 37.27 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
AUState says computer has updates disabled.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\sat3\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=CPPCDSKBLD
ComSpec=C:\winnt\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\
LOGONSERVER=\\CPPCDSKBLD
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Os2LibPath=C:\winnt\system32\os2\dll;
Path=C:\winnt\system32;C:\winnt;C:\winnt\system32\wbem;C:\sqlnk32;C:\Program Files\Common Files\Roxio Shared\DLLShared;C:\winnt\system32\nls;C:\winnt\system32\nls\ENGLISH
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0401
ProgramFiles=C:\Program Files
PROMPT=$P$G
SystemDrive=C:
SystemRoot=C:\winnt
TEMP=C:\Documents and Settings\sat3\Local Settings\Temp
TMP=C:\Documents and Settings\sat3\Local Settings\Temp
USERDOMAIN=CPPCDSKBLD
USERNAME=sat3
USERPROFILE=C:\Documents and Settings\sat3
windir=C:\winnt


-- User Profiles ---------------------------------------------------------------

smeclnt (update central, admin)
sat3 (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------



-- Application Event Log -------------------------------------------------------

Event Record #/Type5967 / Warning
Event Submitted/Written: 08/29/2007 08:50:56 AM
Event ID/Source: 1015 / MsiInstaller
Event Description:
Failed to connect to server. Error: 0x80080005

Event Record #/Type5966 / Warning
Event Submitted/Written: 08/29/2007 08:49:51 AM
Event ID/Source: 1015 / MsiInstaller
Event Description:
Failed to connect to server. Error: 0x80080005

Event Record #/Type5965 / Warning
Event Submitted/Written: 08/29/2007 07:51:15 AM
Event ID/Source: 1202 / SceCli
Event Description:
Security policies are propagated with warning.
0x5 : Access is denied.

For best results in resolving this event, log on with a non-administrative account and search http://support.microsoft.com for "Troubleshooting Event 1202s".

Event Record #/Type5963 / Warning
Event Submitted/Written: 08/29/2007 07:20:54 AM
Event ID/Source: 6 / Norton AntiVirus
Event Description:
Scan could not access Drive D:\ since the device is not ready.

Event Record #/Type5962 / Warning
Event Submitted/Written: 08/29/2007 07:20:20 AM
Event ID/Source: 6 / Norton AntiVirus
Event Description:
Scan could not access path C:\WINNT\system32\temppf.sys



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type957 / Error
Event Submitted/Written: 08/29/2007 08:50:56 AM
Event ID/Source: 10010 / DCOM
Event Description:
The server {000C101C-0000-0000-C000-000000000046} did not register with DCOM within the required timeout.

Event Record #/Type956 / Error
Event Submitted/Written: 08/29/2007 08:50:26 AM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Windows Installer service terminated with the following error:
%%5

Event Record #/Type955 / Error
Event Submitted/Written: 08/29/2007 08:49:51 AM
Event ID/Source: 10010 / DCOM
Event Description:
The server {000C101C-0000-0000-C000-000000000046} did not register with DCOM within the required timeout.

Event Record #/Type954 / Error
Event Submitted/Written: 08/29/2007 08:49:21 AM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Windows Installer service terminated with the following error:
%%5

Event Record #/Type953 / Warning
Event Submitted/Written: 08/24/2007 09:58:19 AM
Event ID/Source: 11150 / DnsApi
Event Description:
The system failed to register network adapter with settings:


Adapter Name : {B1B73940-3680-41C6-AF31-09F5A64FC5F4}

Host Name : CPPCDSKBLD

Adapter-specific Domain Suffix : homedepot.com

DNS Server list :

192.168.0.1, 192.168.0.1

Sent update to server : None

IP Address(es) :

192.168.1.144


The cause of this DNS registration failure was because the DNS update
request timed out after being sent to the specified DNS Server. This is
probably because the authoritative DNS server for the name being updated
is not running.

You can manually retry registration of the network
adapter and its settings by typing "ipconfig /registerdns" at the command
prompt. If problems still persist, contact your network systems
administrator to verify network conditions.



-- End of Deckard's System Scanner: finished at 2007-08-29 08:56:43 ------------



Thanks!
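The DSS and HijackThis output above can be triaged mechanically before a helper reads it by hand. The following Python script is an added example, not a tool from this thread or from the DSS or HijackThis projects: it reads HijackThis O-section lines and DSS "File Associations" lines and flags the entries a helper would normally review first (orphaned entries, O20 Winlogon Notify DLLs, O24 Active Desktop components, O16 downloads from unexpected hosts, and file-association handlers that are not the expected executable). The allow-list of download hosts and the expected-handler table are constructed assumptions, and the sample input is built from lines quoted in this thread.

```python
"""Triage helper for HijackThis and DSS log excerpts (added example)."""
import re
from urllib.parse import urlparse

# Hosts an O16 (Downloaded Program Files / ActiveX) entry is expected to
# come from on this machine. Constructed allow-list; tune per environment.
TRUSTED_DPF_HOSTS = {
    "go.microsoft.com", "update.microsoft.com",
    "security.symantec.com", "downloads.ewido.net",
}

# Expected handler executable for the (extension, verb) pairs DSS prints.
# Constructed for the example: a .bat/.reg "edit" verb should open Notepad,
# so anything else (e.g. NOTEDAD.EXE) deserves a second look.
EXPECTED_HANDLERS = {
    (".bat", r"shell\edit\command"): "notepad.exe",
    (".reg", r"shell\edit\command"): "notepad.exe",
    (".ini", r"shell\open\command"): "notepad.exe",
    (".txt", r"shell\open\command"): "notepad.exe",
    (".js", r"shell\open\command"): "wscript.exe",
    (".vbs", r"shell\open\command"): "wscript.exe",
}

ORPHAN_MARKERS = ("(no file)", "(file missing)")
HJT_LINE = re.compile(r"^(O\d+|R\d) - (.*)$")


def triage_hjt_line(line):
    """Return a review reason for a HijackThis line, or None if it looks routine."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    if section == "O20":
        # Winlogon Notify / AppInit entries load a DLL before the user shell.
        return "O20 entry loads a DLL before the user shell; verify the publisher"
    if section == "O24":
        # Active Desktop components are rendered from a local HTML file.
        return "Active Desktop component from a local HTML file; confirm it was set on purpose"
    if any(marker in body for marker in ORPHAN_MARKERS):
        return "orphaned entry: the registry points at a file that no longer exists"
    if section == "O16":
        target = body.rsplit(" - ", 1)[-1]
        if target.lower().startswith("http"):
            host = urlparse(target).hostname or ""
            if host not in TRUSTED_DPF_HOSTS:
                return "ActiveX download from a host outside the allow-list: " + host
    return None


def triage_association_line(line):
    """Return a reason if a DSS 'File Associations' line names an unexpected handler."""
    parts = [p.strip() for p in line.strip().split(" - ", 3)]
    if len(parts) != 4:
        return None
    ext, _progid, verb, command = parts
    expected = EXPECTED_HANDLERS.get((ext.lower(), verb.lower()))
    if expected is None:
        return None
    # The handler is the first token of the command, possibly quoted; keep the basename.
    m = re.match(r'"([^"]+)"|(\S+)', command)
    if not m:
        return None
    exe = (m.group(1) or m.group(2)).rsplit("\\", 1)[-1].lower()
    if exe != expected:
        return "%s %s handler is %s, expected %s" % (ext, verb, exe, expected)
    return None


def triage_log(text):
    """Run both checks over a log excerpt; returns [(line, reason), ...]."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reason = triage_hjt_line(line) or triage_association_line(line)
        if reason:
            findings.append((line, reason))
    return findings


# Constructed sample assembled from lines quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {C7361258-27F3-4903-A2C4-4FAF9FEB6021} - (no file)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/files/...FreeInstall.cab
O20 - Winlogon Notify: awtssqq - awtssqq.dll (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Accessories\rteqehdabewu.html
.bat - batfile - shell\edit\command - NOTEDAD.EXE %1
.js - JSFile - shell\open\command - C:\winnt\system32\WScript.exe "%1" %*
.reg - regfile - shell\edit\command - NOTEDAD.EXE %1
.txt - txtfile - shell\open\command - notepad.exe %1
"""

if __name__ == "__main__":
    for flagged_line, why in triage_log(SAMPLE_LOG):
        print(why)
        print("    " + flagged_line)
```

Routine entries (vendor ActiveX controls, a running Symantec service, a .js association pointing at WScript.exe) pass silently, so the output is only the six lines worth a closer look.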

#12 Demon Cleaner

Demon Cleaner

  • Members
  • 1,383 posts
  • Gender:Male
  • Location:Chester uk

Posted 30 August 2007 - 08:18 AM

Hello again lmvierra

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

1. Run DSS again, using these instructions:

Click START> Run - then copy the following bold blue text and paste it into the Run box & click OK

"%userprofile%\desktop\dss.exe" /daft

Read the disclaimer and click OK.

Click on Scan.

Place a checkmark next to the entries displayed when the scan is finished, then click on Fix.

Repeat the scan; you should get a message "All Associations OK!"

Next, click Save Log, and post this log in your next reply.

2. Next we will try to resolve your Windows Installer issues.

Reboot into Safe Mode by continuously tapping the F8 key as soon as the computer begins to boot. A menu should come up where you will be given the option to enter Safe Mode.

Next click START> Run - then copy the following line in bold below, paste it in the Run box and then click OK:

msiexec /regserver

Reboot.

3. If the repair to MS Installer worked you should be able to install, so try running SuperAntiSpyware according to my previous instructions in Post #10.

4. So to recap, in your next reply please post:
  • The DSS log
  • The results of the SuperAntispyware installation and scan
  • A fresh Hijackthis log
Demon Cleaner

#13 lmvierra

lmvierra
  • Topic Starter

  • Members
  • 20 posts

Posted 30 August 2007 - 10:44 AM

Hi~

I tried running the DSS, and was given the error message: "Cannot find the file 'C:\Documents and Settings\sat3\desktop\dess.exe' (or one of its components). Make sure the path and filename are correct and that all required libraries are available." I tried both copying and pasting, and typing it in.

I then tried the windows installer fix, but still could not run the Super ANTISpyware....

:thumbsup:

Not sure you need this since I wasn't able to do steps 1-3, but here's a fresh hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:37:08 AM, on 8/30/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\winnt\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\winnt\system32\services.exe
C:\winnt\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\winnt\system32\svchost.exe
C:\winnt\System32\svchost.exe
C:\winnt\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\winnt\system32\regsvc.exe
C:\winnt\System32\snmp.exe
C:\winnt\System32\WBEM\WinMgmt.exe
C:\winnt\system32\MsPMSPSv.exe
C:\winnt\Explorer.EXE
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\winnt\system32\dpmw32.exe
C:\winnt\system32\NWTRAY.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\winnt\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\REVEAL.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cphpdoc1.homedepot.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http:\\cphpdoc1.homedepot.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NDPS] C:\winnt\system32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_02\bin\npjpi142_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_02\bin\npjpi142_02.dll
O14 - IERESET.INF: START_PAGE_URL=http:\\cphpdoc1.homedepot.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1185368252218
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = homedepot.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = homedepot.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = amer.homedepot.com,homedepot.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = homedepot.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = amer.homedepot.com,homedepot.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = amer.homedepot.com,homedepot.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\winnt\system32\cusrvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\winnt\System32\dmadmin.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Accessories\rteqehdabewu.html

--
End of file - 6189 bytes

#14 Demon Cleaner

Demon Cleaner

  • Members
  • 1,383 posts
  • Gender:Male
  • Location:Chester uk

Posted 30 August 2007 - 12:16 PM

Hello again lmvierra

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

There is evidence that in the past you have been infected with a password stealing trojan, which is doing its best not to be removed.
Though the malicious file/s have been identified and can be killed, because of their backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the Operating System.

Visit the following sites for more information on internet theft and when to reformat!

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy.

If you have any questions before you come to a final decision, please feel free to ask.

Regardless of your decision, you can help us out by giving us an idea of why DSS didn't work.

"Cannot find the file 'C:\Documents and Settings\sat3\desktop\dess.exe' (or one of its components).

It is important that any commands entered into the Run box be spelled exactly as posted, which is why we advise copying and pasting to prevent such errors. Can you confirm that you did a C&P as instructed? If so, it may be that you misspelled dss.exe when you typed out the error message in your post.

Another possibility is that you have moved dss.exe from your desktop. It must be on your desktop for that command to work. So if you did move DSS, please move it back to your desktop, try the C&P again and let me know if it works for you.

Let me know your decision, until then don't do anything other than instructed above!

Demon Cleaner

#15 lmvierra

lmvierra
  • Topic Starter

  • Members
  • 20 posts

Posted 30 August 2007 - 05:39 PM

Hi again~

As this is a work computer, reinstalling the operating system is not an option. With the exception of ONE time, I've only used it to visit our work website and access my work email. I have already changed those passwords. (Don't know if this will help, but the site I went to that I think started all the problems was 123myspacecodes.com) Any help you can give me to get the system as normal as possible is greatly appreciated!!!


I had moved DSS from the desktop, so I put it back & ran as instructed. DSS log:

DAFT Log saved on 2007-08-30 15:07:43
-----------------------------------------------------------------------
All associations okay!


I still could not install the SUPERAntispyware even after running msiexec /regserver in safe mode.

New Hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:28:44 PM, on 8/30/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\winnt\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\winnt\system32\services.exe
C:\winnt\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\winnt\system32\svchost.exe
C:\winnt\System32\svchost.exe
C:\winnt\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\winnt\system32\regsvc.exe
C:\winnt\System32\snmp.exe
C:\winnt\System32\WBEM\WinMgmt.exe
C:\winnt\system32\MsPMSPSv.exe
C:\winnt\Explorer.EXE
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\winnt\system32\dpmw32.exe
C:\winnt\system32\NWTRAY.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\winnt\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\winnt\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\REVEAL.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cphpdoc1.homedepot.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http:\\cphpdoc1.homedepot.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NDPS] C:\winnt\system32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_02\bin\npjpi142_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_02\bin\npjpi142_02.dll
O14 - IERESET.INF: START_PAGE_URL=http:\\cphpdoc1.homedepot.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1185368252218
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = homedepot.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = homedepot.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = amer.homedepot.com,homedepot.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = homedepot.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = amer.homedepot.com,homedepot.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = amer.homedepot.com,homedepot.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\winnt\system32\cusrvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\winnt\System32\dmadmin.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Accessories\rteqehdabewu.html

--
End of file - 6220 bytes


I will disconnect the computer until you think it's okay to use....

THANK YOU!!!!

Edited by lmvierra, 30 August 2007 - 05:41 PM.




