Internet Explorer-7 Has Some Hijack Symptoms


  • This topic is locked
23 replies to this topic

#1 black069

Posted 03 February 2009 - 07:22 PM

Hi everyone who reads this. Hope everyone is well. This is my first (non-welcome to B.C.) post, and I am following instructions given.

My computer specs are below (I purchased this laptop in Dec. 2007):
Dell Precision M6300
Intel Core 2 Duo CPU
T7500 @ 2.20GHz
2.19GHz, 2.20GB of RAM
Windows XP Pro SP3
SigmaTel High Definition Audio CODEC
NVIDIA Quadro FX 1600M
Intel PRO/Wireless 3945ABG Network Connection
Microsoft Office 2003 Suite

I use the following antimalware/security/updating programs regularly:
AVG Anti-Virus Free (version 8)
SuperAntiSpyware (Free Edition)
Malwarebytes' Anti-Malware (Free Edition)
Lavasoft Ad-Aware Free (Anniversary Edition/version 8.0.2)
CCleaner
Windows XP Firewall
Microsoft/Windows Update (Automatic Updates)
FileHippo's Update Checker
Microsoft Disk Defragmenter

The issues that I am having include the following:
(1) My homepage always reverts to www.my.yahoo.com regardless of what I set it to using Tools/Internet Options/General/Homepage. It always reverts after I reboot, sometimes before. When it reverts, if I go to Internet Options to check the homepage, it lists www.my.yahoo.com. I have recently started using the Hijack Protection tab in SuperAntiSpyware, where I have set what I want my homepage to be. This prevents the change, but I get the popup window from SAS letting me know that my homepage is trying to change from A to B, and asking if I want to allow/deny. Not only annoying, but to me, suggestive of a problem since it did not do this until the last several weeks.

(2) In IE-7, if I follow this path: Tools/Internet Options/Programs/Default Web Browser, it states that "Internet Explorer is not currently the default web browser." There is a button that reads, "Make default" and a checkbox that reads, "Tell me if Internet Explorer is not the default web browser." If I click the button to make it the default web browser, then the next time I restart IE and navigate back to this site, it shows the same as before. If I check the box to let me know if IE is not default, I get a message every time I start IE asking me if I want to make it default. By the way, I have no other browsers (I downloaded Firefox and Google Chrome several months ago to try them out, but my wife's networking to her company plus several other software programs require IE. Plus I completely deleted all traces, following their uninstall instructions.)

(3) In Program Access and Defaults (Control Panel/Add or Remove Programs/Program Access and Defaults), the Configuration always reverts to "Custom" the very next time I navigate there. I tried to go there to see if I could set IE as the default web browser, but if I select Custom and choose Internet Explorer as my default web browser, or if I select Microsoft Windows, it reverts back to Custom with "Use my current Web browser" checked, with a check beside "Enable access to this program" (referring to Internet Explorer).

(4) In Office Word 2003 (not sure about Excel or Powerpoint), HYPERLINKS only work if the browser is already open. But if Word is the only program open, for example, when I click on a hyperlink, nothing happens.

(5) For several weeks the desktop icon for Internet Explorer was entitled "iexplore". I noticed that when I right clicked, it did not "behave" how it was supposed to. Instead of showing Open Home Page, Start Without Add-ons, etc. as the options, it behaved as if a shortcut icon when I right clicked it, even though it did not possess the small white box with the black arrow that other shortcut icons have. A friend was able to restore the "Internet Explorer" desktop icon (with the correct right-click features) and eventually (with much effort) delete the "iexplore" desktop icon. He said the iexplore icon had the properties of malware and may have been placed there by a bug. (He lives 1,000 miles away and I only saw him for a couple hours when I flew to my hometown last week.)

(6) SuperAntiSpyware, which seems to be a popular antispyware program, gives me fits when I try to update the virus definitions files. I get an error msg saying that it was unable to update and to make sure my firewall settings are configured correctly. I have gone to their FAQs and forums to follow instructions, but I cannot seem to automatically update the files. There is a manual update feature, but even when I use it (following their instructions), I am able to download the files, but it still runs with the updates from 1-2 days prior according to the log, although when I did a system reboot yesterday, it did use the most recent definitions files.

(7) I have had HiJackThis 2.0.2 on my laptop for a couple of months. I have run it maybe 5 times (after reading all the instructions), but I have made ZERO changes using the program, nor have I made any changes to the registry using regedit (b/c I don't know enough to do either safely). I ran HJT yesterday, and after running, I was reading the info section where it says that if there is something beside "O1", it may reflect that the hosts file has hijacked the original browser settings (or something along those lines; I don't want to run again without supervision). In the log, though, I got the following (which seem bad):
O1 - Hosts: HPFA0EFD HP001A4BFA0EFD
MSIE: Unable to get Internet Explorer version!

(8) I have received a multitude of error messages over the last several weeks, most of which I have saved onto Word Documents using the Print Screen feature. I won't make a long story even longer by including them (that would be a novel), but, as one example, the most recent was today. InstallShield Update Manager said it was time to check for updates, and as soon as I clicked "Check for Updates Now", I got a "Microsoft Visual C++ Runtime Library" popup window that read:
Runtime Error!
Program: ...Files\Common Files\InstallShield\UpdateService\agent.exe
This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

I have probably included WAY too much info, but it said to be thorough to prevent you from having to ask me to give further explanation. For this, I apologize.

I would truly appreciate anyone's help as I am not only being driven crazy by all this, but I fear a security breach or some critical registry error.

Please note that, as per the instructions, I have attached the Attach.txt file created by DDS to this post. And the DDS.txt log is below:

DDS (Ver_09-02-01.01) - NTFSx86
Run by gb at 14:36:44.26 on Tue 02/03/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1359 [GMT -8:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Documents and Settings\gb\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.espn.go.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [SecureUpgrade] c:\program files\wave systems corp\SecureUpgrade.exe
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Document Manager] c:\program files\wave systems corp\services manager\docmgr\bin\docmgr.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
dRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\windows\system32\biolsp.dll
Trusted Zone: rasmg.net\rasesystems
Trusted Zone: statdx.com\my
Trusted Zone: sutterhealth.org\auth0
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxps://rasesystems.rasmg.net/dana/download/icaweb.cab?url=/dana/term/winlaunchterm.cgi?op=DownloadCitrixCab
DPF: {46CF8BCA-84A1-4437-847A-DC29496E01A5} - hxxps://isite.rasmg.net/nat2/iSite3_3.cab
DPF: {49232000-16E4-426C-A231-62846947304B} - hxxp://ipgweb.cce.hp.com/rdqaio2/downloads/sysinfo.cab
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1208144666709
DPF: {5D2CF9D0-113A-476B-986F-288B54571614} - hxxp://www.devalvr.com/instalacion/plugin/devalvrplugin.php
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {6F750203-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://rasesystems.rasmg.net/dana-cached/setup/JuniperSetupSP1.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
AppInit_DLLs: wxvault.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 wvauth

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-1-20 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-4-25 325128]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-4-25 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-4-25 107272]
R1 NEOFLTR_550_12029;Juniper Networks TDI Filter Driver (NEOFLTR_550_12029);c:\windows\system32\drivers\NEOFLTR_550_12029.sys [2007-8-23 63008]
R1 NEOFLTR_630_13725;Juniper Networks TDI Filter Driver (NEOFLTR_630_13725);c:\windows\system32\drivers\NEOFLTR_630_13725.sys [2008-11-21 64480]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-2 903960]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-2 298264]
R2 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2004-8-11 14336]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2008-12-4 226640]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [2004-8-11 5120]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\gb\locals~1\temp\alsysio.sys --> c:\docume~1\gb\locals~1\temp\ALSysIO.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 950096]
S3 MSHUSBVideo;NX6000/NX3000/VX7000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [2008-9-27 34136]

=============== Created Last 30 ================

2009-02-01 13:36 <DIR> --d----- c:\program files\common files\xing shared
2009-02-01 13:34 <DIR> --d----- c:\program files\RichFX
2009-01-30 08:22 0 a------- c:\windows\frontpg.ini
2009-01-29 01:08 <DIR> --d----- C:\7288b17932de84e50bd2db
2009-01-28 17:14 <DIR> --d----- C:\Downloads
2009-01-26 12:34 <DIR> --d----- c:\program files\filehippo.com
2009-01-22 19:15 <DIR> --d----- c:\program files\Text Twist 2
2009-01-20 14:48 15,688 a------- c:\windows\system32\lsdelete.exe
2009-01-20 12:40 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-01-20 12:35 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-01-20 12:35 <DIR> --d----- c:\program files\Lavasoft
2009-01-17 03:58 <DIR> --d----- c:\windows\system32\FxsTmp
2009-01-17 03:57 <DIR> --d-h--- c:\windows\msdownld.tmp
2009-01-17 02:39 21,791 a------- c:\windows\system32\smtpctrs.ini
2009-01-17 02:39 12,288 a------- c:\windows\system32\smtpctrs.dll
2009-01-17 02:39 8,002 a------- c:\windows\system32\smtpctrs.h
2009-01-17 02:39 7,168 a------- c:\windows\system32\snprfdll.dll
2009-01-17 02:39 23,040 a------- c:\windows\system32\regtrace.exe
2009-01-17 02:39 1,037 a------- c:\windows\system32\ntfsdrct.ini
2009-01-17 02:39 773 a------- c:\windows\system32\ntfsdrct.h
2009-01-17 02:39 43,520 a------- c:\windows\system32\fcachdll.dll
2009-01-17 02:39 5,632 a------- c:\windows\system32\adsiisex.dll
2009-01-16 21:18 2,036,576 a------- c:\windows\system32\D3DCompiler_40.dll
2009-01-16 21:18 452,440 a------- c:\windows\system32\d3dx10_40.dll
2009-01-16 21:18 4,379,984 a------- c:\windows\system32\D3DX9_40.dll
2009-01-16 21:18 514,384 a------- c:\windows\system32\XAudio2_3.dll
2009-01-16 21:18 70,992 a------- c:\windows\system32\XAPOFX1_2.dll
2009-01-16 21:18 235,856 a------- c:\windows\system32\xactengine3_3.dll
2009-01-16 21:18 23,376 a------- c:\windows\system32\X3DAudio1_5.dll
2009-01-16 21:18 68,616 a------- c:\windows\system32\XAPOFX1_1.dll
2009-01-16 21:18 509,448 a------- c:\windows\system32\XAudio2_2.dll
2009-01-16 21:16 444,776 a------- c:\windows\system32\d3dx10_36.dll
2009-01-16 21:15 251,672 a------- c:\windows\system32\xactengine2_5.dll
2009-01-16 21:10 <DIR> --d----- c:\windows\Logs
2009-01-13 11:39 <DIR> --d----- c:\program files\Trend Micro
2009-01-13 11:15 8,192 a--sh--- c:\windows\Thumbs.db
2009-01-12 23:23 <DIR> --d----- c:\program files\Microsoft
2009-01-12 23:23 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-01-12 08:02 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-09 16:54 <DIR> --d----- c:\windows\SoftwareDistribution.old
2009-01-07 16:02 <DIR> --d----- c:\program files\ACW
2009-01-05 16:18 90,112 a------- c:\windows\system32\QuickTimeVR.qtx
2009-01-05 16:18 57,344 a------- c:\windows\system32\QuickTime.qts
2009-01-05 14:33 3,751,995 a------- c:\windows\system32\GPhotos.scr

==================== Find3M ====================

2009-01-26 13:07 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2009-01-26 13:07 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-26 13:07 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-14 16:11 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 16:11 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-07 18:52 5,632 a------- c:\windows\system32\write.exe
2009-01-07 18:52 5,632 a------- c:\windows\system32\dllcache\write.exe
2009-01-07 18:52 214,528 a------- c:\windows\system32\dllcache\wordpad.exe
2009-01-07 11:28 453,152 a------- c:\windows\system32\NVUNINST.EXE
2009-01-06 15:56 88,867 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-04 19:31 41,855 a------- c:\windows\system32\nvModes.dat
2009-01-02 12:38 34,576 a---h--- c:\windows\system32\mlfcache.dat
2008-12-14 03:53 5 a------- c:\windows\system32\drivers\DELL_WOR_M6300.MRK
2008-12-14 03:53 5 a------- c:\windows\system32\drivers\1028_Dell_WOR_M6300.mrk
2008-12-12 22:40 3,593,216 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- c:\windows\system32\dnssd.dll
2008-12-11 02:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 02:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-12-09 12:20 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-04 22:55 307,560 a------- c:\windows\WLXPGSS.SCR
2008-12-02 22:37 49,480 a------- c:\windows\system32\sirenacm.dll
2008-11-06 03:21 203,776 a------- c:\windows\system32\clrviddc.dll
2008-06-25 20:55 61,224 a------- c:\documents and settings\gb\GoToAssistDownloadHelper.exe

============= FINISH: 14:37:35.75 ===============
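Item (7) of the post reads the HijackThis "O1 - Hosts:" line as a possible hosts-file hijack, and item (6) describes a security product that can no longer reach its update server, which is one of the symptoms a tampered hosts file produces. The script below is an added example written for this thread; it is not code from the post, from HijackThis or from DDS. It parses hosts-file text the way a technician would eyeball an O1 line: the stock `127.0.0.1 localhost` entry is expected, anything else is listed, and an entry that pins a search engine, a Microsoft domain or a security vendor's site to any address is flagged, because such an entry overrides DNS for that name and can silently redirect or block the browser. `WATCHED_SUFFIXES` is an assumed watch-list, and the sample hosts file is constructed: the `HPFA0EFD HP001A4BFA0EFD` names are the ones shown in the post's O1 line, while the `192.168.1.50` address is made up, since the O1 listing shows only the names.

```python
"""Hosts-file triage in the spirit of HijackThis's O1 check.

Added example for this thread; not code from the post, from HijackThis
or from DDS. Parses hosts-file text, separates the default loopback
entry from everything else, and flags entries that pin well-known
domains to an address.
"""
import ipaddress
from dataclasses import dataclass, field

# The only name a stock Windows XP hosts file resolves (127.0.0.1 localhost).
DEFAULT_NAMES = {"localhost"}

# Assumed watch-list for the example, not an authoritative feed: domains a
# browser hijacker commonly redirects (search engines) or blocks (updates,
# security vendors).
WATCHED_SUFFIXES = (
    "google.com", "yahoo.com", "microsoft.com",
    "avg.com", "superantispyware.com", "malwarebytes.org",
)

# Constructed sample. HPFA0EFD / HP001A4BFA0EFD are the names from the post's
# O1 line; the 192.168.1.50 address is made up, the O1 listing shows no address.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# constructed sample hosts file
127.0.0.1       localhost
192.168.1.50    HPFA0EFD HP001A4BFA0EFD   # HP printer entry (address constructed)
127.0.0.1       www.avg.com               # pins the AV vendor to loopback: blocks updates
10.0.0.9        www.google.com            # pins a search engine to a LAN address: redirect
fe80::1         myrouter.local
not-an-ip       whatever
"""


@dataclass
class HostsEntry:
    line_no: int
    address: str
    names: list = field(default_factory=list)


def parse_hosts(text):
    """Return one HostsEntry per non-blank, non-comment line."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not body:
            continue
        parts = body.split()
        if len(parts) < 2:
            continue                          # an address with no name binds nothing
        entries.append(HostsEntry(line_no, parts[0], parts[1:]))
    return entries


def classify(entry):
    """Verdict for one entry: default, custom, suspicious or malformed."""
    try:
        addr = ipaddress.ip_address(entry.address)
    except ValueError:
        return "malformed"                    # first field must be an IP address
    names = [n.lower() for n in entry.names]
    if addr.is_loopback and all(n in DEFAULT_NAMES for n in names):
        return "default"
    for name in names:
        for suffix in WATCHED_SUFFIXES:
            if name == suffix or name.endswith("." + suffix):
                return "suspicious"           # any pinning of a watched domain
    return "custom"                           # e.g. LAN printers, local devices


def triage(text):
    """List of (line_no, address, names, verdict) for every entry."""
    return [(e.line_no, e.address, e.names, classify(e)) for e in parse_hosts(text)]


def suspicious_lines(text):
    """Line numbers a technician should look at first."""
    return [line_no for line_no, _, _, verdict in triage(text) if verdict == "suspicious"]


if __name__ == "__main__":
    for line_no, address, names, verdict in triage(SAMPLE_HOSTS):
        print(f"line {line_no:>2}  {verdict:<10} {address:<15} {' '.join(names)}")
```

On a real XP machine the text would come from `%SystemRoot%\system32\drivers\etc\hosts`; the printer entry in the post lands in the `custom` bucket, which is the expected outcome for HP network-printer software, while a watched domain pinned to loopback or to a LAN address is what a hijack looks like.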




#2 black069

Posted 12 February 2009 - 04:20 PM

New HJT scan results from today (since the initial post was back on 2/3/09) are posted below, along with the results of an online Kaspersky Online Scanner 7 from today (at bottom).


DDS (Ver_09-02-01.01) - NTFSx86
Run by gb at 10:35:26.01 on Thu 02/12/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1276 [GMT -8:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k eapsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\tlntsvr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
C:\Program Files\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\gb\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.espn.go.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [SecureUpgrade] c:\program files\wave systems corp\SecureUpgrade.exe
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Document Manager] c:\program files\wave systems corp\services manager\docmgr\bin\docmgr.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\windows\system32\biolsp.dll
Trusted Zone: dell.com\support
Trusted Zone: rasmg.net\rasesystems
Trusted Zone: statdx.com\my
Trusted Zone: sutterhealth.org\auth0
Trusted Zone: sutterphysicians.org
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxps://rasesystems.rasmg.net/dana/download/icaweb.cab?url=/dana/term/winlaunchterm.cgi?op=DownloadCitrixCab
DPF: {46CF8BCA-84A1-4437-847A-DC29496E01A5} - hxxps://isite.rasmg.net/nat2/iSite3_3.cab
DPF: {49232000-16E4-426C-A231-62846947304B} - hxxp://ipgweb.cce.hp.com/rdqaio2/downloads/sysinfo.cab
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1208144666709
DPF: {5D2CF9D0-113A-476B-986F-288B54571614} - hxxp://www.devalvr.com/instalacion/plugin/devalvrplugin.php
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {6F750203-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0014-0002-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://rasesystems.rasmg.net/dana-cached/setup/JuniperSetupSP1.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
AppInit_DLLs: wxvault.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 wvauth

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-1-20 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-4-25 325128]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-4-25 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-4-25 107272]
R1 NEOFLTR_550_12029;Juniper Networks TDI Filter Driver (NEOFLTR_550_12029);c:\windows\system32\drivers\NEOFLTR_550_12029.sys [2007-8-23 63008]
R1 NEOFLTR_630_13725;Juniper Networks TDI Filter Driver (NEOFLTR_630_13725);c:\windows\system32\drivers\NEOFLTR_630_13725.sys [2008-11-21 64480]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-2 903960]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-2 298264]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2008-12-4 226640]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [2004-8-11 5120]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]
S2 OpenCASE Media Agent;OpenCASE Media Agent;c:\program files\opencase\opencase media agent\MediaAgent.exe [2008-8-29 835208]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\gb\locals~1\temp\alsysio.sys --> c:\docume~1\gb\locals~1\temp\ALSysIO.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 950096]
S3 MSHUSBVideo;NX6000/NX3000/VX7000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [2008-9-27 34136]

=============== Created Last 30 ================

2009-02-11 22:26 <DIR> --d----- C:\Sysinternals
2009-02-08 23:36 <DIR> --d----- c:\program files\jv16 PowerTools
2009-02-08 23:21 <DIR> --d----- c:\program files\PC Magazine Utilities
2009-02-08 04:11 <DIR> --d----- c:\program files\NBC Direct Beta
2009-02-08 04:09 <DIR> --d----- c:\program files\OpenCase
2009-02-06 23:00 <DIR> --d----- C:\RegBack
2009-02-04 20:15 73,728 a------- c:\windows\system32\javacpl.cpl
2009-02-01 13:36 <DIR> --d----- c:\program files\common files\xing shared
2009-02-01 13:34 <DIR> --d----- c:\program files\RichFX
2009-01-30 08:22 0 a------- c:\windows\frontpg.ini
2009-01-28 17:14 <DIR> --d----- C:\Downloads
2009-01-26 12:34 <DIR> --d----- c:\program files\filehippo.com
2009-01-22 19:15 <DIR> --d----- c:\program files\Text Twist 2
2009-01-20 14:48 15,688 a------- c:\windows\system32\lsdelete.exe
2009-01-20 12:40 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-01-20 12:35 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-01-20 12:35 <DIR> --d----- c:\program files\Lavasoft
2009-01-17 03:57 <DIR> --d-h--- c:\windows\msdownld.tmp
2009-01-16 21:18 2,036,576 a------- c:\windows\system32\D3DCompiler_40.dll
2009-01-16 21:18 452,440 a------- c:\windows\system32\d3dx10_40.dll
2009-01-16 21:18 4,379,984 a------- c:\windows\system32\D3DX9_40.dll
2009-01-16 21:18 514,384 a------- c:\windows\system32\XAudio2_3.dll
2009-01-16 21:18 70,992 a------- c:\windows\system32\XAPOFX1_2.dll
2009-01-16 21:18 235,856 a------- c:\windows\system32\xactengine3_3.dll
2009-01-16 21:18 23,376 a------- c:\windows\system32\X3DAudio1_5.dll
2009-01-16 21:18 68,616 a------- c:\windows\system32\XAPOFX1_1.dll
2009-01-16 21:18 509,448 a------- c:\windows\system32\XAudio2_2.dll
2009-01-16 21:16 444,776 a------- c:\windows\system32\d3dx10_36.dll
2009-01-16 21:15 251,672 a------- c:\windows\system32\xactengine2_5.dll
2009-01-16 21:10 <DIR> --d----- c:\windows\Logs
2009-01-13 11:39 <DIR> --d----- c:\program files\Trend Micro
2009-01-13 11:15 8,192 a--sh--- c:\windows\Thumbs.db

==================== Find3M ====================

2009-02-11 10:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 10:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-08 03:27 5 a------- c:\windows\system32\drivers\DELL_WOR_M6300.MRK
2009-02-08 03:27 5 a------- c:\windows\system32\drivers\1028_Dell_WOR_M6300.mrk
2009-02-07 22:20 41,762 a------- c:\windows\system32\nvModes.dat
2009-02-04 20:14 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-26 13:07 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2009-01-26 13:07 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-26 13:07 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-16 21:35 3,594,752 -------- c:\windows\system32\dllcache\mshtml.dll
2009-01-07 18:52 5,632 a------- c:\windows\system32\write.exe
2009-01-07 18:52 5,632 a------- c:\windows\system32\dllcache\write.exe
2009-01-07 18:52 214,528 a------- c:\windows\system32\dllcache\wordpad.exe
2009-01-07 11:28 453,152 a------- c:\windows\system32\NVUNINST.EXE
2009-01-06 15:56 88,867 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-05 14:33 3,751,995 a------- c:\windows\system32\GPhotos.scr
2009-01-02 12:38 34,576 a---h--- c:\windows\system32\mlfcache.dat
2008-12-19 01:10 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 01:10 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-18 21:25 634,024 a------- c:\windows\system32\dllcache\iexplore.exe
2008-12-18 21:23 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- c:\windows\system32\dnssd.dll
2008-12-11 02:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-12-04 22:55 307,560 a------- c:\windows\WLXPGSS.SCR
2008-12-02 22:37 49,480 a------- c:\windows\system32\sirenacm.dll
2008-06-25 20:55 61,224 a------- c:\documents and settings\gb\GoToAssistDownloadHelper.exe

============= FINISH: 10:36:14.65 ===============


KASPERSKY ONLINE SCANNER 7 REPORT

Thursday, February 12, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, February 12, 2009 18:47:42
Records in database: 1788547


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\

Scan statistics
Files scanned 58756
Threat name 0
Infected objects 0
Suspicious objects 0
Duration of the scan 01:01:32

No malware has been detected. The scan area is clean.
The selected area was scanned.



#3 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 12 February 2009 - 06:45 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Those logs look clean.

Please give me an update on the symptoms.

With Regards,
The Panda

#4 black069
  • Topic Starter
  • Members
  • 66 posts
  • Gender:Male
  • Location:Tabor City, NC

Posted 14 February 2009 - 01:17 AM

Thanks, Panda or PP for short, for helping me out. You guys are geniuses and you all just amaze me.

I am shocked that the HJT logs are clean. Really? I continue to have the same symptoms as before. I can't list them all here because my message would be too long and cumbersome for anyone to read.

I am still concerned about the possibility of browser hijacking. I have attached two word documents (the first two) that illustrate exactly what happens.

I cannot open hyperlinks in Word documents unless (I know this sounds weird) Internet Explorer has already been opened. The same exact thing happens with the link on my start menu to Microsoft Update.

Also I am receiving dozens of error messages per day, the vast majority of which I have saved via "Print Screen" so that I could show you if need be. I noticed that you didn't take a look at either of my attach.txt logs from 2/3/09 or 2/12/09 (since it said #downloads = 0 after you sent your message). If you will check out the end of each log at the "Event Viewer Messages", there are multiple error messages shown. And this doesn't even include the error messages that appear in pop-ups with the message "Program X has encountered a problem and needs to close." I included an attachment of this type as well, regarding AVG Safety Scanner. Also, my event log viewer is filled with warnings and error messages, like the one below which I cut and paste, just as an example of the types of things I am receiving. I have no idea where this IP address it lists (in red below) came from, as it is not mine, and this laptop has not left this house since December:

Event Type: Warning
Event Source: Dhcp
Event Category: None
Event ID: 1007
Date: 2/8/2009
Time: 5:36:25 AM
User: N/A
Computer: LAPTOP
Description:
Your computer has automatically configured the IP address for the Network Card with network address 001CBF1E59E9. The IP address being used is 169.254.31.48.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 ....



Thanks again for your message. I apologize for being long-winded, but I just know that there are registry or configuration errors or some type of bug, and haven't done any credit card or bank transactions in many weeks because of my uncertainty about its security. I can give you as little or as much more information as you need, but don't want to take up too much of your time. But again, thanks.
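
The Dhcp warning quoted in the post above is the Windows DHCP client reporting that no DHCP server answered and that it fell back to a self-assigned address in 169.254.0.0/16 (APIPA, link-local); an address in that range is chosen by the machine itself and never arrives from outside. The block below is an added example, not part of the thread or of any BleepingComputer tool: it parses an entry as copied out of Event Viewer and labels the address with Python's ipaddress module. The function names are this example's own; the event text is the one from the post.

```python
"""Label the address in a Windows 'Dhcp' Event ID 1007 entry (added example)."""
from __future__ import annotations

import ipaddress
import re

# Matches the fixed wording of the XP DHCP client's autoconfiguration message.
AUTOCONF_RE = re.compile(
    r"network address ([0-9A-Fa-f]{12})\.\s*The IP address being used is "
    r"(\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_event(text: str) -> dict[str, str]:
    """Turn 'Key: value' lines into a dict; 'Description' runs to the 'Data:' line."""
    fields: dict[str, str] = {}
    desc: list[str] = []
    in_desc = False
    for line in text.strip().splitlines():
        if in_desc:
            if line.startswith("Data:"):
                in_desc = False
            else:
                desc.append(line.strip())
            continue
        key, sep, value = line.partition(":")   # first colon only: 'Time: 5:36:25 AM'
        if not sep:
            continue
        if key.strip() == "Description":
            in_desc = True
            if value.strip():
                desc.append(value.strip())
        else:
            fields[key.strip()] = value.strip()
    fields["Description"] = " ".join(desc)
    return fields


def classify_address(ip_str: str) -> str:
    ip = ipaddress.ip_address(ip_str)
    if ip.is_link_local:   # 169.254.0.0/16: picked by the client because no DHCP server answered
        return "apipa"
    if ip.is_private:      # RFC 1918 and the other reserved ranges
        return "private"
    return "public"


def triage_dhcp_event(text: str) -> dict[str, str] | None:
    """Return mac/ip/kind for a Dhcp 1007 entry, or None for any other event."""
    ev = parse_event(text)
    if ev.get("Event Source") != "Dhcp" or ev.get("Event ID") != "1007":
        return None
    m = AUTOCONF_RE.search(ev["Description"])
    if not m:
        return None
    mac_raw, ip_str = m.groups()
    mac = ":".join(mac_raw[i:i + 2] for i in range(0, 12, 2)).upper()
    return {"mac": mac, "ip": ip_str, "kind": classify_address(ip_str)}


# The entry quoted in the post above, copied as posted.
POSTED_EVENT = """\
Event Type: Warning
Event Source: Dhcp
Event Category: None
Event ID: 1007
Date: 2/8/2009
Time: 5:36:25 AM
User: N/A
Computer: LAPTOP
Description:
Your computer has automatically configured the IP address for the Network Card with network address 001CBF1E59E9. The IP address being used is 169.254.31.48.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 ....
"""

if __name__ == "__main__":
    print(triage_dhcp_event(POSTED_EVENT))
```

Run on the posted entry it returns the adapter's MAC in colon form, the address 169.254.31.48 and the label "apipa". An APIPA address on a laptop that normally gets a DHCP lease points at the network side (no DHCP answer at that moment, for example Wi-Fi not yet associated at boot), not at an outside connection to the machine.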



#5 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 14 February 2009 - 11:13 AM

Hello.

HijackThis and DDS logs list out the autoloading points on the computer. Malware items can be detected this way. They do not show, however, problems with programs and such.

Though these issues do not appear to be caused by malware, let's run GMER to search for anything hidden. If nothing is found, we'll try some trouble shooting.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.

With Regards,
The Panda
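
Panda's point that HijackThis and DDS logs list the autoload points is the whole basis of the triage. The block below is an added example, not part of the thread or of DDS/HijackThis: it reads the "Pseudo HJT Report" lines and the R?/S? service lines and ranks them with a few rules a malware-response helper applies by eye (code loading from a Temp directory, bare filenames in Run keys that Windows resolves through the PATH search order, Winlogon Notify DLLs, Winsock LSPs, AppInit_DLLs, LSA authentication packages beyond the XP default msv1_0, orphaned "No File" CLSIDs, Trusted Zone sites, and the host each DPF ActiveX control was fetched from). The sample log is constructed from lines like the ones in the thread, with one invented [updater] entry so the highest rule fires; the severities and rule names are this example's own, and "review" means confirm the vendor, not malware.

```python
"""Rank the autoload points in a DDS 'Pseudo HJT Report' (added example, not DDS code).
Rules are heuristics: 'review' means confirm the vendor, not malware."""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Finding:
    severity: str   # "high" | "review" | "info"
    kind: str       # DDS prefix the line came from
    detail: str
    line: str


DEFAULT_LSA_AUTH_PACKAGES = {"msv1_0"}   # the only package XP ships with
VOLATILE_PATH = re.compile(r"\\(temp|temporary internet files|recycler)\\", re.I)
DLL_KEYS = {"BHO", "TB", "IE", "Handler", "Notify", "SSODL", "SEH", "LSP"}
RUN_KEYS = {"uRun", "mRun", "dRun", "StartupFolder"}
STARTPAGE_RE = re.compile(r"^[umd]?(Start Page|Default_Page_URL)\s*=\s*(.*)$")
SERVICE_RE = re.compile(r"^[RS][0-4]\s+([^;]+);([^;]*);(.*)$")   # R0 name;desc;path
KEYED_RE = re.compile(r"^([A-Za-z_ ]+?):\s+(.*)$")                # BHO: ..., uRun: ...


def _path_of(rest: str) -> str:
    """DDS writes '<description> - <path>'; the path follows the last ' - '."""
    return rest.rsplit(" - ", 1)[-1].strip()


def triage(log_text: str) -> list[Finding]:
    out: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := STARTPAGE_RE.match(line):
            out.append(Finding("info", "StartPage", f"start page is {m.group(2)}; a hijack changes this value", line))
        elif m := SERVICE_RE.match(line):
            name, _desc, path = m.groups()
            if VOLATILE_PATH.search(path):   # a driver or service living under %TEMP%
                out.append(Finding("review", "Service", f"{name} loads from a temp directory: {path}", line))
        elif m := KEYED_RE.match(line):
            key, rest = m.group(1), m.group(2)
            if key in DLL_KEYS:
                path = _path_of(rest)
                if path.lower() == "no file":
                    out.append(Finding("info", key, "orphaned CLSID, no DLL on disk (cleanup only)", line))
                elif VOLATILE_PATH.search(path):
                    out.append(Finding("high", key, f"loads from a temp directory: {path}", line))
                elif key in ("Notify", "LSP"):   # runs inside winlogon / inside every Winsock process
                    what = "Winlogon notification DLL" if key == "Notify" else "Winsock LSP"
                    out.append(Finding("review", key, f"{what} {path}: confirm the vendor", line))
            elif key in RUN_KEYS:
                cmd = re.sub(r"^\[[^\]]*\]\s*", "", rest)   # drop the [value name]
                if VOLATILE_PATH.search(cmd):
                    out.append(Finding("high", key, f"autostart from a temp directory: {cmd}", line))
                elif "\\" not in cmd:   # which copy runs depends on the PATH search order
                    out.append(Finding("review", key, f"bare filename, resolved via PATH: {cmd}", line))
            elif key == "AppInit_DLLs":   # loaded into every process that maps user32.dll
                out.append(Finding("review", key, f"{rest} is injected into every user32 process: confirm the vendor", line))
            elif key == "LSA":
                name, _, value = rest.partition("=")
                extra = set(value.split()) - DEFAULT_LSA_AUTH_PACKAGES
                if name.strip() == "Authentication Packages" and extra:
                    out.append(Finding("review", key, f"non-default authentication package(s) {sorted(extra)}", line))
            elif key == "Trusted Zone":   # relaxed IE security settings for this site
                out.append(Finding("info", key, f"{rest} is in the Trusted sites zone: confirm the user added it", line))
            elif key == "DPF":   # ActiveX control downloaded and installed from this host
                url = _path_of(rest).replace("hxxp", "http", 1)
                out.append(Finding("info", key, f"ActiveX control installed from {urlparse(url).hostname}", line))
    return out


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts = {"high": 0, "review": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample modelled on the thread's DDS output; the [updater] line is
# invented so that the "high" rule has something to hit.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.espn.go.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [updater] c:\docume~1\gb\locals~1\temp\svchost.exe
LSP: c:\windows\system32\biolsp.dll
Trusted Zone: dell.com\support
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: wxvault.dll
LSA: Authentication Packages = msv1_0 wvauth
S3 ALSysIO;ALSysIO;\??\c:\docume~1\gb\locals~1\temp\alsysio.sys --> c:\docume~1\gb\locals~1\temp\ALSysIO.sys [?]
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.kind}: {f.detail}")
```

On the sample this yields one "high" (the invented Run entry under Temp), six "review" items and five "info" items. The service rule mirrors the thread's own `S3 ALSysIO` line, whose driver path sits under the user's Temp directory: that is a question for the user (which program put it there?), not a verdict, which is why it stays at "review".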

#6 black069
  • Topic Starter
  • Members
  • 66 posts
  • Gender:Male
  • Location:Tabor City, NC

Posted 15 February 2009 - 08:07 AM

Hello again, Panda. I was having some trouble performing the scan on my laptop, even though it worked on my desktop. All the options were not showing and, most importantly, the only functions available initially were "Cancel" and "OK". I figured out it was b/c my DPI setting had been changed from normal to large. When I changed it back to normal (which is too small to read on a permanent basis), it worked!

But then I could not upload as an attachment b/c the .txt file was 431 KB, which I guess is too large, plus I couldn't cut and paste it into this area b/c "it was too long."

So I had to download a free version of a compression program, which I have never used before, and learn how to compress the file. I downloaded WinRAR, which is free, but only for 40 days, and it compressed the file to 18KB. I read that if you don't know what type of compression software the other person has, you should send it as a .zip file instead of as a .rar. I don't know why, but that's not important at this point.

Hope this helps. Thanks again for your guidance.

PS Is there a maximum attachment size per topic or per person per topic or what? I'm confused that it says below, after uploading that 18KB file, that I have used 393.8 of 512kb of attachment space.



#7 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 15 February 2009 - 10:18 AM

Hello.

The GMER log is clean.

PS Is there a maximum attachment size per topic or per person per topic or what? I'm confused that it says below, after uploading that 18KB file, that I have used 393.8 of 512kb of attachment space.

There is a total attachment space available. Go to your Control Panel to remove your previous attachments to make room for new ones.

Taking a look at the Event Logs, the Windows services are erroring. Included were the drivers for AVG and SuperAntiSpyware.

Let's first create a backup just in case something goes wrong.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. If you are using Windows Vista, right click the icon and select "Run As Administrator." Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

Please uninstall AVG8 and SuperAntiSpyware using Add/Remove Programs. Reinstall both.

Then, take a new pair of DDS logs.

With Regards,
The Panda

Edited by PropagandaPanda, 15 February 2009 - 10:19 AM.


#8 black069
  • Topic Starter
  • Members
  • 66 posts
  • Gender:Male
  • Location:Tabor City, NC

Posted 17 February 2009 - 04:38 PM

Hi Panda,
I was able to download and run ERUNT with no problem.

And I removed SuperAntiSpyware without any issues arising, but I am having a heck of a time with AVG. I thought I removed it without problems; I used the Add/Remove Programs feature like you instructed. But then when I've tried several times to re-install AVG, I continue to get the same error message each time. So it appears that the problem is that not all of it has been removed. I tried to manually remove any other AVG-related files, even performing a search of hidden folders, but this has had no effect. Keep getting same message (see attached).

I googled the error message as well as "AVG removal", but the fixes either didn't work or were above the domain of a quasi-newbie like myself (e.g. using regedit to remove x, y, and z).

I'll just wait for your instruction. Meanwhile, though, the only real-time protection I have is the newest Ad-Aware's "Ad-Watch Live! Realtime Protection", but even with this, the only one of three real-time tools you get with the free version is the "Processes", not "Registry" or "Networks". I also have Malwarebytes' Anti-Malware. But is it even OK to update the definitions files for Ad-Aware or Malwarebytes without having AVG's resident protection? And also, can my wife use this (the laptop) to access her job's network page tomorrow (Wednesday)? We also have a desktop with which I can communicate with you, but my wife cannot access her network with that system.

Thanks again!



#9 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 17 February 2009 - 06:30 PM

Hello.

But is it even OK to update the definitions files for Ad-Aware or Malwarebytes without having AVG's resident protection? And also, can my wife use this (the laptop) to access her job's network page tomorrow (Wednesday)?

I don't see that as an issue.

Are there any changes in the original symptoms?

Please post a new DDS.txt log so we can remove any leftover components of AVG.

With Regards,
The Panda

#10 black069
  • Topic Starter
  • Members
  • 66 posts
  • Gender:Male
  • Location:Tabor City, NC

Posted 18 February 2009 - 04:10 PM

I apologize for the time between messages: my wife returned from China a couple of days ago and it's been a little hectic trying to get her settled back in and back to work, plus car problems. Thanks for your patience.

No changes in the original symptoms at all. Once I removed SuperAntiSpyware's browser hijack prevention tool, or whatever it's called (when I removed SAS), my homepage reverted to the one it did before, www.my.yahoo.com, but when I re-installed it, I got the pop-up again asking if I want to keep it at www.espn.go.com or change to www.my.yahoo.com.

AVG is still not installed (as I told you before), but I have not tried to troubleshoot that since.

A couple of things which may or may not help you are below:

(1) Refer to Attachment 2 (a word document): The IE-7 versions are "different" on various places within my hard drive and system information, etc. For example, when I click "About" when the browser is open, I get one version, but under System Information, it gives another version. The two versions are:
  • Internet Explorer 7.0.6000.16791
  • Internet Explorer 7.0.5730.13
(2) The last malware I found on my computer (see partial results of Ad-Aware log below)...all 5 were given a TAC of 10 out of 10, and for some reason, 1 of the 5 has a status different than the others, so I am wondering if it might not have been completely removed? But it has not been found since, despite running multiple scans with multiple programs.

--------------------------------------------------------------------------------------------------------------------
Lavasoft Ad-Aware Full Scan Results (1/20/09)
Objects detected: 5

Type Detected
==========================
Processes.......: 0
Registry entries: 5
Hostfile entries: 0
Files...........: 0
Folders.........: 0
LSPs............: 0
Cookies.........: 0
Browser hijacks.: 0
MRU objects.....: 0

Quarantined items:
Description: HKU:s-1-5-18\software\microsoft\internet explorer\toolbar\webbrowser:{01e04581-4eee-11d0-bfe9-00aa005b4383} Family Name: Win32.TrojanDownloader.NewMedia Clean status: Success Item ID: 39819 Family ID: 1017
Description: HKU:S-1-5-21-3977868836-315020714-1853221447-1005\software\microsoft\internet explorer\desktop\components\0:FriendlyName Family Name: Win32.TrojanDownloader.NewMedia Clean status: Success Item ID: 39388 Family ID: 1017
Description: HKU:S-1-5-21-3977868836-315020714-1853221447-1005\software\microsoft\internet explorer\desktop\components\1: Family Name: Win32.TrojanDownloader.NewMedia Clean status: Success Item ID: 39408 Family ID: 1017
Description: HKU:.default\software\microsoft\internet explorer\toolbar:locked Family Name: Win32.TrojanDownloader.NewMedia Clean status: Success Item ID: 39817 Family ID: 1017
Description: HKU:s-1-5-18\software\microsoft\internet explorer\toolbar:locked Family Name: Win32.TrojanDownloader.NewMedia Clean status: Failed Item ID: 39818 Family ID: 1017
-----------------------------------------------------------------------------------------------------

NOTE: The only other malware found by any program in the last couple of months is below:
  • AVG (12/23/08)
    • "C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP107\A0021397.exe";"Trojan horse Generic12.ACVL";"Moved to Virus Vault.
  • Malwarebytes (1/3/09)
    • Registry Keys Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
-------------------------------------------------------------

MY NEW HJT SCAN


  • dds.txt is cut and pasted below
  • attach.txt is included as attachment
DDS (Ver_09-02-01.01) - NTFSx86
Run by gb at 9:25:00.30 on Wed 02/18/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1133 [GMT -8:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k eapsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\OpenCase\OpenCASE Media Agent\MediaAgent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\tlntsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Documents and Settings\gb\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.espn.go.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [SecureUpgrade] c:\program files\wave systems corp\SecureUpgrade.exe
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Document Manager] c:\program files\wave systems corp\services manager\docmgr\bin\docmgr.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
dRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
StartupFolder: c:\docume~1\gb\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\windows\system32\biolsp.dll
Trusted Zone: dell.com\support
Trusted Zone: rasmg.net\rasesystems
Trusted Zone: statdx.com\my
Trusted Zone: sutterhealth.org\auth0
Trusted Zone: sutterphysicians.org
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxps://rasesystems.rasmg.net/dana/download/icaweb.cab?url=/dana/term/winlaunchterm.cgi?op=DownloadCitrixCab
DPF: {46CF8BCA-84A1-4437-847A-DC29496E01A5} - hxxps://isite.rasmg.net/nat2/iSite3_3.cab
DPF: {49232000-16E4-426C-A231-62846947304B} - hxxp://ipgweb.cce.hp.com/rdqaio2/downloads/sysinfo.cab
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1208144666709
DPF: {5D2CF9D0-113A-476B-986F-288B54571614} - hxxp://www.devalvr.com/instalacion/plugin/devalvrplugin.php
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {6F750203-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0014-0002-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://rasesystems.rasmg.net/dana-cached/setup/JuniperSetupSP1.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
AppInit_DLLs: wxvault.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 wvauth

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-1-20 64160]
R1 NEOFLTR_550_12029;Juniper Networks TDI Filter Driver (NEOFLTR_550_12029);c:\windows\system32\drivers\NEOFLTR_550_12029.sys [2007-8-23 63008]
R1 NEOFLTR_630_13725;Juniper Networks TDI Filter Driver (NEOFLTR_630_13725);c:\windows\system32\drivers\NEOFLTR_630_13725.sys [2008-11-21 64480]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 950096]
R2 OpenCASE Media Agent;OpenCASE Media Agent;c:\program files\opencase\opencase media agent\MediaAgent.exe [2008-8-29 835208]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2008-12-4 226640]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [2004-8-11 5120]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\gb\locals~1\temp\alsysio.sys --> c:\docume~1\gb\locals~1\temp\ALSysIO.sys [?]
S3 MSHUSBVideo;NX6000/NX3000/VX7000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [2008-9-27 34136]

=============== Created Last 30 ================

2009-02-18 04:47 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-02-18 04:47 <DIR> --d----- c:\docume~1\gb\applic~1\SUPERAntiSpyware.com
2009-02-18 04:37 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-02-17 12:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-02-15 08:06 <DIR> --d----- c:\program files\common files\xing shared
2009-02-15 08:04 <DIR> --d----- c:\program files\RichFX
2009-02-15 07:56 <DIR> --d----- c:\documents and settings\gb\.housecall6.6
2009-02-14 23:58 250 a------- c:\windows\gmer.ini
2009-02-11 22:26 <DIR> --d----- C:\Sysinternals
2009-02-08 23:36 <DIR> --d----- c:\program files\jv16 PowerTools
2009-02-08 23:21 <DIR> --d----- c:\program files\PC Magazine Utilities
2009-02-08 04:11 <DIR> --d----- c:\program files\NBC Direct Beta
2009-02-08 04:09 <DIR> --d----- c:\program files\OpenCase
2009-02-06 23:00 <DIR> --d----- C:\RegBack
2009-02-04 20:15 73,728 a------- c:\windows\system32\javacpl.cpl
2009-01-30 08:22 0 a------- c:\windows\frontpg.ini
2009-01-28 17:14 <DIR> --d----- C:\Downloads
2009-01-26 12:34 <DIR> --d----- c:\program files\filehippo.com
2009-01-22 19:15 <DIR> --d----- c:\program files\Text Twist 2
2009-01-20 14:48 15,688 a------- c:\windows\system32\lsdelete.exe
2009-01-20 12:40 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-01-20 12:35 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-01-20 12:35 <DIR> --d----- c:\program files\Lavasoft

==================== Find3M ====================

2009-02-11 10:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 10:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-08 03:27 5 a------- c:\windows\system32\drivers\DELL_WOR_M6300.MRK
2009-02-08 03:27 5 a------- c:\windows\system32\drivers\1028_Dell_WOR_M6300.mrk
2009-02-07 22:20 41,762 a------- c:\windows\system32\nvModes.dat
2009-02-04 20:14 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-16 21:35 3,594,752 -------- c:\windows\system32\dllcache\mshtml.dll
2009-01-07 18:52 5,632 a------- c:\windows\system32\write.exe
2009-01-07 18:52 5,632 a------- c:\windows\system32\dllcache\write.exe
2009-01-07 18:52 214,528 a------- c:\windows\system32\dllcache\wordpad.exe
2009-01-07 11:28 453,152 a------- c:\windows\system32\NVUNINST.EXE
2009-01-06 15:56 88,867 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-05 14:33 3,751,995 a------- c:\windows\system32\GPhotos.scr
2009-01-02 12:38 34,576 a---h--- c:\windows\system32\mlfcache.dat
2008-12-19 01:10 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 01:10 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-18 21:25 634,024 a------- c:\windows\system32\dllcache\iexplore.exe
2008-12-18 21:23 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- c:\windows\system32\dnssd.dll
2008-12-11 02:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-12-04 22:55 307,560 a------- c:\windows\WLXPGSS.SCR
2008-12-02 22:37 49,480 a------- c:\windows\system32\sirenacm.dll
2008-06-25 20:55 61,224 a------- c:\documents and settings\gb\GoToAssistDownloadHelper.exe

============= FINISH: 9:25:17.37 ===============

Edited by PropagandaPanda, 18 February 2009 - 04:54 PM.



#11 PropagandaPanda
Malware Response Team

Posted 18 February 2009 - 05:04 PM

Hello.

The items detected were merely leftover entries.

From what I understand, when a new version of IE is installed, the older one is overwritten. The registry entries containing the version numbers may have not been updated for some reason.

Referring to the different version numbers in the running processes, the individual modules may not be updated along with the IE version.

The faulting AVG module was the LinkScanner component. That can be disabled easily.

The "<file missing>" marks are obviously incorrect. It shows iexplore.exe as missing. If this were the case, IE would not start.

With Regards,
The Panda

#12 black069
Topic Starter

Posted 18 February 2009 - 06:00 PM

Thanks, Panda.

So what should be my next course of action? Or were you just responding to some of my other questions before instructing me as to the next step?

Look forward to your response.



#13 PropagandaPanda
Malware Response Team

Posted 18 February 2009 - 06:35 PM

Hello.

Let's try a complete reinstall of IE7. Let's create a backup before doing anything.

Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.

Do not use the NTREGOPT that comes with the installation package.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. If you are using Windows Vista, right click the icon and select "Run As Administrator." Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

When we are finished with fixing your computer (I will make it clear when we are), you can uninstall ERUNT through Add/Remove Programs. The backups will be stored at C:\WINDOWS\erdnt, and will not be deleted when ERUNT is uninstalled.

Go to Start > Programs > Accessories > System Tools and click System Restore.
Choose the radio button marked Create a Restore Point on the first screen then click Next. Give the Restore Point a name then click Create.

Download IE7 from here.

Referring to this guide, uninstall IE7.

Reinstall IE7 using the installer.

Tell me how things are now.

With Regards,
The Panda

#14 black069
Topic Starter

Posted 25 February 2009 - 01:40 AM

Hi Panda,

Sorry for the extended time between messages. It has taken me a while to go through my initial list of problems, especially while sharing the computer with my wife and juggling my work schedule.

After backing up my registry with ERUNT and creating a System Restore point as instructed, I did re-install Internet Explorer 7. I was also able to re-install AVG-Free 8.0, which required first removing (& afterwards re-installing) Ad-Aware AE to allow "avgtdix.sys" to be removed during the initial uninstall phase for AVG.

Re-installing Internet Explorer 7 has indeed gotten rid of almost all of my issues. :) The main exception, though, is my #1 issue: my homepage continues to revert to www.my.yahoo.com after each reboot. The only way to prevent this is to use a feature like the one on SuperAntiSpyware that notifies you (with an allow/block prompt) whenever a different homepage than specified tries to open, which for me is whenever the computer is turned on or re-started.

A couple of other things continue to frustrate me...

It takes forever for me to restart my computer. Windows seems to boot fairly quickly, such that I get to my desktop screen quickly, but it seems to take forever from that point to fully functional. It seems like the system tray icons are loading very slowly (thus probably the startup applications as well). Once all the systray icons are present, it takes another full minute for my internet to connect. The icon for my network adapter (Intel PROSet/Wireless 3945ABG) is the one for "Wireless Off". It will finally start to search and connect, but from beginning of start to connection is between 3-4 minutes. This may or may not be related: the system tray icons (as a group) seem to randomly ignore my instructions when using "Customize Icons" in Taskbar Properties.

Also, in my (only) firewall--Windows Firewall--some of my instructions are ignored. Specifically, in the Advanced (tab) under Network Connection Settings, all of the connections list "Teredo" (which is UDP port 3544) as an exception under Services. If I clear this & reboot, it always returns, as does "Allow incoming echo request" under ICMP > Settings (of the Advanced tab). I really am clueless when it comes to configuring the firewall despite reading many articles. In my case, it seems to make no difference whether I click "Don't allow any exceptions" or randomly allow exceptions on the Exceptions or Advanced tabs.

Thanks again for your excellent help. I will wait for your next message.



#15 PropagandaPanda
Malware Response Team

Posted 25 February 2009 - 03:27 PM

Hello.

Let's try to tackle the slow startups first. You have a lot loading automatically at startup, which we can slim down a bit.

Download, Install, and Save Log with HijackThis
  • Download the installer HERE onto your desktop and double click it.
  • You may be asked for confirmation for running an executable file. Select Run.
  • You will be asked to choose the install location. Please leave it at the default:
    C:\Program Files\Trend Micro\HijackThis.
  • Select Install.
  • The installation process should only take a few seconds. A shortcut named HijackThis will be created on your desktop so there will be no need to access the HijackThis program directly. The HijackThis window will pop-up after the installation.
  • Click Do a System Scan and Save a Log File.
  • The scan will complete in a moment and the log will pop-up.
  • Copy the contents of the log into your next post.
Next round, we'll remove some that we don't need.

I'll try to look into the firewall issue.

With Regards,
The Panda

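A worked example that is not part of this thread and is not DDS or HijackThis code: a small Python triage script, written for this page, that reads lines in the DDS format posted earlier in the thread and does what the Malware Response Team member is about to do by hand, namely count how much starts at boot or logon and single out the few hook points (LSA authentication packages, AppInit_DLLs, Winsock LSPs, Winlogon Notify packages, drivers loading from a temp directory, files DDS could not find) that deserve a manual check. The parser, the Entry record and the regexes are assumptions of this example, and the sample lines are a constructed excerpt copied in the shape of the posted log, not the whole log. A flag means "confirm the publisher and path", not "malware": in this thread the responder judged the detected items to be leftover entries, and the AppInit and LSA names flagged below sit next to the Wave Systems Corp programs listed elsewhere in the same log.

```python
"""Triage a DDS-style startup log: count what loads at boot/logon and flag the
persistence hook points a responder checks by hand. Added example, not DDS or
HijackThis code; parser and sample are hypothetical/constructed."""
import re
from dataclasses import dataclass

# Constructed excerpt in the DDS line format (not the full posted log).
SAMPLE_LOG = r"""
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SecureUpgrade] c:\program files\wave systems corp\SecureUpgrade.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
dRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
StartupFolder: c:\docume~1\gb\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
LSP: c:\windows\system32\biolsp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: wxvault.dll
LSA: Authentication Packages = msv1_0 wvauth
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-1-20 64160]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\gb\locals~1\temp\alsysio.sys --> c:\docume~1\gb\locals~1\temp\ALSysIO.sys [?]
"""

RUN_RE = re.compile(r"^(?P<key>uRun|mRun|dRun): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
FOLDER_RE = re.compile(r"^StartupFolder: (?P<lnk>.+?) - (?P<cmd>.+)$")
SVC_RE = re.compile(r"^(?P<state>[RS][0-4]) (?P<name>[^;]+);(?P<desc>[^;]*);(?P<rest>.+)$")
KV_RE = re.compile(r"^(?P<key>LSP|AppInit_DLLs|Notify|LSA|Trusted Zone|DPF): (?P<value>.+)$")
META_RE = re.compile(r" \[([^\]]*)\]$")           # trailing "[date size]" or "[?]"
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)  # any path component named temp


@dataclass
class Entry:
    kind: str   # startup, driver, service, or the DDS key (LSP, LSA, ...)
    name: str
    path: str   # command line, file path, or the raw value of a key/value line
    raw: str
    meta: str = ""


def parse_log(text):
    """Turn DDS lines into Entry records; unrecognised lines are kept as 'other'."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if m := RUN_RE.match(line):
            entries.append(Entry("startup", m["name"], m["cmd"], line))
        elif m := FOLDER_RE.match(line):
            entries.append(Entry("startup", m["lnk"].rsplit("\\", 1)[-1], m["cmd"], line))
        elif m := SVC_RE.match(line):
            rest, meta = m["rest"], ""
            if mm := META_RE.search(rest):
                meta, rest = mm.group(1), rest[:mm.start()]
            if " --> " in rest:                  # DDS prints the resolved \??\ path after an arrow
                rest = rest.split(" --> ", 1)[1]
            kind = "driver" if rest.lower().endswith(".sys") else "service"
            entries.append(Entry(kind, m["name"], rest, line, meta))
        elif m := KV_RE.match(line):
            entries.append(Entry(m["key"], "", m["value"], line))
        else:
            entries.append(Entry("other", "", line, line))
    return entries


def triage(entries):
    """Count boot/logon items and flag persistence points that need a manual look.
    A flag is a prompt to verify publisher and path, not a malware verdict."""
    startup = [e for e in entries if e.kind == "startup"]
    findings = []
    for e in entries:
        if e.kind == "driver" and TEMP_RE.search(e.path):
            findings.append(("driver_from_temp", e.name, e.path))   # kernel code from a user-writable dir
        if e.kind in ("driver", "service") and e.meta == "?":
            findings.append(("file_not_found", e.name, e.path))     # DDS could not stat the file
        if e.kind == "LSA":
            key, _, pkgs = e.path.partition("=")
            extra = [p for p in pkgs.split() if p.lower() != "msv1_0"]
            if extra:                                               # anything beyond the stock NTLM package
                findings.append(("extra_lsa_package", key.strip(), " ".join(extra)))
        if e.kind == "AppInit_DLLs" and e.path.strip():
            findings.append(("appinit_dll", "", e.path.strip()))    # loaded into every user32 process
        if e.kind == "LSP":
            findings.append(("third_party_lsp", "", e.path))        # sits in the Winsock chain
        if e.kind == "Notify":
            name, _, path = e.path.partition(" - ")
            findings.append(("winlogon_notify", name, path))        # runs inside winlogon.exe
    return {"startup_count": len(startup),
            "startup": [(e.name, e.path) for e in startup],
            "findings": findings}


if __name__ == "__main__":
    report = triage(parse_log(SAMPLE_LOG))
    print(f"{report['startup_count']} items load at boot or logon:")
    for name, cmd in report["startup"]:
        print(f"  {name}: {cmd}")
    print("hook points to confirm by hand:")
    for kind, name, detail in report["findings"]:
        print(f"  [{kind}] {name} {detail}".strip())
```

Run it as-is to see the constructed excerpt triaged; to use it on a real log, replace SAMPLE_LOG with the pasted DDS output. The startup list is the raw material for the "slim down" step that follows a HijackThis log, and every flagged line should be resolved against the vendor paths already visible in the log (the Wave Systems Corp, SUPERAntiSpyware and Lavasoft entries here) before anything is removed.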