
Hijackthis Log: Please Help Diagnose


11 replies to this topic

#1 TerryK


Posted 11 May 2006 - 11:04 AM

Hi (or is it HELP?!),

My XP Pro computer is not able to access major sites (google, yahoo, msn, etc). Lesser sites are not affected at all. And the local disk search is disabled as well (all you see is that goofy little dog).
Firefox works fine, and I can ping those sites, so it seems to be closely associated with IE.

Ad-Aware found nothing. SpyWare Doctor found nothing. Norton found nothing. Spybot S&D has twice found registry entries that it attributes to SpySheriff, but those only seem to be forcing the system to use Active Desktop and forbidding me from changing my wallpaper (the paper was a local custom picture, not anything malicious). I cleaned it using Spybot, and I could then change my wallpaper, but after a couple of reboots the wallpaper switched back, and the entries were back. So something is doing it. I researched SpySheriff, but none of the files or registry entries that are supposed to exist are on my computer. But of course, I can't actually search using the search tool. :/
Trend Micro's AntiSpyware also once found a file called IUN6002.exe. That was removed and has not come up again.

So far, I have found no other likely things in registry entries or files/directories that would cause this and it is driving me insane.

Terry
_____________________
Logfile of HijackThis v1.99.1
Scan saved at 8:58 AM, on 05/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\WINDOWS\tppaldr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\tkeller\Desktop\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\taskmgr.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com/1Q00CDT/0409/bl7.asp
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\tppaldr.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: HotSync Manager.LNK = C:\Program Files\Tapwave\HOTSYNC.EXE
O4 - Startup: ToDo List.lnk = C:\Documents and Settings\tkeller\Desktop\ToDo List.txt
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1147207812118
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = noahwebster.com
O17 - HKLM\Software\..\Telephony: DomainName = noahwebster.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{A77DFEA8-901E-4FC4-BBC5-90240B31DF04}: NameServer = 10.1.1.1,10.1.1.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = noahwebster.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = noahwebster.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

____________________________
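A HijackThis log is read by section code (R0/R1 for IE start and search pages, O4 for autoruns, O17 for DNS and domain settings, O20 for Winlogon Notify DLLs). The parser below is an added example for this thread, not HijackThis's own code: it structures such a log and runs two defender-side triage checks. SAMPLE_LOG is a constructed excerpt in the shape of the log posted above; the CS1 NameServer line with 198.51.100.7 (a documentation address) is constructed to exercise the external-resolver check.

```python
"""Structure a HijackThis v1.99 log and run two defender-side checks.
Added example, not HijackThis's own code. SAMPLE_LOG is a constructed excerpt
in the shape of the posted log; the CS1 NameServer line (198.51.100.7, a
documentation address) is constructed to exercise the external-resolver check."""
import ipaddress
import re
from collections import defaultdict

SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 8:58 AM, on 05/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\tppaldr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\tppaldr.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Startup: HotSync Manager.LNK = C:\Program Files\Tapwave\HOTSYNC.EXE
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = noahwebster.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{A77DFEA8-901E-4FC4-BBC5-90240B31DF04}: NameServer = 10.1.1.1,10.1.1.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{A77DFEA8-901E-4FC4-BBC5-90240B31DF04}: NameServer = 10.1.1.1,198.51.100.7
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Every finding is "<code> - <body>", e.g. "O4 - HKLM\..\Run: [name] command".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Directories where autorun images normally live (lower-case path prefixes).
USUAL_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
# Ranges a LAN resolver is expected to come from (RFC 1918 plus loopback).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_hjt(text):
    """Return (processes, entries): the running-process list and a dict
    mapping a section code such as "O4" to the list of its entry bodies."""
    processes, entries, in_procs = [], defaultdict(list), False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group("code")].append(m.group("body"))
    return processes, dict(entries)


def o4_image_path(body):
    """Return the program an O4 entry starts, without quotes or arguments."""
    kind, rest = body.split(":", 1)
    if kind.strip() in ("Startup", "Global Startup"):
        cmd = rest.split(" = ", 1)[1]   # shortcut target after "name.lnk = "
    else:
        cmd = rest.split("]", 1)[1]     # text after the "[value name]"
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    # Unquoted command line: cut at the first switch such as " /logon" or " -q".
    return re.split(r"\s+[/-]", cmd, maxsplit=1)[0]


def unusual_autoruns(entries, system_root="C:\\WINDOWS"):
    """O4 images outside the Windows/Program Files trees; review these first."""
    flagged = []
    for body in entries.get("O4", []):
        path = o4_image_path(body).replace("%SystemRoot%", system_root)
        if not path.lower().startswith(USUAL_DIRS):
            flagged.append(path)
    return flagged


def external_nameservers(entries):
    """O17 NameServer addresses outside INTERNAL_NETS; confirm each one is a
    resolver you actually configured, since O17 is where DNS hijacks show up."""
    external = []
    for body in entries.get("O17", []):
        if "NameServer = " not in body:
            continue
        for addr in body.split("NameServer = ", 1)[1].split(","):
            ip = ipaddress.ip_address(addr.strip())
            if not any(ip in net for net in INTERNAL_NETS):
                external.append(str(ip))
    return external


def winlogon_notify(entries):
    """(name, dll) pairs from O20 entries; these DLLs are loaded by winlogon."""
    prefix = "Winlogon Notify: "
    return [tuple(body[len(prefix):].split(" - ", 1))
            for body in entries.get("O20", []) if body.startswith(prefix)]


if __name__ == "__main__":
    procs, entries = parse_hjt(SAMPLE_LOG)
    print(f"{len(procs)} processes, {sum(map(len, entries.values()))} entries")
    print("O4 images outside usual dirs:", unusual_autoruns(entries))
    print("O17 external nameservers:", external_nameservers(entries))
    print("O20 Winlogon Notify DLLs:", winlogon_notify(entries))
```

Paste a full log into SAMPLE_LOG (or read it from a file) to triage a real log the same way; a flagged path only means "look at this one by hand", as the Compaq utility in the sample shows.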


#2 didom


Posted 13 May 2006 - 06:51 AM

Please download Blacklight and save it to your C:\ drive. Important!!
F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
Then go to Start > Run and copy and paste the following command into the field:

C:\blbeta.exe /expert

This should open Blacklight.
Click Scan, then Next.
You'll see a list of all items found.
Don't choose to rename anything yet! I want to see the log first, because legitimate items can also be present there...
There should also be a log on your C:\ with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).

---------------------------------------

Please download OldTimer's Winpfind from here:
http://www.bleepingcomputer.com/files/winpfind.php
Unzip it to the desktop and run Winpfind.exe.

Once the scan is finished, please CLOSE the Notepad window that pops up. Then please post the entire contents of the logfile winpfind.txt here for me.

#3 TerryK

TerryK
  • Topic Starter


Posted 15 May 2006 - 12:52 PM

Hi Dick,

Thanks for responding. This whole process, while annoying, has also been very educational - and frightening. It's mind-boggling how much malicious stuff is out there, and how devious it is getting.
Kudos to you and everyone else who is fighting back.

Terry

Here is the Blacklight log: (no items found)
______________________________________
05/15/06 10:16:23 [Info]: BlackLight Engine 1.0.36 initialized
05/15/06 10:16:23 [Info]: OS: 5.1 build 2600 (Service Pack 2)
05/15/06 10:16:25 [Note]: 7019 4
05/15/06 10:16:25 [Note]: 7005 0
05/15/06 10:16:39 [Note]: 7006 0
05/15/06 10:16:39 [Note]: 7022 0
05/15/06 10:16:40 [Note]: 7011 3160
05/15/06 10:16:40 [Note]: 7026 0
05/15/06 10:16:40 [Note]: 7026 0
05/15/06 10:16:40 [Note]: FSRAW library version 1.7.1015
05/15/06 10:27:40 [Note]: 7007 0
______________________________________


And here is the Winpfind log:
______________________________________
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Windows OS and Versions
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

Checking Selected Standard Folders

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 03/30/2003 7:00:00 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 04/10/2006 1:00:34 PM 555824 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 05/03/2006 9:26:22 PM 5818784 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 05/03/2006 9:26:22 PM 5818784 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 08/04/2004 12:56:38 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 08/04/2004 12:56:46 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 03/30/2003 7:00:00 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech 08/03/2004 10:41:38 PM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
05/12/2006 10:48:50 AM S 2048 C:\WINDOWS\bootstat.dat
05/10/2006 10:48:02 AM RHS 227 C:\WINDOWS\assembly\Desktop.ini
05/10/2006 10:55:38 AM RH 0 C:\WINDOWS\assembly\PublisherPolicy.tme
05/10/2006 10:55:38 AM RH 0 C:\WINDOWS\assembly\pubpol1.dat
05/10/2006 11:34:40 AM RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index1b.dat
05/10/2006 11:34:44 AM RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index1c.dat
05/12/2006 10:50:16 AM S 472 C:\WINDOWS\CSC\00000001
05/12/2006 10:10:36 AM S 128 C:\WINDOWS\CSC\00000002
05/11/2006 2:12:46 PM S 40 C:\WINDOWS\CSC\00000003
05/06/2006 3:11:54 PM S 64 C:\WINDOWS\CSC\csc1.tmp
05/11/2006 2:12:46 PM S 64 C:\WINDOWS\CSC\d2\00000011
05/11/2006 2:12:46 PM S 64 C:\WINDOWS\CSC\d3\00000012
05/12/2006 10:12:14 AM H 35986 C:\WINDOWS\system32\vsconfig.xml
05/11/2006 12:47:14 PM H 4212 C:\WINDOWS\system32\zllictbl.dat
05/15/2006 7:49:28 AM S 234 C:\WINDOWS\system32\appmgmt\S-1-5-21-162059709-1064504452-3043738115-1325\AppMgmt.ini
03/23/2006 10:11:10 PM S 10337 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB904942.cat
04/18/2006 12:17:08 AM S 14054 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB908531.cat
03/22/2006 11:15:38 PM S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911562.cat
03/17/2006 2:24:26 AM S 12455 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911567.cat
03/30/2006 3:03:56 AM S 22339 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB912812.cat
03/21/2006 10:19:48 PM S 15945 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB913580.cat
04/10/2006 1:01:22 PM S 7160 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WgaNotify.cat
05/15/2006 9:59:22 AM H 1024 C:\WINDOWS\system32\config\default.LOG
05/12/2006 10:48:48 AM H 8192 C:\WINDOWS\system32\config\SAM.LOG
05/15/2006 8:49:36 AM H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
05/15/2006 10:41:58 AM H 1024 C:\WINDOWS\system32\config\software.LOG
05/15/2006 10:27:46 AM H 1024 C:\WINDOWS\system32\config\system.LOG
05/10/2006 11:00:08 AM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
05/09/2006 8:54:10 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\e0fb1b3e-a8e0-4572-b041-ab5fcf6fe208
05/09/2006 8:54:10 AM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
05/04/2006 5:54:40 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\4a5725f1-88a9-4695-bf3f-48c21cdf026d
05/04/2006 5:54:40 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
05/12/2006 10:48:52 AM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 08/04/2004 12:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 08/04/2004 12:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Broadcom Corporation 03/05/2003 8:23:00 PM 376832 C:\WINDOWS\SYSTEM32\B57exp.cpl
Microsoft Corporation 08/04/2004 12:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
07/29/2004 12:56:00 PM 221184 C:\WINDOWS\SYSTEM32\cttune.cpl
Microsoft Corporation 08/04/2004 12:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 08/04/2004 12:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 08/04/2004 12:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Intel Corporation 09/20/2005 9:35:12 AM 77824 C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation 08/04/2004 12:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 08/04/2004 12:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 08/04/2004 12:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 08/04/2004 12:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems 07/27/2004 1:11:38 PM 61555 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 03/30/2003 7:00:00 PM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 08/04/2004 12:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 03/30/2003 7:00:00 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 08/04/2004 12:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 08/04/2004 12:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 03/30/2003 7:00:00 PM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 08/04/2004 12:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 08/04/2004 12:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 08/04/2004 12:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 03/30/2003 7:00:00 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 08/04/2004 12:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 08/04/2004 12:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 05/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 05/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
Intel Corporation 03/11/2003 3:18:48 AM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0009\DriverFiles\igfxcpl.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
02/27/2006 1:10:58 PM 1757 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
05/19/2003 6:22:16 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
05/10/2006 11:12:16 AM 772 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Trend Micro Anti-Spyware.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
05/18/2003 11:09:52 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
05/19/2003 6:22:16 AM HS 84 C:\Documents and Settings\tkeller\Start Menu\Programs\Startup\desktop.ini
03/27/2006 10:33:38 AM 668 C:\Documents and Settings\tkeller\Start Menu\Programs\Startup\HotSync Manager.LNK
02/17/2006 7:54:08 AM 506 C:\Documents and Settings\tkeller\Start Menu\Programs\Startup\ToDo List.lnk

Checking files in %USERPROFILE%\Application Data folder...
05/18/2003 11:09:52 PM HS 62 C:\Documents and Settings\tkeller\Application Data\desktop.ini

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
Adobe PDF Reader Link Helper = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{21569614-B795-46B1-85F4-E737A8DC09AD}
Shell Search Band = %SystemRoot%\system32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
DrvLsnr C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
srmclean C:\Cpqs\Scom\srmclean.exe
SetRefresh C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
Synchronization Manager %SystemRoot%\system32\mobsync.exe /logon
TPP Auto Loader C:\WINDOWS\tppaldr.exe
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
vptray C:\PROGRA~1\SYMANT~1\VPTray.exe
igfxtray C:\WINDOWS\system32\igfxtray.exe
igfxhkcmd C:\WINDOWS\system32\hkcmd.exe
igfxpers C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ctfmon.exe C:\WINDOWS\system32\ctfmon.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID
{17492023-C23A-453E-A040-C7C580BBF700} 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
NoAddingComponents 0
NoComponents 1
NoDeletingComponents 0
NoEditingComponents 0
NoCloseDragDropBands 0
NoMovingBands 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
NoActiveDesktopChanges 0
NoActiveDesktop 0
NoSaveSettings 0
ClassicShell 0
ForceActiveDesktopOn 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
NoDispBackgroundPage 0
NoDispScrSavPage 0
NoDispCPL 0
HideLogonScripts 0
Wallpaper C:\NWBSDesktops\support services.jpg
WallpaperStyle 2


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxdev.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon
= C:\WINDOWS\system32\NavLogon.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
= WgaLogon.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


Scan Complete
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 05/15/2006 10:44:14 AM

______________________________________

#4 didom


Posted 15 May 2006 - 03:44 PM

Please follow the instructions provided; you may want to print them out and use them as a reference.

Please download ewido anti-malware; it is the free version of the program.
  • Install ewido security suite.
  • When installing, under "Additional Options" uncheck:
    • Install background guard
    • Install scan via context menu
  • Launch ewido: there should be an icon on your desktop; double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left-hand side of the main screen, click Update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (The status bar at the bottom will display "Update successful".)
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Once the updates are installed do the following:

Reboot into Safe Mode: restart your computer, then continually tap F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.
Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido security suite.

Reboot into normal mode.

Then, please run this online virus scan: Panda ActiveScan

Save the scan log and post it along with a new HijackThis Log and the Ewido log in your next reply.

#5 TerryK

  • Topic Starter


Posted 16 May 2006 - 01:24 PM

Thanks.
Here are the Ewido and HijackThis logs (HijackThis in normal mode, done after Ewido in safe mode). I could not get to the Panda site; that seems to be blocked.

Terry
________________________________

Logfile of HijackThis v1.99.1
Scan saved at 11:17 AM, on 05/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\WINDOWS\tppaldr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\Tapwave\HOTSYNC.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\tkeller\Desktop\SpyWare Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\tppaldr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: HotSync Manager.LNK = C:\Program Files\Tapwave\HOTSYNC.EXE
O4 - Startup: ToDo List.lnk = C:\Documents and Settings\tkeller\Desktop\ToDo List.txt
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1147207812118
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = noahwebster.com
O17 - HKLM\Software\..\Telephony: DomainName = noahwebster.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{A77DFEA8-901E-4FC4-BBC5-90240B31DF04}: NameServer = 10.1.1.1,10.1.1.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = noahwebster.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = noahwebster.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

_______________________________________

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:08 AM, 05/16/2006
+ Report-Checksum: C38FC9FD

+ Scan result:

:mozilla.7:C:\Documents and Settings\administrator.NOAHWEBSTER\Application Data\Mozilla\Firefox\Profiles\s9wjubxz.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.8:C:\Documents and Settings\administrator.NOAHWEBSTER\Application Data\Mozilla\Firefox\Profiles\s9wjubxz.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.9:C:\Documents and Settings\administrator.NOAHWEBSTER\Application Data\Mozilla\Firefox\Profiles\s9wjubxz.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.10:C:\Documents and Settings\administrator.NOAHWEBSTER\Application Data\Mozilla\Firefox\Profiles\s9wjubxz.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.22:C:\Documents and Settings\administrator.NOAHWEBSTER\Application Data\Mozilla\Firefox\Profiles\s9wjubxz.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.32:C:\Documents and Settings\administrator.NOAHWEBSTER\Application Data\Mozilla\Firefox\Profiles\s9wjubxz.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.33:C:\Documents and Settings\administrator.NOAHWEBSTER\Application Data\Mozilla\Firefox\Profiles\s9wjubxz.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.38:C:\Documents and Settings\administrator.NOAHWEBSTER\Application Data\Mozilla\Firefox\Profiles\s9wjubxz.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.41:C:\Documents and Settings\administrator.NOAHWEBSTER\Application Data\Mozilla\Firefox\Profiles\s9wjubxz.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.42:C:\Documents and Settings\administrator.NOAHWEBSTER\Application Data\Mozilla\Firefox\Profiles\s9wjubxz.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.43:C:\Documents and Settings\administrator.NOAHWEBSTER\Application Data\Mozilla\Firefox\Profiles\s9wjubxz.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.44:C:\Documents and Settings\administrator.NOAHWEBSTER\Application Data\Mozilla\Firefox\Profiles\s9wjubxz.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.34:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.35:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.36:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.37:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.38:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.39:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.40:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.41:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.42:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.43:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.44:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.45:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.54:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.69:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.70:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.71:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.72:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.73:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.74:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.75:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.76:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.78:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.79:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.80:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.81:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup
:mozilla.82:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup
:mozilla.94:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.103:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.104:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.105:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.106:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.126:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.127:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.152:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.158:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.201:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.225:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.245:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.291:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.292:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.317:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.318:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.329:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.373:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.393:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.395:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.396:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.417:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.418:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.419:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.423:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.424:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.425:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.426:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.427:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.438:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.460:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.461:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.462:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.463:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.469:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.470:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.471:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.521:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned with backup
:mozilla.543:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.544:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.587:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Yadro : Cleaned with backup
:mozilla.588:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Yadro : Cleaned with backup
:mozilla.590:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.591:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.592:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.600:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned with backup
:mozilla.601:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned with backup
:mozilla.602:C:\Documents and Settings\tkeller\Application Data\Mozilla\Firefox\Profiles\2xzsnsrj.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\tkeller\Cookies\tkeller@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\tkeller\Cookies\tkeller@anat.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\tkeller\Cookies\tkeller@buycom.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\tkeller\Cookies\tkeller@data4.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\tkeller\Cookies\tkeller@gmditech.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\tkeller\Cookies\tkeller@highbeam.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\tkeller\Cookies\tkeller@highbeam.122.2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\tkeller\Cookies\tkeller@jjkeller.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\tkeller\Cookies\tkeller@jjkeller.122.2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\tkeller\Cookies\tkeller@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\tkeller\Cookies\tkeller@microsoftwga.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\tkeller\Cookies\tkeller@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\tkeller\Cookies\tkeller@primediabusiness.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\tkeller\Cookies\tkeller@rotator.dex.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\tkeller\Cookies\tkeller@rotator.dex.adjuggler[2].txt -> TrackingCookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\tkeller\Cookies\tkeller@sales.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\tkeller\Cookies\tkeller@sales.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\tkeller\Cookies\tkeller@sales.liveperson[3].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\tkeller\Cookies\tkeller@sales.liveperson[4].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\tkeller\Cookies\tkeller@sales.liveperson[5].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\tkeller\Cookies\tkeller@sales.liveperson[6].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\tkeller\Cookies\tkeller@thunderbolt.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\tkeller\Cookies\tkeller@thunderbolt.adjuggler[2].txt -> TrackingCookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\tkeller\Cookies\tkeller@www.myaffiliateprogram[2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\tkeller\Cookies\tkeller@yadro[2].txt -> TrackingCookie.Yadro : Cleaned with backup


::Report End
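
As an added triage example (not from this thread and not HijackThis's own code): a small Python parser for the R/O entry lines of a HijackThis v1.99 log in the shape posted above. It reports two kinds of review items: R0/R1 start or search page URLs whose host is not one of the stock IE defaults, and O17 NameServer addresses outside the RFC 1918 private ranges. The allowlist of default hosts and the sample lines at the bottom are assumptions constructed for the example; a flagged line is a prompt to look closer, not a verdict.

```python
"""
Triage helper for HijackThis v1.99 log entries (added example; not part of the
thread above and not HijackThis's own code). Parses the "Rn - ..." / "On - ..."
lines and returns review items. A review item means "look closer", not "infected".
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit

# Every HijackThis entry line starts with a section tag such as R0, R1, O4, O17.
_ENTRY = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")

# Assumption for this example: hosts used by IE 6's stock start/search pages.
# Any other host in an R0/R1 entry is reported for review.
KNOWN_DEFAULT_HOSTS = {"www.microsoft.com", "home.microsoft.com"}

# RFC 1918 private ranges; checked explicitly rather than via is_private so the
# documentation range 192.0.2.0/24 used in the sample below counts as "outside".
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Entry:
    section: str
    body: str


def parse_log(text: str) -> List[Entry]:
    """Keep only the Rn/On entry lines; the header and the process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = _ENTRY.match(raw.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def review_browser_urls(entries: List[Entry]) -> List[str]:
    """R0/R1 entries set IE's start/search pages; an unknown host is a hijack candidate."""
    findings = []
    for e in entries:
        if e.section not in ("R0", "R1") or " = " not in e.body:
            continue
        value = e.body.split(" = ", 1)[1].strip()
        if "://" not in value:
            continue  # e.g. "ShellNext = iexplore" carries no URL
        host = (urlsplit(value).hostname or "").lower()
        if host not in KNOWN_DEFAULT_HOSTS:
            findings.append(f"{e.section}: unexpected host {host!r} in {value}")
    return findings


def review_nameservers(entries: List[Entry]) -> List[str]:
    """O17 NameServer entries: report resolvers outside RFC 1918 so they can be confirmed."""
    findings = []
    for e in entries:
        if e.section != "O17" or "NameServer = " not in e.body:
            continue
        for s in e.body.split("NameServer = ", 1)[1].split(","):
            s = s.strip()
            try:
                addr = ipaddress.ip_address(s)
            except ValueError:
                findings.append(f"O17: unparsable NameServer {s!r}")
                continue
            if not any(addr in net for net in RFC1918):
                findings.append(f"O17: non-private NameServer {s} (confirm it is your ISP's)")
    return findings


def triage(text: str) -> List[str]:
    entries = parse_log(text)
    return review_browser_urls(entries) + review_nameservers(entries)


# Constructed sample in the shape of the log above: the first three entries are
# clean copies of that log's lines, the last two are made up to exercise the checks.
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
Running processes:
C:\\WINDOWS\\System32\\smss.exe

R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\\Software\\Microsoft\\Internet Connection Wizard,ShellNext = iexplore
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{A77DFEA8-901E-4FC4-BBC5-90240B31DF04}: NameServer = 10.1.1.1,10.1.1.2
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://search.example.invalid/start
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: NameServer = 192.0.2.53
"""

if __name__ == "__main__":
    for item in triage(SAMPLE_LOG):
        print(item)
```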

#6 didom

didom

  • Members
  • 1,389 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:39 AM

Posted 16 May 2006 - 03:08 PM

Mm, all looks clean... :thumbsup:

Please try this:

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Also try this online virusscan:

Please run a free online scan with Kaspersky AntiVirus (works only with MS Internet Explorer 5.0 or higher).
Go to http://www.kaspersky.com/virusscanner and click the "Kaspersky Online Scanner" button (NOT "Kaspersky File Scanner").
  • In the new window that opens, click the "Accept" button to accept the user agreement, install the ActiveX control, and download the program.
  • When you get the Windows dialog asking if you want to install this software, click the "Install" button.
  • When the "Update progress" line changes to "Ready" and the "NEXT ->" button lights up with a green arrow, click it.
  • Click on the "Scan Settings" button, and in the next window select the "extended" database, and click Ok.
  • Under "Please select a target to scan:", click My Computer to start the scan.
When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window, and post the text in kavscan.txt in your next reply.

Start HijackThis and perform a new scan.

Use the Add Reply button to post your new logs back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

#7 TerryK

TerryK
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:04:39 PM

Posted 18 May 2006 - 11:09 AM

Here is the Smitfraudfix;
__________________________________
SmitFraudFix v2.44

Scan done at 8:52:24.79, 05/18/2006
Run from C:\Documents and Settings\tkeller\Desktop\SpyWare Stuff\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

P:\


C:\WINDOWS

C:\WINDOWS\system

C:\WINDOWS\Web

C:\WINDOWS\system32

C:\Documents and Settings\tkeller\Application Data

Start Menu

C:\DOCUME~1\tkeller\FAVORI~1

Desktop

C:\Program Files

Corrupted keys

Desktop Components

Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Scanning wininet.dll infection

End

Kaspersky: ___________________________________________

I can get to the kaspersky virusscan page in IE, but when I click the button for the scanner all that happens is a blank window pops up.

Hijackthis: ________________________________
Logfile of HijackThis v1.99.1
Scan saved at 9:08 AM, on 05/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\WINDOWS\tppaldr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Tapwave\HOTSYNC.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\Tmas\tmas.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Documents and Settings\tkeller\Desktop\SpyWare Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\tppaldr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: HotSync Manager.LNK = C:\Program Files\Tapwave\HOTSYNC.EXE
O4 - Startup: ToDo List.lnk = C:\Documents and Settings\tkeller\Desktop\ToDo List.txt
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1147207812118
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = noahwebster.com
O17 - HKLM\Software\..\Telephony: DomainName = noahwebster.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{A77DFEA8-901E-4FC4-BBC5-90240B31DF04}: NameServer = 10.1.1.1,10.1.1.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = noahwebster.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = noahwebster.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#8 didom

didom

  • Members
  • 1,389 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:39 AM

Posted 18 May 2006 - 03:23 PM

Download The Hoster
  • Unzip hoster to an own folder (C:\Hoster)
  • Start Hoster.exe
  • Click 'Restore Original Hosts' and click OK.
  • Close the program.
Please reboot and post a fresh HijackThis log. Also tell me if you're still having problems!
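The Hoster step above restores the Windows hosts file. For anyone who wants to inspect that file before (or instead of) overwriting it, here is an added check that is not part of this thread or of the Hoster tool: it parses a hosts file and reports any well-known domain that has been mapped to a sinkhole address (127.0.0.1 or 0.0.0.0) or to an unexpected IP, which is the usual way a hosts-file hijack blocks search engines and vendor sites. The sample file contents and the watch-list of domains are constructed for the example; on a real machine, read C:\WINDOWS\system32\drivers\etc\hosts instead.

```python
import ipaddress

# Constructed sample of a Windows hosts file (not taken from the thread).
# The google/msn entries mimic the kind of override a hosts-file hijack adds.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.google.com
127.0.0.1       google.com
0.0.0.0         search.msn.com     # also a sinkhole address
10.1.1.5        intranet.example.test
"""

# Names that legitimately point at the local host and must never be flagged.
BUILTIN_LOCAL = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed watch-list: domains whose presence in a hosts file is almost
# never legitimate. Extend to taste (vendor update and AV sites are common targets).
WATCHLIST = {"google.com", "yahoo.com", "msn.com", "microsoft.com",
             "windowsupdate.com", "symantec.com", "bleepingcomputer.com"}


def parse_hosts(text):
    """Return a list of (line_number, ip_address, hostname) tuples.

    Comments (anything after '#') and blank lines are ignored. A line whose
    first token is not a valid IP address is skipped rather than raising.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line, not a mapping
        for name in parts[1:]:
            entries.append((lineno, ip, name.lower()))
    return entries


def _on_watchlist(name, watchlist):
    # Match the domain itself and any subdomain (www.google.com -> google.com).
    return any(name == d or name.endswith("." + d) for d in watchlist)


def suspicious_overrides(entries, watchlist=WATCHLIST):
    """Flag entries that sinkhole a non-local name or override a watched domain.

    Note: ad-blocking hosts files sinkhole thousands of names on purpose, so
    the 'sinkhole' reason alone is a prompt to look, not proof of infection.
    """
    findings = []
    for lineno, ip, name in entries:
        if name in BUILTIN_LOCAL:
            continue
        reasons = []
        if ip.is_loopback or ip.is_unspecified:
            reasons.append("sinkhole")
        if _on_watchlist(name, watchlist):
            reasons.append("watchlist")
        if reasons:
            findings.append({"line": lineno, "name": name,
                             "ip": str(ip), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_overrides(parse_hosts(SAMPLE_HOSTS)):
        print(f"line {f['line']}: {f['name']} -> {f['ip']} ({', '.join(f['reasons'])})")
```

Running it against the sample flags the three google/msn lines and leaves the intranet entry alone, which is the distinction a helper wants before deciding whether a hosts file needs restoring.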

#9 TerryK

TerryK
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:04:39 PM

Posted 18 May 2006 - 09:06 PM

OK. I did the hoster and rebooted. (all the way off, back on)

Still have the same problems.
IE says "Page cannot be displayed" for just about any major site I can think of, such as
google, msn, yahoo, A9, epinions, etc.

But I can get to other places like LAtimes, servicarizona, yahoo.com.cn, etc.

I installed firefox and have no problems getting to any site.

I can ping those sites that IE won't open.

Windows Search for Files/Folders won't work. The Search Companion dog is there, but nothing else but an empty blue field above the dog.

I cannot download stuff. I get a security alert "Your current security settings do not allow this file to be downloaded". In IE options, file downloads are enabled, and even resetting to the default doesn't help.

I can open bleepingcomputer, but can't go to the forums. If I paste the hoster link address into IE from firefox I get the above security alert.

I cannot extract out of archives. If I try to extract, a warning pops up telling me that "Windows has blocked access to these files to help protect your computer". If I try to click on the help link provided in the dialog, the Help and Support center starts to open, but then a dialog pops up saying "An error has occured in the script on this page".
Details:
Line: 98
Char: 4
Error: 'xmldoc.documentElement' is null or not an object
Code: 0
URL: ms-
its:C:\WINDOWS\Help\Update1.chm::/Block_downloads.htm

(the URL line looks like that - broken after ms-)

If I try to continue on with the script, I get more errors like that.

I can double click on an archive and view the contents in it, but I can not copy or move them out. I just get a zero length file or folder.

Now, if I go over to the other computer in my office (just about identical, but little used), I can log onto it using my login and profile (roaming) and everything IE related works just fine. In fact, that is how I have to get these programs - by downloading them on that machine, extracting them, and putting them on a folder on the network.

So it doesn't seem to be something associated with me or my profile, it seems to be isolated to this one machine. And yet, I can't seem to find anything wrong that could be the culprit.

If it is malware, how could it hide so well? And it seems to have an extensive list of blocked addresses, so what other means other than hosts and restricted sites could be used to do that?

This is really ticking me off.

I thank you so much for trying to help me fix this. It is really appreciated.

Terry

Here is the latest HijackThis log:
____________________________
Logfile of HijackThis v1.99.1
Scan saved at 6:19 PM, on 05/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\WINDOWS\tppaldr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\Tapwave\HOTSYNC.EXE
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\tkeller\Desktop\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\tppaldr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: HotSync Manager.LNK = C:\Program Files\Tapwave\HOTSYNC.EXE
O4 - Startup: ToDo List.lnk = C:\Documents and Settings\tkeller\Desktop\ToDo List.txt
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1147207812118
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = noahwebster.com
O17 - HKLM\Software\..\Telephony: DomainName = noahwebster.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{A77DFEA8-901E-4FC4-BBC5-90240B31DF04}: NameServer = 10.1.1.1,10.1.1.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = noahwebster.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = noahwebster.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
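The HijackThis logs in this thread are triaged by eye, and the two line types that matter most for "sites won't load in IE" symptoms are the R0/R1 entries (IE start and search URLs) and the O17 entries (domain and DNS server settings). The following added example, which is not part of the thread or of HijackThis, parses log lines in that format and reports any R0/R1 URL whose host is not on an expected list and any O17 NameServer that is not one of the resolvers an administrator expects. The sample log lines, the GUID, the searchportal.example.test host, the 203.0.113.9 resolver and both allow-lists are constructed for the example; the only values carried over from the thread are the microsoft.com URLs and the 10.1.1.1,10.1.1.2 resolvers, which the logs above show as normal for this machine.

```python
import re
from urllib.parse import urlparse

# Constructed HijackThis-style log excerpt. Two lines are deliberately
# abnormal (the example.test start page and the 203.0.113.9 resolver).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchportal.example.test/home
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
O17 - HKLM\System\CCS\Services\Tcpip\..\{A77DFEA8-901E-4FC4-BBC5-90240B31DF04}: NameServer = 10.1.1.1,10.1.1.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{00000000-CONSTRUCTED-GUID-000000000000}: NameServer = 203.0.113.9
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = noahwebster.com
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Constructed allow-lists: hosts IE's default pages are expected to use, and
# the DNS resolvers the site's network is known to hand out.
EXPECTED_URL_HOSTS = {"www.microsoft.com", "home.microsoft.com"}
EXPECTED_NAMESERVERS = {"10.1.1.1", "10.1.1.2"}

_LINE_RE = re.compile(r"^(R[0-3]|O\d+) - (.+)$")


def parse_hjt(text):
    """Turn HijackThis lines into dicts with section, key and value.

    'value' is the text after the last ' = ' separator, or None for lines
    (such as O4 Run entries) that carry no such separator.
    """
    records = []
    for raw in text.splitlines():
        m = _LINE_RE.match(raw.strip())
        if not m:
            continue
        section, rest = m.groups()
        if " = " in rest:
            key, value = rest.rsplit(" = ", 1)
        else:
            key, value = rest, None
        records.append({"section": section, "key": key, "value": value})
    return records


def unexpected_url_hosts(records, expected=EXPECTED_URL_HOSTS):
    """Return (key, host) for every R0/R1 URL pointing somewhere unexpected."""
    findings = []
    for rec in records:
        if not rec["section"].startswith("R") or not rec["value"]:
            continue
        if not rec["value"].lower().startswith(("http://", "https://")):
            continue  # e.g. ShellNext = iexplore is not a URL
        host = (urlparse(rec["value"]).hostname or "").lower()
        if host not in expected:
            findings.append((rec["key"], host))
    return findings


def unexpected_nameservers(records, expected=EXPECTED_NAMESERVERS):
    """Return every O17 NameServer address that is not on the expected list."""
    findings = []
    for rec in records:
        if rec["section"] != "O17" or not rec["key"].endswith("NameServer"):
            continue
        for ip in (rec["value"] or "").split(","):
            ip = ip.strip()
            if ip and ip not in expected:
                findings.append(ip)
    return findings


if __name__ == "__main__":
    recs = parse_hjt(SAMPLE_LOG)
    for key, host in unexpected_url_hosts(recs):
        print(f"unexpected IE URL host {host!r} in {key}")
    for ip in unexpected_nameservers(recs):
        print(f"unexpected DNS resolver {ip}")
```

The allow-list approach is deliberate: deciding "private versus public" is not enough, because a resolver on a private address can still be an attacker's box on the LAN, whereas a list of the resolvers the network is supposed to hand out gives a clear yes/no. The same holds for the URL hosts, which is why the example compares against known-good hosts rather than trying to recognise bad ones.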

#10 didom

didom

  • Members
  • 1,389 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:39 AM

Posted 19 May 2006 - 03:58 AM

It looks like your problem is Internet Explorer.

Let's try this:

1. Please download IEFix
2. Extract the content and run it.
3. Click the Apply button.
4. You'll be prompted for the Operating System CD or the Service Pack Files location:
  • If you're using Windows XP, insert the Operating System CD. For OEM systems, point to the Operating System source path when prompted. If you've applied a Service Pack separately, you need to insert the Slipstreamed Operating System CD (if you have one) or point the installer to the ServicePack source path when prompted. Mention the path as "C:\Windows\ServicePackFiles\i386" or "C:\Windows\ServicePackFiles"

  • If you don't have the Windows installation CD, and if the installation source files are not present in the hard disk, you may click Cancel when you see the dialog. IEFix will continue with the DLL registration part.
5. Restart Windows.

Then please tell me if it worked.

#11 TerryK

TerryK
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:04:39 PM

Posted 19 May 2006 - 11:26 AM

HALLELUJAH! :thumbsup:

That did the trick.
I just tried the quick version, cancelling when it needed the XP CD.
Everything seems to be working normally now.

At least one good thing came out of this debacle, my IT let me install Firefox. :flowers:

Thank you, Thank you, Thank you so much.

You Rock,

Terry

#12 didom

didom

  • Members
  • 1,389 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:39 AM

Posted 19 May 2006 - 02:20 PM

That's great news!

At least one good thing came out of this debacle, my IT let me install Firefox.

That sure is a good thing!

This is a good time to set up protection against further attacks. Read the article behind this link "How did I get infected". If you don't already have them, you need an antivirus that is updated, a good firewall for example Kerio Personal Firewall or ZoneLabs Zone Alarm, a spyware blocker like SpywareBlaster and also IE-Spyads and spyware detection (Ad-aware SE and SpyBot S+D). All of these have good free versions available... be very cautious about any security software that advertises in popups or other intrusive ways, they are not only usually useless, but also often have malware in them....

Instead of Internet Explorer, use a different browser like Opera, Mozilla or Firefox.

Last, but not least, you need to keep Windows and Internet Explorer up to date by getting all the latest security patches that protect your computer.

This can be accessed by going to http://windowsupdate.microsoft.com and following the prompts.

Please post back if you are still having any problems....
