Infected W/alexa Or Something


18 replies to this topic

#1 Eagle7


Posted 10 December 2006 - 05:07 PM

Hello folks,

Had a rough go over the last 10+ days with this computer. Have done over the phone hardware diagnostic tests with HP to rule out any hardware issues.

I have XP Home on a Compaq Presario, 1.83 AMD, 512 RAM, 68 GB free disk space. Major problems: unable to auto update any security programs, including Windows Updates, AVG A/V w/firewall and AVG A/S, SpySweeper, Spybot S & D, Ad-Aware and Spyware Terminator. Unable to surf with Firefox and Opera, only IE is working. Error will say "Connection timed out" or "Page not found". Ran all my security programs in Safe Mode, all they found was "Alexa", so deleted it. Found over 30 system errors in the Event Viewer on 11/29, many include "boot-start or system start drivers unable to load", including drivers for DNS, AVG, NetBIOS and others. I'm still under extended warranty. All HP will do is send me new Recovery CD's, but they're having a hard time doing even that as the first two sets were the wrong ones, the 3rd set was sent 12/8 - supposed to be overnighted but the email confirm said "Standart Postal Delivery Ground". Anticipated delivery not until 12/15. Argh!

Was talking to my son yesterday about these problems. He emailed me the install package for HiJack This, so I was able to run and save it. I will cut and paste here. Hopefully, someone will be able to detect my problem. Thanks in advance. My original posts regarding this problem are here:

http://www.bleepingcomputer.com/forums/t/73743/infected-by-alexa-please-help/

Logfile of HijackThis v1.99.1
Scan saved at 2:37:38 PM, on 12/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\system32\kmw_run.exe
C:\PROGRA~1\Keyboard\Ikeymain.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
C:\Program Files\Internet Accelerator\PropelAC.exe
C:\Program Files\Creative Home\Hallmark Card Studio 2006\Planner\PLNRnote.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MOZILL~2\THUNDE~1.EXE
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\fs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.christianityonline.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\Internet Accelerator\prpl_IePopupBlocker.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe"
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [KenKeybd] C:\PROGRA~1\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [CamMonitor] "C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\Internet Accelerator\trayctl.exe" /STARTUPLAUNCH
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Event Planner Reminder.lnk = C:\Program Files\Creative Home\Hallmark Card Studio 2006\Planner\PLNRnote.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Allow pop-ups from this site - C:\Program Files\Internet Accelerator\pac-addwl.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\Internet Accelerator\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\Internet Accelerator\pac-image.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{12489D7A-7C88-4CA3-8BB7-4B1A550BFB01}: NameServer = 209.244.0.3 209.244.0.4
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


NOTE: I did read all the HJT directions about cleaning and running various scans. I was unable to run ANY of the online scans, I would always get the "Page not found" error. This happens anytime I try to open a page with any security scans on it.

Edited by Eagle7, 10 December 2006 - 05:15 PM.



#2 Bobbi Flekman

  • Malware Response Team
Posted 11 December 2006 - 05:26 AM

Hi Eagle7,

Good! You managed to get a log :thumbsup:. Now for the bad news... Your log looks pretty clean; this means that the thing that is bugging you is keeping itself hidden. And this means we have to do other downloads to try and find it...

A warning beforehand though is this. With the current sophistication of malware it will be extremely difficult to get rid of it. This means that I cannot guarantee a complete solution. The best and easiest way of getting rid of it is reformatting the hard disc and reinstallation of everything. Before taking such drastic measures though it is best to back up everything so you don't lose valuable data.

Now let's try and find it. Before we are going to deal with the entries of the log I would like to see what we can get rid of in the normal way.

Please create a list of programs that can be removed using Add/Remove Programs
Start HiJackThis. Click "Config"->"Misc Tools"->"Open Uninstall Manager" ->"Save List".
Save the log to a convenient location, and copy it into this thread.

#3 Eagle7

  • Topic Starter
Posted 11 December 2006 - 12:47 PM

Hi Bobbi,

Thanks for the "news". I appreciate knowing that my log is being worked on. Not having "created a list of Add/Remove programs" before, I just wanted to be clear on how I am to proceed. Do you want me to make a document with this information in it? I don't know how else to "copy" this list. After creating this list in a document I could then cut/paste into the HJT log? Is that what you're requesting? I sure appreciate your help. Thanks.

Regards,

Eagle7

#4 Bobbi Flekman

  • Malware Response Team
Posted 12 December 2006 - 05:43 AM

Hi Eagle7,

You can create the list by following my instructions. There is a routine in HijackThis that will make it for you.

Start HiJackThis. Click "Config"->"Misc Tools"->"Open Uninstall Manager" ->"Save List".

Good luck.

#5 Eagle7

  • Topic Starter
Posted 12 December 2006 - 07:25 PM

Hi Bobbi,

Thanks so much for your directions and patience. Hope this proves helpful.

Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
Adobe Help Center 2.0
Adobe Photoshop Album 2.0 Starter Edition
Adobe Photoshop Elements 4.0
Adobe Reader 7.0.8
Agere Systems PCI Soft Modem
APC PowerChute Personal Edition
ArcSoft Panorama Maker 3.5
a-squared Free 2.1
AVG Anti-Spyware 7.5
AVG Anti-Virus 7.1
Belarc Advisor 7.1
Compaq Connections
Compaq Instant Support
DesignPro 5.0 Limited Edition
Enhanced Multimedia Keyboard Solution
Google Earth
Greeting Card Creator 32
Hallmark Card Studio 2006 Deluxe
High Definition Audio Driver Package - KB835221
HijackThis 1.99.1
Homespun Collection
HP Image Zone 3.5
HP Photo and Imaging 2.0 - Photosmart Cameras
HP Photo and Imaging 2.2 - Scanjet 3970 Series
HP Photosmart Cameras 3.5
HP Software Update
HP Unload DLL Patch
Installed Program Printer
IntelliMover Data Transfer Demo
Internet Accelerator
iTunes
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.2_03
Kensington KB 6.12
Kensington MouseWorks
Memories Disc Creator 2.0
Microsoft .NET Framework 1.1
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft Office Standard Edition 2003
Microsoft Plus! Digital Media Edition
Microsoft Works 7.0
Mozilla Firefox (2.0)
Mozilla Thunderbird (1.5)
MSXML 4.0 SP2 (KB927978)
OpenOffice.org 2.0
Opera 9.02
PC-Doctor for Windows
Picasa 2
Print Artist 2003
PS2
Python 2.2 combined Win32 extensions
Python 2.2.1
QuickTime
RealPlayer
RecordNow!
S3 S3Display
S3 S3Gamma2
S3 S3Info2
S3 S3Overlay
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925486)
SierraAddressBook 3.0
Sonic Update Manager
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
VIA Rhine-Family Fast Ethernet Adapter
VIA/S3G Display Driver
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinPatrol
WinPatrol
Yahoo! Toolbar

#6 Bobbi Flekman

  • Malware Response Team
Posted 13 December 2006 - 04:14 AM

Hi Eagle7,

Open "Add/Remove Programs" in the Control Panel. Select the following items:
  • Internet Accelerator
  • Java 2 Runtime Environment, SE v1.4.2_03 <-- Not bad, but older Java versions are security risks
and click "Remove" for each of them. If one of the uninstallers wants to download stuff or needs an Internet connection, skip that one and report them to me.

After this, can you post a fresh log from HijackThis?

#7 Eagle7

  • Topic Starter
Posted 17 December 2006 - 07:15 PM

Hi Bobbi,

Sorry I didn't get back to you sooner. Two things: one, I didn't receive a notification that you had posted; two, I've been sick the past few days. So, I did as you asked, removing both programs. I had known that there were two Java programs there, but wasn't sure if it was okay to delete the old one. When I did the required restart, my firewall popped up with a message that said this: "Java Update checker is trying to establish a TCP connection with remote address ..... Not knowing if that was okay, I just denied it for now.

As for the Internet Accelerator, that was my accelerator provided to me from my ISP, Christianity Online.com. I went ahead and deleted it for now so you can do what you need to do.

Yes, I'll resubmit another HJT:

Logfile of HijackThis v1.99.1
Scan saved at 5:10:08 PM, on 12/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\system32\kmw_run.exe
C:\PROGRA~1\Keyboard\Ikeymain.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Creative Home\Hallmark Card Studio 2006\Planner\PLNRnote.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\fs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.christianityonline.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=208.34.108.70:3128
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe"
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [KenKeybd] C:\PROGRA~1\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [CamMonitor] "C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Event Planner Reminder.lnk = C:\Program Files\Creative Home\Hallmark Card Studio 2006\Planner\PLNRnote.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{12489D7A-7C88-4CA3-8BB7-4B1A550BFB01}: NameServer = 209.244.0.3 209.244.0.4
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


Sure hope you find this helpful. As the days go on, I feel more and more vulnerable not being able to get any of my security updates. Thanks so much for your time and effort on this one.

Regards,

Eagle7

#8 Bobbi Flekman

  • Malware Response Team
Posted 18 December 2006 - 07:24 AM

Hi Eagle7,

I hope you're feeling better.

When I did the required restart, my firewall popped up with a message that said this: "Java Update checker is trying to establish a TCP connection with remote address ..... Not knowing if that was okay, I just denied it for now.

The Java Update checker is okay. A nuisance and not really needed, but okay nevertheless.

As for the Internet Accelerator, that was my accelerator provided to me from my ISP, Christianity Online.com. I went ahead and deleted it for now so you can do what you need to do.

I run across Internet Optimizers and Accelerators all the time. I do know that there is one that is tailored to Morpheus, and I thought that they had changed the name. Can you provide me with a link where I can download the program? Then I can play around with it and see whether it is bad or not. Personal experience says that broadband is the best accelerator though. :thumbsup:

Before I kill it off, you are using a proxy by NetAccess in New York. Is that correct? As proxy servers can reroute Internet flow, this can be the reason that your connections are failing. How are they anyway? Are the programs working again? Can you connect to the sites?

Run HijackThis, click on "Scan" and check the boxes next to all these items.

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

Then close all windows, and browsers, except HijackThis. Tell HijackThis to "Fix checked". Restart your computer and post a new log in this thread.
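The proxy entry Bobbi is asking about is the one line in these logs that directly explains "only one browser works and no security site loads": in the first log the R1 ProxyServer value was http=localhost:8080, and after Internet Accelerator was removed it became http=208.34.108.70:3128. Every program that honours the WinINet proxy setting sends its HTTP through that address, so whatever sits there decides which pages arrive. The following Python is an added example for readers of this thread, not code from the thread, from BleepingComputer or from HijackThis: it parses the network-relevant HijackThis 1.99.x entries (R1 ProxyServer, O17 NameServer, O10 Winsock LSPs, and O2/O20 registrations whose file is gone), explains what each implies, and reports a proxy change between two logs. The sample lines are copied from the logs posted above; the wording of the findings is the example's own.

```python
"""Triage parser for the network-relevant lines of a HijackThis 1.99.x log.

Added example, not code from this thread or from HijackThis. It pulls out
the entries that matter when a machine reaches the web through one
browser only and cannot fetch security updates: R1 ProxyServer, O17
NameServer, O10 Winsock LSPs, and O2/O20 entries whose file is missing.
"""
import re
from dataclasses import dataclass, field

# Line shapes exactly as HijackThis 1.99.1 prints them (see the logs in this thread).
PROXY_RE = re.compile(r"^R1 - .*Internet Settings,ProxyServer = (?P<value>.+)$")
DNS_RE = re.compile(r"^O17 - .*NameServer = (?P<value>.+)$")
LSP_RE = re.compile(r"^O10 - .*Winsock LSP: (?P<path>.+)$")
MISSING_RE = re.compile(r"^(?P<section>O2|O20) - .*\((?:no file|file missing)\)$")

LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def parse_proxy(value):
    """Split a WinINet ProxyServer value into (scheme, host, port) tuples.

    The value is either 'host:port' (applies to every protocol) or a
    ';'-separated list of 'scheme=host:port' entries such as
    'http=localhost:8080'. A missing scheme is reported as 'all'.
    """
    entries = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")
        host, _, port = hostport.rpartition(":")
        if not host:  # no ':' present, so the whole token is the host
            host, port = hostport, ""
        entries.append((scheme or "all", host.lower(), int(port) if port.isdigit() else None))
    return entries


@dataclass
class Triage:
    proxies: list = field(default_factory=list)    # (scheme, host, port)
    dns_servers: list = field(default_factory=list)
    lsp_files: list = field(default_factory=list)  # de-duplicated, lower-case paths
    missing: list = field(default_factory=list)    # (section, full line)
    findings: list = field(default_factory=list)   # plain-English notes


def triage(log_text):
    """Scan a HijackThis log and collect the entries that shape network traffic."""
    t = Triage()
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := PROXY_RE.match(line):
            for scheme, host, port in parse_proxy(m["value"]):
                t.proxies.append((scheme, host, port))
                where = f"{host}:{port}" if port else host
                if host in LOOPBACK:
                    t.findings.append(
                        f"proxy ({scheme}): {where} is on this machine; a local program sits "
                        "between the browser and the network, so identify the process "
                        "listening on that port before trusting any download")
                else:
                    t.findings.append(
                        f"proxy ({scheme}): all {scheme} traffic goes via {where}; confirm who "
                        "operates it, since a proxy can block or rewrite pages")
        elif m := DNS_RE.match(line):
            t.dns_servers.extend(m["value"].split())
        elif m := LSP_RE.match(line):
            path = m["path"].lower()
            if path not in t.lsp_files:  # HJT repeats one LSP DLL per protocol chain
                t.lsp_files.append(path)
        elif m := MISSING_RE.match(line):
            t.missing.append((m["section"], line))
    if t.dns_servers:
        t.findings.append("DNS: " + " ".join(t.dns_servers) + " (confirm these are the ISP's resolvers)")
    for path in t.lsp_files:
        t.findings.append(f"LSP: {path} sees every socket call; check the DLL's vendor")
    for section, line in t.missing:
        t.findings.append(f"{section}: orphaned registration, safe to fix: {line}")
    return t


def proxy_change(before_text, after_text):
    """Return (old, new) proxy lists when two logs disagree, else None."""
    old, new = triage(before_text).proxies, triage(after_text).proxies
    return None if old == new else (old, new)


# Constructed sample: one line of each tracked kind, copied from the logs in this thread.
SAMPLE_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{12489D7A-7C88-4CA3-8BB7-4B1A550BFB01}: NameServer = 209.244.0.3 209.244.0.4
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""
# The second log in the thread differs only in the proxy address.
SAMPLE_AFTER = SAMPLE_BEFORE.replace("http=localhost:8080", "http=208.34.108.70:3128")

if __name__ == "__main__":
    for note in triage(SAMPLE_BEFORE).findings:
        print("-", note)
    print("proxy change:", proxy_change(SAMPLE_BEFORE, SAMPLE_AFTER))
```

A loopback proxy is not evidence of malware by itself; legitimate software (web accelerators, personal firewalls, ad filters) also installs local proxies. What it does tell you is that one local process is in the path of every HTTP request, so the next step is to find which process owns that listening port (netstat -ano on Windows XP shows the PID) and to check that program before trusting anything it delivered.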

#9 Eagle7

  • Topic Starter
Posted 18 December 2006 - 11:38 AM

Hi Bobbi,

Thanks so much for the get well wish. I'm better than I was, but still terribly weak, still running a low grade temp.

I am learning that it is probably best for me to GO to the site for their updates, so I will be doing that more often in the future (re: JAVA request for updating).

My ISP does make available a proxy service for enhanced security called "Net Sweeper", so the "NetAccess" that you inquired about is no doubt them. They are out of Pittsford, NY. Since I am still on lowly dial-up here, with no sign of DSL in my future, I wouldn't be able to use your recommended 'that broadband' accelerator. I will keep that in mind should DSL ever come to our area, thanks. I believe the following link will get you to Christianityonline.com's accelerator download program:

http://christianityonline.com/download/setup.exe

My understanding from my ISP regarding their proxy/NetAccess security program was, that if I no longer wish to use it, I'd have to call them and have them disable it from their end. I do not wish to do that at this time.

To bring you up to date on how my computer's running. Not well at all, becoming more unstable quickly. I am still only able to surf via IE (total bummer), as both Firefox and Opera still get the "Connection Timed Out" or "Page not Found" errors. Even while using IE, after a time I'm also unable to access pages, usually from links. For example, I've had trouble getting this site to load from the email notification link provided to me. This is happening every day and more frequently. Refreshing or closing and reopening the browser doesn't seem to help. Nor does a Restart or complete Shut Down. It doesn't seem to matter which site I'm trying to access either, can even be while I'm in my Yahoo email program, or any other site. And, MOST annoying, I'm still unable to download ANY security updates. I see in my Event Viewer that Windows keeps trying to download their updates, and of course it doesn't happen. Occasionally, AVG will come up with their update window and act as if it were going to download my daily updates, but of course nothing happens.

I'm supposed to receive Recovery CD's in the mail today from HP. This will be the fourth set they've sent me since the 1st of December. They can't seem to get it right. I've spent nearly 8 hours on the phone with various members of their support team in the same amount of time. All they can say is after all the hardware diagnostics tests were fine that it must be software related, thus the only appropriate thing to do is a Full System Recovery. Yes, I know this process supposedly sets everything aright, as I've had to do it about 4 times now in the 2 1/2 years I've owned this computer. Still it takes me a good 10 days to get everything loaded back on since I'm on dial up. When I did this in November, just last month there were 64 updates alone from Windows, as well, hours worth from my other security programs. Since wiping the drive takes me back to pre-SP2 days, I also have to reload several HP driver updates before I can even reload SP2. What a bother. Seems like there should be a simpler, quicker way to accomplish this, but alas, I'm told there isn't.

Okay, so I'm off to run another HJT scan and check the box next to the file that you pointed out to me. I will tell HJT this "Fix checked" and post a new log for you. Again, thank you for all your time. Oh, and finally, I wanted to add that for me, just doing the above recovery doesn't answer how I got in this mess in the first place - and I'm one of those kind of folks that would like to know. Yet, as my system continues to go south, would you recommend that I proceed with the Recovery later today provided the right CD's arrive, thereby freeing you up to work on another situation?

Regards,

Eagle7

#10 Eagle7

Eagle7
  • Topic Starter

  • Members
  • 267 posts
  • OFFLINE
  • Local time:05:45 PM

Posted 18 December 2006 - 12:32 PM

Hi Bobbi,

Okay, done as you've requested. Here's the most recent log after having "Fixed" the BHO you mentioned before.

Logfile of HijackThis v1.99.1
Scan saved at 10:23:09 AM, on 12/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\system32\kmw_run.exe
C:\PROGRA~1\Keyboard\Ikeymain.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Creative Home\Hallmark Card Studio 2006\Planner\PLNRnote.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\fs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.christianityonline.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=208.34.108.70:3128
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe"
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [KenKeybd] C:\PROGRA~1\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [CamMonitor] "C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Event Planner Reminder.lnk = C:\Program Files\Creative Home\Hallmark Card Studio 2006\Planner\PLNRnote.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

Until next time,

Regards,

Eagle7

#11 Bobbi Flekman

Bobbi Flekman

    The computer whisperer


  • Malware Response Team
  • 4,423 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:45 PM

Posted 19 December 2006 - 07:38 AM

Hi Eagle7,

Since I am still on lowly dial-up here, with no sign of DSL in my future, I wouldn't be able to use your recommended 'tat broadband' accelerator.

That was a typo. It was supposed to be "that broadband".

I will keep that in mind should DSL ever come to our area, thanks. I believe the following link will get you to Christianityonline.com's accelerator download program:

Thanks I'll try it out the first chance I have.

It depends on what you want. You can run the Recovery CD if you want, but I am more than willing to try and find out what is happening to the system.

The log from HijackThis looks good.

Please select "Run..." from the "Start" menu and execute cmd.exe.
In the Console Window that comes up, type and execute the following command: netstat -ano. Copy/paste the output here please. That way I can see which ports you have open.

Also download the program FPort and run it from a Console Window with the following command line: fport /i. This will give me a list of which program is connected with which port.

Edited by Bobbi Flekman, 19 December 2006 - 07:39 AM.


#12 Eagle7

Eagle7
  • Topic Starter

  • Members
  • 267 posts
  • OFFLINE
  • Local time:05:45 PM

Posted 19 December 2006 - 05:22 PM

Hi Bobbi,

Glad to hear that my log looks fine, thanks.

Here's the log from the netstat -ano, but for some reason I can't seem to do the same for the fport. Any ideas?

I had a tough time even getting on with IE just now. It's looking like I'd better do the recovery soon. What kind of time line do you think I might be looking at if I waited for you to finish working on my computer issues?

Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Owner>netstat-ano
'netstat-ano' is not recognized as an internal or external command,
operable program or batch file.

C:\Documents and Settings\Owner>netstat -ano

Active Connections

Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 968
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 127.0.0.1:1029 0.0.0.0:0 LISTENING 2108
TCP 127.0.0.1:10110 0.0.0.0:0 LISTENING 1600
UDP 0.0.0.0:445 *:* 4
UDP 0.0.0.0:500 *:* 716
UDP 0.0.0.0:1049 *:* 1088
UDP 0.0.0.0:4500 *:* 716
UDP 4.227.237.229:123 *:* 1024
UDP 4.227.237.229:1900 *:* 1240
UDP 127.0.0.1:123 *:* 1024
UDP 127.0.0.1:1077 *:* 2780
UDP 127.0.0.1:1900 *:* 1240

C:\Documents and Settings\Owner>fport/i
'fport' is not recognized as an internal or external command,
operable program or batch file.

C:\Documents and Settings\Owner>fport/ i
'fport' is not recognized as an internal or external command,
operable program or batch file.

C:\Documents and Settings\Owner>fport /i
'fport' is not recognized as an internal or external command,
operable program or batch file.

C:\Documents and Settings\Owner>fport /i
'fport' is not recognized as an internal or external command,
operable program or batch file.

C:\Documents and Settings\Owner>

Regards,

Eagle7

#13 Bobbi Flekman

Bobbi Flekman

    The computer whisperer


  • Malware Response Team
  • 4,423 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:45 PM

Posted 20 December 2006 - 06:11 AM

Hi Eagle7,

Glad to hear that my log looks fine, thanks.

Actually in my opinion that is worse than if it were thoroughly infected. This means that the malware knows how to hide, and it will make our job a lot tougher. Which is why I am starting with this. I've never heard of a case like yours, so the first thing I want to make sure is that there is not some sort of spam engine or another program stealing stuff from you. Netstat gives me a list of open ports (connections) and fport gives me the program that is using that port. The connection between these two outputs is a Process ID (PID), and unfortunately that changes every time you start a program. In other words you will have to do it all over again...

Where did you extract FPort to? Can you re-extract it to C:\Documents and Settings\Owner? It should end up in a folder under that called FPort-2.0. The batch file I am creating assumes that you've done it that way, otherwise you will have to change the CD statement in it to where the file is.

Launch Notepad, and copy/paste the box below into a new text file. Save it as Export.bat and save it on your Desktop.

cd C:\Documents and Settings\Owner\FPort-2.0
netstat -ano > Output.txt
fport /i >> Output.txt
notepad Output.txt

Locate Export.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the text here.

I had a tough time even getting on with IE just now. It's looking like I'd better do the recovery soon. What kind of time line do you think I might be looking at if I waited for you to finish working on my computer issues?

I think it is best to do a Recovery and check if everything is all right after that. As I said before I have no clue what is bugging your computer, but I have a large bag of tricks that I can use to try and find out. And probably when I found out what it is my best advice would probably be to use the Recovery Disc anyway.
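The PID join Bobbi describes above (netstat lists the port and PID, fport supplies the program for that PID) can be done offline once both outputs are saved. This is an added example, not code from the thread: it parses netstat -ano text constructed from the output posted earlier, joins it to a constructed PID-to-program table standing in for fport's output (the names are hypothetical placeholders), and flags what a helper would ask about: listeners reachable from the network and ports owned by a PID no program could be found for.

```python
"""Join `netstat -ano` sockets to their owning program by PID (added example)."""
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample, modeled on the netstat -ano output posted in this thread.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       968
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING       2108
  TCP    127.0.0.1:10110        0.0.0.0:0              LISTENING       1600
  UDP    0.0.0.0:500            *:*                                    716
  UDP    4.227.237.229:1900     *:*                                    1240
"""

# Constructed PID -> image name table standing in for fport's output.
# Hypothetical names; on a real machine they come from fport /i (or tasklist).
# PID 2108 is deliberately absent to show how an unattributed port surfaces.
PID_TABLE: Dict[int, str] = {4: "System", 716: "lsass.exe", 968: "svchost.exe",
                             1240: "svchost.exe", 1600: "avgas.exe"}


class Socket(NamedTuple):
    proto: str
    local_ip: str
    local_port: int
    state: str   # empty for UDP, which netstat prints without a State column
    pid: int


# Proto, local ip:port, foreign address, optional state word, PID.
_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse_netstat(text: str) -> List[Socket]:
    """Return one Socket per data line; headers and blank lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            proto, ip, port, state, pid = m.groups()
            sockets.append(Socket(proto, ip, int(port), state or "", int(pid)))
    return sockets


def triage(text: str, pid_table: Dict[int, str]) -> List[dict]:
    """Attribute each socket to a program and flag the ones worth a question:
    bound to all interfaces or a public IP (reachable from the network), or
    owned by a PID that no program was listed for."""
    report = []
    for s in parse_netstat(text):
        owner: Optional[str] = pid_table.get(s.pid)
        flags = []
        if s.local_ip != "127.0.0.1":
            flags.append("reachable-from-network")
        if owner is None:
            flags.append("no-owner")
        report.append({"proto": s.proto, "ip": s.local_ip, "port": s.local_port,
                       "pid": s.pid, "owner": owner or "UNKNOWN", "flags": flags})
    return report
```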

#14 Eagle7

Eagle7
  • Topic Starter

  • Members
  • 267 posts
  • OFFLINE
  • Local time:05:45 PM

Posted 20 December 2006 - 12:43 PM

Good morning Bobbi,

Glad I checked on this site, as I've not yet rec'd any notifications of your reply in my email.

Here's the report you asked for:


cd C:\Documents and Settings\Owner\FPort-2.0
netstat -ano > Output.txt
fport /i >> Output.txt
notepad Output.txt

I saved the fport file to my Desktop. It reads C:\Documents and SettingsOwner\Desktop when I check the file's properties.

I re-extracted it to the folder you requested.

So, if I understand your reply correctly, it IS ok for me to proceed with the Recovery? I'll putz around with my mail, etc for a while, then check back with you to hopefully get a reply if your time permits. Thanks again.

Regards,

Eagle7

#15 Bobbi Flekman

Bobbi Flekman

    The computer whisperer


  • Malware Response Team
  • 4,423 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:45 PM

Posted 21 December 2006 - 09:10 AM

Hey Eagle7,

Yes! By all means please proceed with the Recovery. Your computer is more important than my curiosity!

I noticed an error in the batch file. This is the correct one.

cd "C:\Documents and Settings\Owner\FPort-2.0"
netstat -ano > Output.txt
fport /i >> Output.txt
notepad Output.txt
Again assuming that the location of FPort.exe is in C:\Documents and Settings\Owner\FPort-2.0.

How are your settings for email notification at the forums? You can check that in your profile. I have it set on immediate notification as I otherwise miss notifications. But in most cases delayed is okay. That would mean you get one notification for all posts. The way I have it means you get a notification for every post in a thread.
