Search engine redirects and jumps


11 replies to this topic

#1 blip


    Member

  • Full Member
  • 5 posts

Posted 01 June 2007 - 03:02 AM

Hi,

My browser, IE7, has been misbehaving of late when I do a Google or Yahoo search. When I click on a result I get redirected to another, unrelated site. Originally it would go via a site with an IP of 67.29.139.220 - and while it still does that now, it deletes the redirect and jump entries from the browser history, i.e. when I click the back-button history the two intervening steps are no longer showing, whereas they used to be there all the time.

I've tried to follow the FAQ correctly. I've run scans with AVG, ClamWin, SuperAntiSpyware, Ad-Aware, and Spybot.

Here are my Kaspersky and HijackThis logs. I hope you can help.

Thanks,

Blip

Friday, June 01, 2007 5:42:35 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 1/06/2007
Kaspersky Anti-Virus database records: 335505
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target Critical Areas
C:\WINDOWS
C:\DOCUME~1\RODONO~1\LOCALS~1\Temp\
Scan Statistics
Total number of scanned objects 18183
Number of viruses found 1
Number of infected objects 1
Number of suspicious objects 0
Duration of the scan process 00:26:30

Infected Object Name Virus Name Last Action
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd2701.sys Object is locked skipped
C:\WINDOWS\system32\gah95on6.ini Infected: not-a-virus:AdWare.Win32.Sahat.ao skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_3c0.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\DOCUME~1\RODONO~1\LOCALS~1\Temp\2E.tmp Object is locked skipped
C:\DOCUME~1\RODONO~1\LOCALS~1\Temp\ClamWin1.log Object is locked skipped
C:\DOCUME~1\RODONO~1\LOCALS~1\Temp\~DF271E.tmp Object is locked skipped
C:\DOCUME~1\RODONO~1\LOCALS~1\Temp\~DF2882.tmp Object is locked skipped
C:\DOCUME~1\RODONO~1\LOCALS~1\Temp\~DF28F2.tmp Object is locked skipped
C:\DOCUME~1\RODONO~1\LOCALS~1\Temp\~DF2A5E.tmp Object is locked skipped
C:\DOCUME~1\RODONO~1\LOCALS~1\Temp\~DF4FD.tmp Object is locked skipped
C:\DOCUME~1\RODONO~1\LOCALS~1\Temp\~DF51A.tmp Object is locked skipped
C:\DOCUME~1\RODONO~1\LOCALS~1\Temp\~DF557B.tmp Object is locked skipped
C:\DOCUME~1\RODONO~1\LOCALS~1\Temp\~DF76B5.tmp Object is locked skipped
C:\DOCUME~1\RODONO~1\LOCALS~1\Temp\~DF7743.tmp Object is locked skipped
C:\DOCUME~1\RODONO~1\LOCALS~1\Temp\~DF8B38.tmp Object is locked skipped
C:\DOCUME~1\RODONO~1\LOCALS~1\Temp\~DFBC15.tmp Object is locked skipped
C:\DOCUME~1\RODONO~1\LOCALS~1\Temp\~DFC409.tmp Object is locked skipped
C:\DOCUME~1\RODONO~1\LOCALS~1\Temp\~DFF44C.tmp Object is locked skipped
C:\DOCUME~1\RODONO~1\LOCALS~1\Temp\~DFF9A2.tmp Object is locked skipped
C:\DOCUME~1\RODONO~1\LOCALS~1\Temp\~WRF0796.tmp Object is locked skipped
C:\DOCUME~1\RODONO~1\LOCALS~1\Temp\~WRS3912.tmp Object is locked skipped
Scan process completed.

Logfile of HijackThis v1.99.1
Scan saved at 5:48:41 PM, on 1/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Canon\MultiPASS4\MPDBMgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://au.rd.yahoo.c...earch.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.fhs.vic.edu.au/exchange/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://fhswebs/main.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://au.rd.yahoo.c...earch.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Frankston High School
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = fhsproxy:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [FreshDownload] "C:\Program Files\FreshDevices\FreshDownload\FD.EXE"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Download &All by FD - file://C:\Program Files\FreshDevices\FreshDownload\fdiectx2.htm
O8 - Extra context menu item: Download with &FD - file://C:\Program Files\FreshDevices\FreshDownload\fdiectx.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll (file missing)
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://fhswebs
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://www.vass.vic...on/cab/smsx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1109736019010
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://131.188.69.22/activex/AMC.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelg...in/cortvrml.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.belfastci...sCamControl.ocx
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://64.53.55.34/activex/AMC.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = frankston-hs.edu.vic.gov.au
O17 - HKLM\Software\..\Telephony: DomainName = frankston-hs.edu.vic.gov.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = frankston-hs.edu.vic.gov.au
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: LoadDLLServ - Unknown owner - C:\Documents and Settings\RODONOVAN\Application Data\SysServDLL32.exe (file missing)
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

Edited by blip, 01 June 2007 - 04:56 AM.


#2 SWI Support Robot


    Helper robot

  • SWI Bot
  • 23,523 posts

Posted 03 June 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 Sempurna


    Forum Deity

  • Retired Staff
  • 3,838 posts

Posted 07 June 2007 - 03:51 AM

Hi blip,

Welcome to SpywareInfo! :wave:

I apologize for the delay getting to your log. The helpers here are all volunteers and we have been very busy here lately. If you are still having malware problems, I will be glad to help.

It may not be malware that is causing your problem, but let’s check that out first, shall we? :)

OK, here’s what we do first.

BEFORE BEGINNING, Please read completely through the instructions below. Please also print these instructions or copy them to Notepad (or another word processor), and save it for easier reference. This is because we will be in Safe Mode during the fix and you won’t be able to access the Internet to view these instructions.

Please download SDFix by AndyManchesta and save it to your desktop.

Double-click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix).

Please then reboot your computer into Safe Mode by doing the following:
  • Restart your computer.
  • After hearing your computer beep once during startup, but just before the Windows icon appears, tap the F8 key continually.
  • Instead of Windows loading as normal, a menu with options should appear.
  • Select the first option, to run Windows in "Safe Mode", then press "Enter".
  • Choose your usual account.
Once in Safe Mode, please do the following:
  • Open the extracted folder and double-click RunThis.bat to start the script.
  • Type "Y" to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found, then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process, then display "Finished"; press any key to end the script and load your desktop icons.
  • Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally, copy and paste the contents of the results file Report.txt back onto the forum along with a new HijackThis log.

NEXT:

Please run HijackThis and click "Scan". Place a check (tick) next to the following entries (if present):

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: LoadDLLServ - Unknown owner - C:\Documents and Settings\RODONOVAN\Application Data\SysServDLL32.exe (file missing)



Close ALL programs and browsers (including this one), leaving ONLY HijackThis open, then click "Fix checked".

Then please exit HijackThis.


NEXT:

Please go to Start -> Run and type (or copy and paste) the following lines in the "Open" field, ONE AT A TIME, then click "OK":

sc stop LoadDLLServ

sc delete LoadDLLServ



NEXT:

Using Windows Explorer (right-click your "Start" button and select "Explore"), please navigate to and delete the following FILES (if they exist):

C:\WINDOWS\system32\gah95on6.ini
C:\Documents and Settings\RODONOVAN\Application Data\SysServDLL32.exe


You may have to Show hidden files and folders first.

Please let me know if you encountered any problems finding or deleting the files.


NEXT:

Please download ComboFix by sUBs:

NOTE: In the event you already have ComboFix, this is a new version that I need you to download.
  • Save it to your desktop.
  • Double-click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Please do NOT mouse-click ComboFix's window while it is running. That may cause it to stall. Also, please do NOT adjust your time format while ComboFix is running.


NEXT:

Please reboot your computer normally into Windows, and then please post the log from the SDFix scan, the ComboFix log, and a new HijackThis log.

How are things running now?

Edited by Sempurna, 07 June 2007 - 03:52 AM.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

--------------------

We are each of us angels with but one wing. And we can only fly embracing each other.
Luciano De Crescenzo
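
The entries Sempurna picked out above share one trait: they point at files that no longer exist ("(file missing)" / "(no file)"), and the orphaned O23 service is removed with `sc stop` / `sc delete`. The script below is an added example, not a SpywareInfo or HijackThis tool, that reads a HijackThis log and a Kaspersky report and flags exactly those classes of entry; the sample lines are copied from blip's logs in this thread.

```python
"""Triage helper for HijackThis and Kaspersky Online Scanner logs.

Added example for this thread, not a SpywareInfo or HijackThis tool. It flags
the same kinds of entry the helper picked out: any HijackThis item whose target
file no longer exists ("(file missing)" / "(no file)"), O23 services whose
binary is gone (emitting the `sc stop` / `sc delete` commands from the post),
and Kaspersky report rows marked "Infected:".
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample: a few lines lifted from blip's HijackThis log above.
HJT_SAMPLE = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.fhs.vic.edu.au/exchange/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: LoadDLLServ - Unknown owner - C:\Documents and Settings\RODONOVAN\Application Data\SysServDLL32.exe (file missing)
"""

# Constructed sample: two rows from the Kaspersky report above.
KAV_SAMPLE = r"""
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\gah95on6.ini Infected: not-a-virus:AdWare.Win32.Sahat.ao skipped
"""

MISSING_MARKERS = ("(file missing)", "(no file)")
# HijackThis entry lines start with a section code such as R1, O4, O23.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.*)$")


@dataclass
class Finding:
    section: str                 # HijackThis section code, e.g. "O23"
    reason: str                  # why the entry was flagged
    line: str                    # the original log line
    commands: List[str] = field(default_factory=list)  # suggested clean-up steps


def service_name(name_part: str) -> str:
    """Short service name from 'Display (Short)'; falls back to the whole field."""
    m = re.match(r"^(?P<display>.*?)\s*\((?P<short>[^()]+)\)\s*$", name_part)
    return m.group("short") if m else name_part.strip()


def sc_commands(short_name: str) -> List[str]:
    """The two Start -> Run commands the thread uses to remove an orphaned service."""
    quoted = f'"{short_name}"' if " " in short_name else short_name
    return [f"sc stop {quoted}", f"sc delete {quoted}"]


def triage_hjt(log: str) -> List[Finding]:
    """Flag HijackThis entries that reference files which no longer exist.

    Process-list lines and headers are skipped. 'Unknown owner' on its own is
    not flagged: legitimate drivers (Ati2evxx.exe above) report it too.
    """
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m or not line.endswith(MISSING_MARKERS):
            continue
        section = m.group("section")
        if section == "O23":
            # O23 - Service: <Display (Short)> - <Owner> - <Path>
            parts = m.group("body")[len("Service: "):].split(" - ", 2)
            short = service_name(parts[0]) if len(parts) == 3 else ""
            findings.append(Finding(section, "service binary missing", line,
                                    sc_commands(short) if short else []))
        else:
            findings.append(Finding(section, "target file missing", line))
    return findings


def kaspersky_infected(report: str) -> List[Tuple[str, str]]:
    """(path, verdict) for every row marked 'Infected:'; locked/skipped rows are ignored."""
    hits = []
    for line in report.splitlines():
        m = re.match(r"^(?P<path>.+?)\s+Infected:\s+(?P<verdict>\S+)\s+\S+$", line.strip())
        if m:
            hits.append((m.group("path"), m.group("verdict")))
    return hits


if __name__ == "__main__":
    for f in triage_hjt(HJT_SAMPLE):
        print(f"[{f.section}] {f.reason}: {f.line}")
        for cmd in f.commands:
            print("    ", cmd)
    for path, verdict in kaspersky_infected(KAV_SAMPLE):
        print(f"[KAV] {verdict}: {path}")
```

Run against the sample it reports the O3 toolbar, the O9 button and the LoadDLLServ service, the same three kinds of entry Sempurna asked to have fixed, plus the gah95on6.ini adware hit.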

#4 blip


    Member

  • Full Member
  • 5 posts

Posted 07 June 2007 - 09:16 AM

Everything is fixed!!!

You guys are marvels. Thank you very much for all your assistance, Sempurna - a great public service you provide. I'm very grateful.

Was it Malware BTW or some other mystery configuration....?

Cheers,

Blip


Here are the logs etc. per your request, although I suppose they're of no use now.


Followed the procedures; however, slight variations were:
  • Had to use Safe Mode with Networking since I couldn't log in otherwise.
  • Rebooted after running the HijackThis fix and before deleting the files you said to delete.
  • Deleted C:\WINDOWS\system32\gah95on6.ini
  • Couldn't find C:\Documents and Settings\RODONOVAN\Application Data\SysServDLL32.exe
  • Upon reboot I was prompted to buy SuperAntiSpyware, so I uninstalled it.



---------------------------- SDFixLog Follows ----------------------------

SDFix: Version 1.87

Run by rodonovan - Thu 07/06/2007 - 22:54:45.70

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:






Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\SYSTEM32\B7RQN3~1.HTM - Deleted



Removing Temp Files...

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.

Checking if ADS is attached to ntoskrnl.exe
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\miFiles\\miFiles.exe"="C:\\Program Files\\miFiles\\miFiles.exe:*:Enabled:miFiles Personal Edition"
"C:\\Program Files\\Infochoice\\Charts\\Charts.exe"="C:\\Program Files\\Infochoice\\Charts\\Charts.exe:*:Enabled:Charts"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\FreshDevices\\FreshDownload\\fdgo.exe"="C:\\Program Files\\FreshDevices\\FreshDownload\\fdgo.exe:*:Enabled:fdgo"
"C:\\Documents and Settings\\RODONOVAN\\My Documents\\Research\\downloads\\utorrent.exe"="C:\\Documents and Settings\\RODONOVAN\\My Documents\\Research\\downloads\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\VoipBuster.com\\VoipBuster\\VoipBuster.exe"="C:\\Program Files\\VoipBuster.com\\VoipBuster\\VoipBuster.exe:*:Enabled:VoipBuster"
"C:\\Program Files\\SIPfoundry\\sipXphone\\j2re1.4.2_03\\bin\\javaw.exe"="C:\\Program Files\\SIPfoundry\\sipXphone\\j2re1.4.2_03\\bin\\javaw.exe:*:Enabled:javaw"
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"="C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe:*:Enabled:BlueSoleil"
"C:\\Program Files\\Java\\jdk1.5.0_10\\jre\\bin\\java.exe"="C:\\Program Files\\Java\\jdk1.5.0_10\\jre\\bin\\java.exe:*:Enabled:Java™ 2 Platform Standard Edition binary"
"C:\\Documents and Settings\\RODONOVAN\\.netbeans\\5.5\\emulators\\wtk22_win\\emulator\\wtk22\\bin\\emulator.exe"="C:\\Documents and Settings\\RODONOVAN\\.netbeans\\5.5\\emulators\\wtk22_win\\emulator\\wtk22\\bin\\emulator.exe:*:Enabled:emulator"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:*:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:*:Enabled:ActiveSync Application"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\TrackMaker\\Trackmaker.exe"="C:\\Program Files\\TrackMaker\\Trackmaker.exe:*:Enabled:Trackmaker"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\CPC10D.EXE"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\CPC10D.EXE:*:Enabled:Canon PageComposer Despooler"
"C:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"="C:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE:*:Enabled:Microsoft Office Word"
"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AcroRd32.exe"="C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AcroRd32.exe:*:Enabled:Adobe Reader 7.0"
"C:\\Program Files\\Common Files\\Microsoft Shared\\MODI\\11.0\\MSPVIEW.EXE"="C:\\Program Files\\Common Files\\Microsoft Shared\\MODI\\11.0\\MSPVIEW.EXE:*:Enabled:Microsoft Office Document Imaging"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\VoipBuster.com\\VoipBuster\\VoipBuster.exe"="C:\\Program Files\\VoipBuster.com\\VoipBuster\\VoipBuster.exe:*:Enabled:Client to make VoIP calls."
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"="C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe:*:Enabled:BlueSoleil"

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Listing Files with Hidden Attributes:

C:\Program Files\Replay Converter\cygwin1.dll
C:\Program Files\Replay Converter\cygz.dll
C:\Program Files\Replay Converter\drv13260.dll
C:\Program Files\Replay Converter\drv23260.dll
C:\Program Files\Replay Converter\drv33260.dll
C:\Program Files\Replay Converter\drv43260.dll
C:\Program Files\Replay Converter\dspr3260.dll
C:\Program Files\Replay Converter\ivvideo.dll
C:\Program Files\Replay Converter\qtmlClient.dll
C:\Program Files\Replay Converter\raac.dll
C:\Program Files\Replay Converter\rnco3260.dll
C:\Program Files\Replay Converter\rnlt3260.dll
C:\Program Files\Replay Converter\rv103260.dll
C:\Program Files\Replay Converter\rv203260.dll
C:\Program Files\Replay Converter\rv303260.dll
C:\Program Files\Replay Converter\rv403260.dll
C:\Program Files\Replay Converter\tokr3260.dll
C:\WINDOWS\system32\AVSredirect.dll
C:\System Volume Information\_restore{E0F9382A-DD8D-4B41-84DC-F8DCF1E10886}\RP13\A0019289.SYS
C:\WINDOWS\WSYS049.SYS
C:\Documents and Settings\RODONOVAN\Application Data\Microsoft\Templates\~WRL0089.tmp
C:\Documents and Settings\RODONOVAN\Application Data\Microsoft\Templates\~WRL0517.tmp
C:\Documents and Settings\RODONOVAN\Application Data\Microsoft\Templates\~WRL2087.tmp
C:\Documents and Settings\RODONOVAN\Application Data\Microsoft\Templates\~WRL2105.tmp
C:\Documents and Settings\RODONOVAN\Application Data\Microsoft\Templates\~WRL2786.tmp
C:\Documents and Settings\RODONOVAN\Application Data\Microsoft\Word\~WRL0145.tmp
C:\Documents and Settings\RODONOVAN\Application Data\Microsoft\Word\~WRL2606.tmp
C:\Documents and Settings\RODONOVAN\Application Data\Microsoft\Word\~WRL2702.tmp
C:\Documents and Settings\RODONOVAN\Desktop\BAW\~WRL0004.tmp
C:\Documents and Settings\RODONOVAN\Desktop\MyDocs\Useful\~WRL1607.tmp
C:\Documents and Settings\RODONOVAN\Desktop\Xfer\other\~WRL0003.tmp
C:\Documents and Settings\RODONOVAN\My Documents\~WRL0181.tmp
C:\Documents and Settings\RODONOVAN\My Documents\~WRL1338.tmp
C:\Documents and Settings\RODONOVAN\My Documents\~WRL1579.tmp
C:\Documents and Settings\RODONOVAN\My Documents\~WRL1826.tmp
C:\Documents and Settings\RODONOVAN\My Documents\~WRL2367.tmp
C:\Documents and Settings\RODONOVAN\My Documents\~WRL2586.tmp
C:\Documents and Settings\RODONOVAN\My Documents\~WRL2790.tmp
C:\Documents and Settings\RODONOVAN\My Documents\~WRL3166.tmp
C:\Documents and Settings\RODONOVAN\My Documents\~WRL4009.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Movies Mind Meaning\~WRL0001.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Movies Mind Meaning\~WRL0050.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Movies Mind Meaning\~WRL0151.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Movies Mind Meaning\~WRL0176.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Movies Mind Meaning\~WRL0609.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Movies Mind Meaning\~WRL1133.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Movies Mind Meaning\~WRL1744.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Movies Mind Meaning\~WRL2060.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Movies Mind Meaning\~WRL2088.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Movies Mind Meaning\~WRL2352.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Movies Mind Meaning\~WRL2474.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Movies Mind Meaning\~WRL2644.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Movies Mind Meaning\~WRL2982.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Movies Mind Meaning\~WRL2988.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Movies Mind Meaning\~WRL3393.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Movies Mind Meaning\~WRL3421.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Movies Mind Meaning\~WRL3711.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Movies Mind Meaning\~WRL3824.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Movies Mind Meaning\~WRL4013.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Subject Logs\~WRL0001.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Subject Logs\~WRL0112.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Subject Logs\~WRL0278.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Subject Logs\~WRL0307.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Subject Logs\~WRL0522.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Subject Logs\~WRL0535.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Subject Logs\~WRL0549.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Subject Logs\~WRL0749.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Subject Logs\~WRL0804.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Subject Logs\~WRL0851.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Subject Logs\~WRL0914.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Subject Logs\~WRL0990.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Subject Logs\~WRL1116.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Subject Logs\~WRL1241.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Subject Logs\~WRL1262.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Subject Logs\~WRL1295.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Subject Logs\~WRL1544.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Subject Logs\~WRL1566.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Subject Logs\~WRL1629.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Subject Logs\~WRL1674.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Subject Logs\~WRL1883.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Subject Logs\~WRL2063.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Subject Logs\~WRL2157.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Subject Logs\~WRL2183.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Subject Logs\~WRL2244.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Subject Logs\~WRL2255.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Subject Logs\~WRL2265.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Subject Logs\~WRL2292.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Subject Logs\~WRL2314.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Subject Logs\~WRL2391.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Subject Logs\~WRL2411.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Subject Logs\~WRL2465.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Subject Logs\~WRL2615.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Subject Logs\~WRL2625.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Subject Logs\~WRL2708.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Subject Logs\~WRL2718.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Subject Logs\~WRL2805.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Subject Logs\~WRL2862.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Subject Logs\~WRL2900.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Subject Logs\~WRL2921.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Subject Logs\~WRL3006.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Subject Logs\~WRL3026.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Subject Logs\~WRL3069.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Subject Logs\~WRL3090.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Subject Logs\~WRL3156.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Subject Logs\~WRL3240.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Subject Logs\~WRL3258.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Subject Logs\~WRL3279.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Subject Logs\~WRL3406.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Subject Logs\~WRL3595.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Subject Logs\~WRL3814.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Subject Logs\~WRL3913.tmp
C:\Documents and Settings\RODONOVAN\My Documents\Subject Logs\~WRL4027.tmp

Listing User Accounts:

User accounts for \\RODONOVAN

ASPNET Guest HelpAssistant
IUSR_RODONOVAN IWAM_RODONOVAN LocalAdmin
SUPPORT_388945a0 TSI


Finished


--------------------------------------------------------------------------
--------------------------------------------------------------------------
--------------------------------------------------------------------------
--------------------------------------------------------------------------
-------------------------- HijackThis Log Follows ------------------------
--------------------------------------------------------------------------
--------------------------------------------------------------------------
--------------------------------------------------------------------------
--------------------------------------------------------------------------
--------------------------------------------------------------------------


Logfile of HijackThis v1.99.1
Scan saved at 11:19:14 PM, on 7/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\FreshDevices\FreshDownload\FD.EXE
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\MsiExec.exe
C:\Program Files\Canon\MultiPASS4\MPDBMgr.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://au.rd.yahoo.c...earch.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.fhs.vic.edu.au/exchange/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://fhswebs/main.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://au.rd.yahoo.c...earch.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Frankston High School
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = fhsproxy:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [FreshDownload] "C:\Program Files\FreshDevices\FreshDownload\FD.EXE"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Download &All by FD - file://C:\Program Files\FreshDevices\FreshDownload\fdiectx2.htm
O8 - Extra context menu item: Download with &FD - file://C:\Program Files\FreshDevices\FreshDownload\fdiectx.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll (file missing)
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://fhswebs
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://www.vass.vic...on/cab/smsx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1109736019010
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://131.188.69.22/activex/AMC.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelg...in/cortvrml.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.belfastci...sCamControl.ocx
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://64.53.55.34/activex/AMC.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = frankston-hs.edu.vic.gov.au
O17 - HKLM\Software\..\Telephony: DomainName = frankston-hs.edu.vic.gov.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = frankston-hs.edu.vic.gov.au
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: LoadDLLServ - Unknown owner - C:\Documents and Settings\RODONOVAN\Application Data\SysServDLL32.exe (file missing)
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--------------------------------------------------------------------------
--------------------------------------------------------------------------
--------------------------------------------------------------------------
--------------------------------------------------------------------------
---------------------------- ComboFix Log Follows ------------------------
--------------------------------------------------------------------------
--------------------------------------------------------------------------
--------------------------------------------------------------------------
--------------------------------------------------------------------------
--------------------------------------------------------------------------

"rodonovan" - 2007-06-07 23:37:08 Service Pack 2 NTFS
ComboFix 07-06-3B - Running from: "C:\Documents and Settings\RODONOVAN\My Documents\downloads\"


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\grouppolicy\machine\scripts\scripts.ini
C:\WINDOWS\system32\kdbqs.exe
C:\WINDOWS\system32\packet.dll


((((((((((((((((((((((((( Files Created from 2007-05-07 to 2007-06-07 )))))))))))))))))))))))))))))))


2007-06-06 12:25 81,920 --a------ C:\WINDOWS\system32\viscomwave.dll
2007-06-06 12:25 <DIR> d-------- C:\Program Files\Video Audio To MP3 WAVE Converter
2007-06-04 21:54 <DIR> d----c--- C:\DOCUME~1\RODONO~1\APPLIC~1\Nokia Multimedia Player
2007-06-01 11:29 <DIR> d-------- C:\hijackthis
2007-05-31 21:35 <DIR> d-------- C:\Program Files\AVI Codec Pack
2007-05-31 21:34 <DIR> d-------- C:\WINDOWS\system32\quicktime
2007-05-31 19:22 <DIR> d----c--- C:\DOCUME~1\RODONO~1\APPLIC~1\Datalayer
2007-05-31 19:21 <DIR> d----c--- C:\DOCUME~1\RODONO~1\Phone Browser
2007-05-30 20:55 <DIR> d----c--- C:\DOCUME~1\RODONO~1\APPLIC~1\Nokia
2007-05-30 20:47 <DIR> d-------- C:\Program Files\DIFX
2007-05-30 20:47 <DIR> d-------- C:\Program Files\Common Files\Nokia
2007-05-30 20:46 <DIR> d----c--- C:\DOCUME~1\RODONO~1\APPLIC~1\PC Suite
2007-05-30 20:46 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PC Suite
2007-05-30 20:45 8,704 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2007-05-30 20:45 4,608 --a------ C:\WINDOWS\system32\nmwcdlog.dll
2007-05-30 20:45 30,720 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2007-05-30 20:45 13,312 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2007-05-30 20:45 13,312 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2007-05-30 20:45 127,488 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2007-05-30 20:45 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2007-05-30 20:44 50,688 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2007-05-30 20:44 <DIR> d-------- C:\Program Files\Nokia
2007-05-30 20:43 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Downloaded Installations
2007-05-29 12:46 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-05-29 12:45 <DIR> d-------- C:\Program Files\Classroom Sim 9-12
2007-05-24 17:02 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2007-05-24 17:02 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-05-23 17:05 8,126,464 --a------ C:\DOCUME~1\RODONO~1\ntuser.dat
2007-05-20 23:54 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-05-20 23:54 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-05-15 16:32 <DIR> d-------- C:\Program Files\DivX
2007-05-14 22:25 <DIR> d-------- C:\Program Files\Axis Communications
2007-05-13 23:23 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-05-13 23:23 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-05-09 20:25 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-01 03:09:30 -------- d-----w C:\Program Files\Winamp
2007-06-01 02:57:44 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-05-28 06:17:03 -------- d-----w C:\Program Files\ClamWin
2007-05-13 08:13:49 -------- d-----w C:\Program Files\Google
2007-05-13 07:48:20 -------- d-----w C:\Program Files\Microsoft ActiveSync
2007-05-12 07:54:05 -------- d-----w C:\Program Files\Microsoft AntiSpyware
2007-05-04 06:46:13 -------- d-----w C:\Program Files\Windows Live Safety Center
2007-05-04 01:13:01 1,156 ----a-w C:\WINDOWS\mozver.dat
2007-05-01 10:34:32 -------- dc----w C:\DOCUME~1\RODONO~1\APPLIC~1\.clamwin
2007-04-25 00:46:29 -------- d-----w C:\Program Files\Replay Media Catcher
2007-04-25 00:41:17 2,874,926 ----a-w C:\Program Files\FLV PlayerRCATSetup.exe
2007-04-25 00:40:46 -------- d-----w C:\Program Files\Replay Converter
2007-04-25 00:38:52 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-04-25 00:38:49 25,990,392 ----a-w C:\Program Files\FLV PlayerRCSetup.exe
2007-04-25 00:21:27 -------- d-----w C:\Program Files\FLV Player
2007-04-08 10:30:25 -------- d-----w C:\Program Files\TrackMaker
2007-04-02 09:03:39 2,324 ----a-w C:\TCHPDEXP.DAT
2007-03-09 09:12:32 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 19:38]
{206E52E0-D52E-11D4-AD54-0000E86C26F6}=C:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll [2005-05-26 08:12]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-06-24 13:34]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-06-24 13:33]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 11:52]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57]
"TpShocks"="TpShocks.exe" [2004-03-26 17:16 C:\WINDOWS\system32\TpShocks.exe]
"Omnipage"="C:\Program Files\ScanSoft\OmniPageSE\opware32.exe" [2002-02-20 20:01]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-04-14 11:51]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-04-14 11:52]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2006-04-14 11:56]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2004-08-17 17:32]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-06-28 21:29]
"ClamWin"="C:\Program Files\ClamWin\bin\ClamTray.exe" [2007-05-27 20:48]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2006-06-15 12:36]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 22:00]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 16:21]
"FreshDownload"="C:\Program Files\FreshDevices\FreshDownload\FD.EXE" [2005-05-26 08:12]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideStartupScripts"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{9EF34FF2-3396-4527-9D27-04C8C1C67806}"="C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [2005-06-24 15:24]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-29 00:13]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=C:\WINDOWS\ihome\admin.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1343024091-1788223648-1801674531-14119\Scripts\Logon\0\0]
"Script"=\\frankston-hs.edu.vic.gov.au\SysVol\frankston-hs.edu.vic.gov.au\scripts\logon.vbs

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e8c3b4f-d745-11da-a5f1-000e35e42e4e}]
AutoRun\command- .\Recycled\Driveinfo.exe
Open\Command- .\Recycled\Driveinfo.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f2527196-b190-11db-a62c-101111111111}]
AutoRun\command- F:\.\Recycled\Driveinfo.exe
Open\Command- F:\.\Recycled\Driveinfo.exe


Contents of the 'Scheduled Tasks' folder
2005-03-03 02:42:47 C:\WINDOWS\tasks\Symantec NetDetect.job
2007-06-07 11:34:09 C:\WINDOWS\tasks\User_Feed_Synchronization-{92124761-AD60-47E2-B9AD-84C6D0454050}.job

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-08 00:00:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-06-08 0:05:10 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-08 00:04

--- E O F ---

#5 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • 3,838 posts

Posted 07 June 2007 - 11:43 AM

Hi blip, :wave:

You’re most welcome. I’m glad to hear that the problem has been solved. :)

It was caused by the malware on your system. You had some assorted baddies, but the main one was a rootkit we call Wareout. That would do all sorts of nasty things to your Internet connection.

By the way, can you connect to the Internet in Normal Mode now?


NEXT:

Please run HijackThis and click "Scan". Place a check (tick) next to the following entries (if present):

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: LoadDLLServ - Unknown owner - C:\Documents and Settings\RODONOVAN\Application Data\SysServDLL32.exe (file missing)



Close ALL programs and browsers (including this one), leaving ONLY HijackThis open, then click "Fix checked".

Then please exit HijackThis.


NEXT:

For this next step, please ensure that ComboFix.exe is on your desktop:
  • Then, please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
    (start copying from "File::")


    File::
    C:\WINDOWS\iun6002.exe
    C:\TCHPDEXP.DAT
    C:\Documents and Settings\RODONOVAN\Application Data\SysServDLL32.exe
    
    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e8c3b4f-d745-11da-a5f1-000e35e42e4e}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f2527196-b190-11db-a62c-101111111111}]
    

  • Save this as ComboFix-Do.txt and change the "Save as type" to "All Files" and place it on your desktop.


    [Screenshot: ComboFix-Do.txt being dragged onto ComboFix.exe]


  • Referring to the screenshot above, drag ComboFix-Do.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Please do NOT mouse-click ComboFix's window while it is running. That may cause it to stall. Also, please do NOT adjust your time format while ComboFix is running.


NEXT:

Please REBOOT your computer normally into Windows and post these logs in your next reply:
  • The log from the ComboFix scan located at C:\ComboFix.txt.
  • A new HijackThis log.
(You might have to paste the logs in multiple posts in the event they are too long and breach the post length restrictions of the forum software).

How are things running now?
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

--------------------

We are each of us angels with but one wing. And we can only fly embracing each other.
Luciano De Crescenzo
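
Editor's note, added to this thread: the entries Sempurna ticks above follow a pattern worth making explicit. The two toolbars, the O9 button and the LoadDLLServ service all end in "(file missing)" or "(no file)", so they are orphaned load points, and LoadDLLServ additionally points into the user's Application Data folder, which is not where legitimate Windows XP services live. The two mountpoints2 keys in the ComboFix log register .\Recycled\Driveinfo.exe as the AutoRun and Open handler for a drive, a layout commonly used by removable-media worms. The Python below is an added example, not code from this thread, from HijackThis or from ComboFix: it applies those indicators to log lines of the posted shape and renders the hits in the File::/Registry:: layout of the ComboFix-Do.txt above. The sample lines are constructed from entries in the posted logs, and the scoring rules are the editor's heuristics, not the tools' own logic.

```python
"""Added triage helper for HijackThis / ComboFix text (editor's example).
The indicators below are heuristics; every hit is a candidate for a human to judge."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: a few lines in the shape of the logs posted in this thread.
SAMPLE_HJT = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: LoadDLLServ - Unknown owner - C:\Documents and Settings\RODONOVAN\Application Data\SysServDLL32.exe (file missing)
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
"""
SAMPLE_COMBOFIX = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e8c3b4f-d745-11da-a5f1-000e35e42e4e}]
AutoRun\command- .\Recycled\Driveinfo.exe
Open\Command- .\Recycled\Driveinfo.exe
"""

ORPHAN_MARKERS = ("(file missing)", "(no file)")
# Directories a Windows XP service or in-process IE extension rarely runs from legitimately.
USER_WRITABLE = re.compile(r"documents and settings|application data|\\recycled?\\|\\temp\\", re.I)
HJT_LINE = re.compile(r"^(O\d+|R\d) - ")
WIN_PATH = re.compile(r"([A-Za-z]:\\.*?\.(?:exe|dll|ocx|sys))", re.I)
MP_KEY = re.compile(r"^\[(HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\\{[0-9a-f-]+\})\]$", re.I)
MP_CMD = re.compile(r"^(?:AutoRun\\command|Open\\Command)-\s*(.+)$", re.I)
RECYCLED_EXE = re.compile(r"\\recycle[rd]?\\[^\\]+\.exe$", re.I)


@dataclass
class Finding:
    subject: str                 # the HijackThis line, or the mountpoints2 key
    path: Optional[str]          # absolute target path when one could be parsed
    reasons: List[str] = field(default_factory=list)


def triage_hjt(text: str) -> List[Finding]:
    """Flag HijackThis entries that are orphaned or load from a user-writable location."""
    findings = []
    for line in (l.strip() for l in text.splitlines()):
        m = HJT_LINE.match(line)
        if not m:
            continue
        section = m.group(1)
        pm = WIN_PATH.search(line)
        f = Finding(line, pm.group(1) if pm else None)
        if any(marker in line for marker in ORPHAN_MARKERS):
            f.reasons.append("orphaned entry: target no longer exists")
        if section in ("O2", "O3", "O23") and f.path and USER_WRITABLE.search(f.path):
            f.reasons.append(f"{section} target lives under a user-writable directory")
        if f.reasons:
            findings.append(f)
    return findings


def triage_mountpoints(text: str) -> List[Finding]:
    """Flag mountpoints2 keys whose autorun/open handler is an .exe inside a Recycled folder."""
    by_key: Dict[str, Finding] = {}
    key = None
    for line in (l.strip() for l in text.splitlines()):
        km = MP_KEY.match(line)
        if km:
            key = km.group(1)
            continue
        cm = MP_CMD.match(line)
        if key and cm and RECYCLED_EXE.search(cm.group(1)):
            # Removable-media worms commonly drop their payload in a Recycled/RECYCLER
            # folder on the drive and register it as the drive's AutoRun and Open handler.
            f = by_key.setdefault(key, Finding(key, None))
            f.reasons.append(f"drive autorun handler points to {cm.group(1)}")
    return list(by_key.values())


def build_cfscript(hjt: List[Finding], mp: List[Finding]) -> str:
    """Render hits in the File::/Registry:: layout used in this thread:
    File:: lists absolute paths, Registry:: lists [-KEY] lines that delete a key.
    Orphaned entries with no suspicious location are left for HijackThis 'Fix checked'."""
    files = sorted({f.path for f in hjt if f.path and f.path[1:3] == ":\\"
                    and any("user-writable" in r for r in f.reasons)})
    keys = sorted(f.subject for f in mp)
    parts = []
    if files:
        parts.append("File::\n" + "\n".join(files))
    if keys:
        parts.append("Registry::\n" + "\n".join(f"[-{k}]" for k in keys))
    return "\n\n".join(parts) + ("\n" if parts else "")


def triage(hjt_text: str, combofix_text: str) -> Dict[str, object]:
    hjt = triage_hjt(hjt_text)
    return {
        "hjt_fix": [f.subject for f in hjt],      # tick these in HijackThis, then "Fix checked"
        "reasons": {f.subject: f.reasons for f in hjt},
        "cfscript": build_cfscript(hjt, triage_mountpoints(combofix_text)),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_HJT, SAMPLE_COMBOFIX)
    for entry in result["hjt_fix"]:
        print("FIX:", entry, "->", "; ".join(result["reasons"][entry]))
    print(result["cfscript"])
```

Two caveats a practitioner would add. "(file missing)" on its own is weak evidence; the Google and Yahoo toolbar entries above are most likely leftovers from uninstalls, and the stronger signal is the combination seen in LoadDLLServ: a service whose binary sat under Application Data. And a File:: line for a path that is already gone is harmless, which is why the follow-up ComboFix log in the next post shows only the two files that still existed being deleted.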

#6 blip

blip

    Member

  • Full Member
  • 5 posts

Posted 08 June 2007 - 09:28 AM

Many thanks again Sempurna.

I couldn't find any of those files you mentioned - I assume that's a good thing.

ComboFix didn't reboot (good again I hope!) and so after a restart I reran HijackThis.

Once again I'm very grateful for your time.

Here are the two logs you requested.

Blip

"rodonovan" - 2007-06-08 23:55:05 Service Pack 2 NTFS
Command switches used :: ""C:\Documents and Settings\RODONOVAN\Desktop\ComboFix-Do.txt""


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\TCHPDEXP.DAT
C:\WINDOWS\iun6002.exe


((((((((((((((((((((((((( Files Created from 2007-05-08 to 2007-06-08 )))))))))))))))))))))))))))))))


2007-06-08 09:00 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-06-08 00:05 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-06 12:25 81,920 --a------ C:\WINDOWS\system32\viscomwave.dll
2007-06-06 12:25 <DIR> d-------- C:\Program Files\Video Audio To MP3 WAVE Converter
2007-06-04 21:54 <DIR> d----c--- C:\DOCUME~1\RODONO~1\APPLIC~1\Nokia Multimedia Player
2007-06-01 11:29 <DIR> d-------- C:\hijackthis
2007-05-31 21:35 <DIR> d-------- C:\Program Files\AVI Codec Pack
2007-05-31 21:34 <DIR> d-------- C:\WINDOWS\system32\quicktime
2007-05-31 19:22 <DIR> d----c--- C:\DOCUME~1\RODONO~1\APPLIC~1\Datalayer
2007-05-31 19:21 <DIR> d----c--- C:\DOCUME~1\RODONO~1\Phone Browser
2007-05-30 20:55 <DIR> d----c--- C:\DOCUME~1\RODONO~1\APPLIC~1\Nokia
2007-05-30 20:47 <DIR> d-------- C:\Program Files\DIFX
2007-05-30 20:47 <DIR> d-------- C:\Program Files\Common Files\Nokia
2007-05-30 20:46 <DIR> d----c--- C:\DOCUME~1\RODONO~1\APPLIC~1\PC Suite
2007-05-30 20:46 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PC Suite
2007-05-30 20:45 8,704 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2007-05-30 20:45 4,608 --a------ C:\WINDOWS\system32\nmwcdlog.dll
2007-05-30 20:45 30,720 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2007-05-30 20:45 13,312 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2007-05-30 20:45 13,312 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2007-05-30 20:45 127,488 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2007-05-30 20:45 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2007-05-30 20:44 50,688 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2007-05-30 20:44 <DIR> d-------- C:\Program Files\Nokia
2007-05-30 20:43 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Downloaded Installations
2007-05-29 12:46 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-05-29 12:45 <DIR> d-------- C:\Program Files\Classroom Sim 9-12
2007-05-24 17:02 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2007-05-24 17:02 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-05-23 17:05 8,126,464 --a------ C:\DOCUME~1\RODONO~1\ntuser.dat
2007-05-20 23:54 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-05-20 23:54 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-05-15 16:32 <DIR> d-------- C:\Program Files\DivX
2007-05-14 22:25 <DIR> d-------- C:\Program Files\Axis Communications
2007-05-13 23:23 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-05-13 23:23 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-05-09 20:25 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-01 03:09:30 -------- d-----w C:\Program Files\Winamp
2007-06-01 02:57:44 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-05-28 06:17:03 -------- d-----w C:\Program Files\ClamWin
2007-05-13 08:13:49 -------- d-----w C:\Program Files\Google
2007-05-13 07:48:20 -------- d-----w C:\Program Files\Microsoft ActiveSync
2007-05-12 07:54:05 -------- d-----w C:\Program Files\Microsoft AntiSpyware
2007-05-04 06:46:13 -------- d-----w C:\Program Files\Windows Live Safety Center
2007-05-04 01:13:01 1,156 ----a-w C:\WINDOWS\mozver.dat
2007-05-01 10:34:32 -------- dc----w C:\DOCUME~1\RODONO~1\APPLIC~1\.clamwin
2007-04-25 00:46:29 -------- d-----w C:\Program Files\Replay Media Catcher
2007-04-25 00:41:17 2,874,926 ----a-w C:\Program Files\FLV PlayerRCATSetup.exe
2007-04-25 00:40:46 -------- d-----w C:\Program Files\Replay Converter
2007-04-25 00:38:49 25,990,392 ----a-w C:\Program Files\FLV PlayerRCSetup.exe
2007-04-25 00:21:27 -------- d-----w C:\Program Files\FLV Player
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-08 10:30:25 -------- d-----w C:\Program Files\TrackMaker
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-09 09:12:32 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 19:38]
{206E52E0-D52E-11D4-AD54-0000E86C26F6}=C:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll [2005-05-26 08:12]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-06-24 13:34]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-06-24 13:33]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 11:52]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57]
"TpShocks"="TpShocks.exe" [2004-03-26 17:16 C:\WINDOWS\system32\TpShocks.exe]
"Omnipage"="C:\Program Files\ScanSoft\OmniPageSE\opware32.exe" [2002-02-20 20:01]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-04-14 11:51]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-04-14 11:52]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2006-04-14 11:56]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2004-08-17 17:32]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-06-28 21:29]
"ClamWin"="C:\Program Files\ClamWin\bin\ClamTray.exe" [2007-05-27 20:48]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2006-06-15 12:36]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 22:00]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 16:21]
"FreshDownload"="C:\Program Files\FreshDevices\FreshDownload\FD.EXE" [2005-05-26 08:12]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideStartupScripts"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{9EF34FF2-3396-4527-9D27-04C8C1C67806}"="C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [2005-06-24 15:24]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-29 00:13]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=C:\WINDOWS\ihome\admin.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1343024091-1788223648-1801674531-14119\Scripts\Logon\0\0]
"Script"=\\frankston-hs.edu.vic.gov.au\SysVol\frankston-hs.edu.vic.gov.au\scripts\logon.vbs

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


Contents of the 'Scheduled Tasks' folder
2005-03-03 02:42:47 C:\WINDOWS\tasks\Symantec NetDetect.job
2007-06-08 12:15:37 C:\WINDOWS\tasks\User_Feed_Synchronization-{92124761-AD60-47E2-B9AD-84C6D0454050}.job

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-09 00:09:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-06-09 0:10:56
C:\ComboFix-quarantined-files.txt ... 2007-06-09 00:10
C:\ComboFix2.txt ... 2007-06-08 00:05

--- E O F ---


------------------------------------------------------------
------------------------------------------------------------
-------------- HijackThis Log Follows--------------------
------------------------------------------------------------
------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 00:19, on 2007-06-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\FreshDevices\FreshDownload\FD.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Canon\MultiPASS4\MPDBMgr.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.fhs.vic.edu.au/exchange/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://fhswebs/main.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://au.rd.yahoo.c...earch.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = fhsproxy:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [FreshDownload] "C:\Program Files\FreshDevices\FreshDownload\FD.EXE"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Download &All by FD - file://C:\Program Files\FreshDevices\FreshDownload\fdiectx2.htm
O8 - Extra context menu item: Download with &FD - file://C:\Program Files\FreshDevices\FreshDownload\fdiectx.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll (file missing)
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://fhswebs
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://www.vass.vic...on/cab/smsx.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1109736019010
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://131.188.69.22/activex/AMC.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelg...in/cortvrml.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.belfastci...sCamControl.ocx
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://64.53.55.34/activex/AMC.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = frankston-hs.edu.vic.gov.au
O17 - HKLM\Software\..\Telephony: DomainName = frankston-hs.edu.vic.gov.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = frankston-hs.edu.vic.gov.au
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

#7 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • 3,838 posts

Posted 09 June 2007 - 01:06 AM

Hi blip, :wave:

You're most welcome, blip. :)

Things appear to have cleaned up nicely. You did a great job. Well done, and keep up the good work! :thumbsup:

How are things running now? Any persistent problem or suspicious behaviour on your machine that I should know about?
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

--------------------

We are each of us angels with but one wing. And we can only fly embracing each other.
Luciano De Crescenzo

#8 blip

blip

    Member

  • Full Member
  • 5 posts

Posted 09 June 2007 - 02:06 AM

Everything is quite cruisey Sempurna... and I think it was you who did all the good work :-)

So once again, many many thanks. You're a kind and gifted soul.

Warm regards,

Blip

#9 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • 3,838 posts

Posted 09 June 2007 - 05:28 AM

Hi Blip, :wave:

You’re most welcome, Blip. :)

Just some loose ends to tie up, and then we can let you go home. :)

Reconfigure Windows XP to disable viewing of hidden files/folders:
  • Click Start -> My Computer.
  • Select the "Tools" menu and click "Folder Options". Select the "View" tab.
  • Under the "Hidden files and folders" heading uncheck "Show hidden files and folders".
  • Check the "Hide protected operating system files (recommended)" option.
  • Check the "Hide file extensions for known file types" option.
  • Click "Yes" to confirm. Click "OK".

NEXT:

Your version of Sun Java is out-of-date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older Java version components and update:
  • CLICK HERE to download the offline installer.
    • Select "Java Runtime Environment (JRE) 6u1" and click the "Download" button to the right.
    • Check the box that says "Accept License Agreement".
    • Click on the link to download "Windows Offline Installation, Multi-language".
    • Save the file to your desktop.
  • Next, uninstall your currently installed version from Add/Remove Programs.
  • If you have older versions listed, uninstall them also. If you simply update to the new version, it leaves the older versions still installed, complete with previous vulnerabilities.
  • Examples of older versions in Add/Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 2
    • Java™ SE Runtime Environment 6
  • Reboot your system.
  • Install the new version by double-clicking on the file you downloaded.

NEXT:

Everything looks great; your HijackThis log appears to be clean. :)

Please take some time reading this list; it is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Windows Updates (a must!)
    It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. You can either click on the link above and bookmark the updates page, or open Internet Explorer, then go to the Tools menu -> Windows Update, and follow the online instructions from there.

  • Firewall (a must!)
    It is definitely a must have. Some good FREE versions are Comodo, Outpost, or ZoneAlarm.
    Test your Firewall and make sure it is working properly.
    Note: You must only use 1 (one) firewall at a time because if you have 2 or more firewalls running at the same time, they will conflict with each other and make your security less reliable. Please also remember to turn off Windows Firewall once you have installed a new firewall.

  • Also make sure to run your antivirus software regularly, and to keep it up-to-date.

  • Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you do decide to install Firefox, please take a moment to read Switching from IE to Firefox.

  • SpywareBlaster
    This is a great FREE prevention tool to keep nasties from installing on your system.
    Tutorial: How to use!

  • IE-SPYAD
    This FREE tool puts over 5000 sites in your IE Restricted Zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
    Tutorial: How to use!

  • Spybot - Search & Destroy
    This is a very powerful FREE tool that can search for and annihilate nasties that make it onto your system. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features for realtime protection.
    Tutorial: How to use!

  • Ad-Aware SE
    This is another very powerful FREE tool that searches for and kills nasties that infect your system. Ad-Aware SE and Spybot Search & Destroy complement each other very well.
    Tutorial: How to use!

  • I suggest that you download one or two of these FREE and good anti-trojan programs to use for ad-hoc scanning on your system:
    a-squared Free
    AVG Anti-Spyware Free
    AVZ Antiviral Toolkit
    SUPERAntiSpyware


  • I would also suggest you perform an online virus scan once in a while because what one virus scanner can't find, another one maybe can:
    BitDefender Online Scanner
    F-Secure Online Scanner
    Panda ActiveScan
    Dr.Web CureIt <-- This is not really an online scanner, as it is a standalone utility. You need to download a new copy for updated virus definitions, but it can be run in Safe Mode, unlike the online scanners above.
Please also read Tony Klein's excellent article How I got Infected in the First Place and this CastleCops article Malware Prevention: Prevent Re-infection.

Hopefully this should take care of your problems! Good luck! :D
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

--------------------

We are each of us angels with but one wing. And we can only fly embracing each other.
Luciano De Crescenzo
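Post #9 above says the HijackThis log "appears to be clean". As an added example (not code from this thread or from HijackThis itself), here is a small Python triage pass over log lines in the HijackThis v1.99 format shown earlier in this thread: it pulls out the entries a reviewer checks by hand, such as "(file missing)" references and O16 ActiveX controls fetched from a bare IP address. The sample log is constructed: five lines are copied from this thread and the last O16 entry is made up to show an unflagged case.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample in HijackThis v1.99 format. The first five lines are copied
# from the log posted in this thread; the last O16 line is made up (example.com).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = fhsproxy:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll (file missing)
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://131.188.69.22/activex/AMC.cab
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Example Control) - http://updates.example.com/control.cab
"""

# Every HijackThis entry starts with a section code (R0/R1/R3, F0-F3, O1-O23) and " - ".
LINE_RE = re.compile(r"^([RFO]\d+) - (.*)$")


def parse_hjt(text):
    """Split a HijackThis log into (section, body) pairs, skipping non-entry lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def dpf_host_is_ip(body):
    """True when an O16 DPF entry downloads its ActiveX control from a bare IP address."""
    url = body.rsplit(" - ", 1)[-1]          # the URL is the last " - " separated field
    host = urlsplit(url).hostname
    if not host:
        return False
    try:
        ip_address(host)
        return True
    except ValueError:                       # a hostname, not an IP literal
        return False


def review(entries):
    """Return (section, reason, body) triples that deserve a manual look.

    None of these is proof of infection; they are the items a helper in a thread
    like this one verifies by hand before declaring a log clean.
    """
    findings = []
    for section, body in entries:
        if body.endswith("(file missing)"):
            findings.append((section, "orphaned reference", body))
        elif section == "O16" and dpf_host_is_ip(body):
            findings.append((section, "ActiveX download from bare IP", body))
        elif section == "O2" and body.startswith("BHO: (no name)"):
            findings.append((section, "unnamed BHO, identify the DLL", body))
        elif section == "R1" and "ProxyServer" in body:
            findings.append((section, "proxy configured, confirm expected", body))
    return findings


if __name__ == "__main__":
    for section, reason, body in review(parse_hjt(SAMPLE_LOG)):
        print(f"{section:4} {reason:35} {body}")
```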

#10 blip

blip

    Member

  • Full Member
  • 5 posts

Posted 11 June 2007 - 09:54 AM

Fabulous Sempurna - have uninstalled the old Java versions and installed the new one.
I've also swapped to Firefox - you're right, it's very impressive!! I've sorted out my firewall, anti-virus and anti-trojan software.

Many many many thanks. I've gone from :techsupport: and :blink: to :D all thanks to you.

In the nicest way possible, I think I'll never have to speak to you again!!!

Blip

#11 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • 3,838 posts

Posted 12 June 2007 - 12:32 AM

Hi Blip, :wave:

You're most welcome, Blip. I'm glad to hear that things are running better now. :)

Cheers! :wave:
~ Sempurna
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

--------------------

We are each of us angels with but one wing. And we can only fly embracing each other.
Luciano De Crescenzo

#12 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • 3,838 posts

Posted 25 July 2007 - 07:29 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please tell the moderating team by replying HERE with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

--------------------

We are each of us angels with but one wing. And we can only fly embracing each other.
Luciano De Crescenzo



