Well can you go through that list of files (in safe mode probably) and delete them all? Most of them are in the same folder so it shouldn't take too long.
OK, I re-booted into safe mode and deleted the files (except the e-mail attachments for now). I then ran Ad-Aware and Spybot Search & Destroy, then rebooted, updated them, and ran them again. This time SS&D found Smitfraud-C; I had SS&D fix it. I also got an AVG pop-up identifying a Trojan horse BackDoor.Generic3.VKX in C:\NetMeeting\Down(0).exe, then I noticed that the c:\autoback\ directory had shown up again, so I rebooted into safe mode again, deleted those files, and rebooted again. This time AA and SS&D came up clean. Again the Down(0) was created and came up with the virus. Again C:\autoback\ was there. This time I tried deleting with Killbox, and deleting on reboot for most of them, then rebooted. I did not see C:\autoback\ or C:\Program Files\NetMeeting\Down(x).exe on reboot.
Logfile of HijackThis v1.99.1
Scan saved at 7:08:12 AM, on 12/9/2006
Platform: Windows XP SP2, v.2082 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2082)
I have repeatedly "fixed" those three entries, to no avail. The two O23 entries just won't go away, even though the files they reference were deleted long ago (even when the files haven't returned). The O4 entry will go away, but after a short while the subdirectory appears again and it again shows up in HJT.
When I went to delete the C:\autoback\svchost.exe file this time, I used Killbox instead of Windows Explorer. That prompted a "please shutdown all your programs" dialogue that informed me Windows had to shut down, then after a 60-second timer Windows rebooted. I got informed of two stop errors caused by device drivers. The svchost.exe file did not immediately return. I then used Killbox to delete the entire C:\autoback directory, svchest.exe (and svchest.reg) from the System subdirectory, and verified that there was still no C:\Program.exe to delete. While I was at it, I had Killbox delete C:\Program Files\NetMeeting\Down(0).exe, which had also reappeared. I then had HJT "fix" the three files (plus the O4 for SCVHOST.exe). I then ran HJT again; here is the log:
Logfile of HijackThis v1.99.1
Scan saved at 7:15:08 AM, on 11/28/2006
Platform: Windows XP SP2, v.2082 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2082)
Earlier, I was running Trend Micro's Housecall on another computer, browsing down to the page, and was offered the choice of running an ActiveX version instead of the Java version. So I ran Housecall, but the results were in a browser window that was lost when my computer rebooted upon deleting svchost.exe. I am running it again and will post the results here.
(MS06-064) Vulnerabilities in TCP/IP IPv6 Could Allow Denial of Service (922819). Microsoft
(MS06-065) Vulnerability in Windows Object Packager Could Allow Remote Code Execution (924496)
(MS06-068) Vulnerability in Microsoft Agent Could Allow Remote Code Execution (920213)
(MS06-070) Vulnerability in Workstation Service Could Allow Remote Code Execution (924270)
I clicked "Clean now," which I understand should have cleaned the BKDR_NSPM.AL.
I ran HJT and "Fixed" the two O23's again (the O24's were not present), then ran it again; the O23's are still present:
Logfile of HijackThis v1.99.1
Scan saved at 7:28:55 PM, on 12/9/2006
Platform: Windows XP SP2, v.2082 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2082)
In the process I noticed that I copied the HJT log from the wrong location in the post above, so that is several days old. This log overwrote the one that I should have posted in the post above.
As I write this, Internet Explorer (which I'd used to run HouseCall's ActiveX version) is popping up windows to hijacked locations. Here's another HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 7:37:46 PM, on 12/9/2006
Platform: Windows XP SP2, v.2082 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2082)
I haven't read the whole thread, but please do the following...
Please print out or copy these instructions/tutorial to Notepad, as the internet will not be available to you (while in Safe Mode) at certain points of the removal process. Make sure to work through all the steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
Click Exit on the Main menu to close the program.
_________________________________
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update successful message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido. AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
Don't run a scan yet; we will later!
_________________________________
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad. Save it as "All Files" and name it FixServices.bat. Please save it on your desktop.
- Close ALL open windows(especially Internet Explorer!)
- Click Fix Checked
Close HijackThis
_________________________________
Reboot your computer in Safe Mode.
If the computer is running, shut down Windows, and then turn off the power.
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
Login on your usual account.
_________________________________
Make sure you can view hidden files and folders:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below. IMPORTANT: Don't click the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine(1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot back into Normal Mode, and post a new HJT log, along with the AVG Anti-Spyware log.
I installed, manually updated, and configured AVG Anti-Spyware as directed.
I created and ran FixServices.bat.
I ran HijackThis, but as neither of the specified O23 entries were present (yay!) I could not fix them.
I shut down my computer. (Before shutting down, it displayed a "Preparing updates for installation..." message.)
I started Windows in Safe Mode.
Neither C:\WINDOWS\System\svchest.exe nor C:\Program.exe were found, so I could not delete them.
I set the settings as directed in AVG Anti-Spyware and initiated a Complete System Scan. TrackingCookies cannot be set to "Quarantine," so were set to "Delete" instead. Actions applied and report saved.
I re-booted in Normal mode.
AVG Anti-Spyware - Scan Report
+ Created at: 9:51:11 PM 12/9/2006
+ Scan result:
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C95FE080-8F5D-11D2-A20B-00AA003C157A} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C95FE080-8F5D-11D2-A20B-00AA003C157A} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-507921405-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C95FE080-8F5D-11D2-A20B-00AA003C157A} -> Adware.Generic : Cleaned with backup (quarantined).
C:\Program Files\NetMeeting\msmsgs -> Backdoor.Hupigon.cpb : Cleaned with backup (quarantined).
C:\!KillBox\autoback\IISActivebox.exe -> Downloader.Banload.ase : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{BD694B9E-6362-4990-89FD-EF4A6BCF77E8}\RP3\A0002035.exe -> Downloader.Banload.ase : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{BD694B9E-6362-4990-89FD-EF4A6BCF77E8}\RP7\A0006193.exe -> Downloader.Banload.ase : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{BD694B9E-6362-4990-89FD-EF4A6BCF77E8}\RP7\A0006197.exe -> Downloader.Banload.ase : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{BD694B9E-6362-4990-89FD-EF4A6BCF77E8}\RP7\A0006221.exe -> Downloader.Banload.ase : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{BD694B9E-6362-4990-89FD-EF4A6BCF77E8}\RP7\A0006226.exe -> Downloader.Banload.ase : Cleaned with backup (quarantined).
C:\WINDOWS\Help\svchost.exe -> Logger.Fearless.20 : Cleaned with backup (quarantined).
C:\WINDOWS\Config\term.exe -> Logger.VB.oh : Cleaned with backup (quarantined).
C:\WINDOWS\system\gm.exe -> Logger.VB.oh : Cleaned with backup (quarantined).
:mozilla.10:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\chjtjust.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.11:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\chjtjust.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.24:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\chjtjust.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.6:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\chjtjust.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.7:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\chjtjust.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.8:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\chjtjust.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.9:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\chjtjust.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Carole\Cookies\carole@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.22:C:\Documents and Settings\Carole\Application Data\Mozilla\Firefox\Profiles\mnlkn7e1.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.
::Report end
Logfile of HijackThis v1.99.1
Scan saved at 9:55:34 PM, on 12/9/2006
Platform: Windows XP SP2, v.2082 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2082)
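A few things are worth pulling out of the AVG report above mechanically rather than by eye: which hits are live executables versus tracking cookies, and which sit inside System Restore points (the `_restore{...}\RPn` paths), because a later rollback to one of those points would bring the quarantined executables back. The parser below is an added example, not part of this thread and not AVG Anti-Spyware code. The line format it expects, the category rules and the severity table are this example's own assumptions, and the sample is a constructed subset of the posted report (the cookie path under Documents and Settings uses a placeholder user name).

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: a subset of the AVG Anti-Spyware report lines posted in this thread,
# with a placeholder user name in the Cookies folder path.
SAMPLE_REPORT = r"""
AVG Anti-Spyware - Scan Report
+ Created at: 9:51:11 PM 12/9/2006
+ Scan result:
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C95FE080-8F5D-11D2-A20B-00AA003C157A} -> Adware.Generic : Cleaned with backup (quarantined).
C:\Program Files\NetMeeting\msmsgs -> Backdoor.Hupigon.cpb : Cleaned with backup (quarantined).
C:\!KillBox\autoback\IISActivebox.exe -> Downloader.Banload.ase : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{BD694B9E-6362-4990-89FD-EF4A6BCF77E8}\RP3\A0002035.exe -> Downloader.Banload.ase : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{BD694B9E-6362-4990-89FD-EF4A6BCF77E8}\RP7\A0006193.exe -> Downloader.Banload.ase : Cleaned with backup (quarantined).
C:\WINDOWS\Help\svchost.exe -> Logger.Fearless.20 : Cleaned with backup (quarantined).
:mozilla.10:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\chjtjust.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\user\Cookies\user@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
::Report end
"""

# Rough severity by detection family (the part before the first '.'); an assumption of this example.
SEVERITY = {"Backdoor": "high", "Logger": "high", "Downloader": "high",
            "Adware": "medium", "TrackingCookie": "low"}

# "<location> -> <detection> : <action>." is the line shape assumed for a detection.
LINE_RE = re.compile(r"^(?P<location>.+?) -> (?P<detection>[^:]+?) : (?P<action>.+?)\.?$")
# System Restore snapshot path; group 1 is the restore point name (RP3, RP7, ...).
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(RP\d+)\\", re.I)


@dataclass
class Detection:
    location: str
    family: str
    name: str
    action: str
    category: str  # registry | restore_point | cookie | killbox | file


def categorize(location: str) -> str:
    """Classify where a detection lives; the order matters (registry keys first)."""
    loc = location.lower()
    if loc.startswith("hk"):
        return "registry"
    if RESTORE_RE.search(location):
        return "restore_point"
    if loc.startswith(":mozilla.") or "\\cookies\\" in loc:
        return "cookie"
    if "\\!killbox\\" in loc:
        return "killbox"  # copy kept by the Killbox deletion tool used earlier in the thread
    return "file"


def parse_report(text: str) -> List[Detection]:
    """Turn the report into Detection records, skipping header and footer lines."""
    found = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # title, "+ Created at", "+ Scan result" and "::Report end" carry no detection
        detection = m.group("detection").strip()
        family = detection.split(".", 1)[0]
        found.append(Detection(m.group("location"), family, detection,
                               m.group("action"), categorize(m.group("location"))))
    return found


def summarize(text: str) -> Dict[str, object]:
    """Count hits by location category and severity, and list what still matters after cleanup."""
    dets = parse_report(text)
    by_cat = Counter(d.category for d in dets)
    by_sev = Counter(SEVERITY.get(d.family, "unknown") for d in dets)
    live_high = [d.location for d in dets if d.category == "file" and SEVERITY.get(d.family) == "high"]
    rps = sorted({RESTORE_RE.search(d.location).group(1) for d in dets if d.category == "restore_point"})
    notes = []
    if rps:
        notes.append("infected copies found in restore points " + ", ".join(rps)
                     + "; rolling back to them would reinstate the malware")
    return {"by_category": dict(by_cat), "by_severity": dict(by_sev),
            "live_high": live_high, "restore_points": rps, "notes": notes}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

On the constructed sample the summary separates the two high-severity executables that were actually running from the tracking cookies, and names RP3 and RP7 as restore points that still held copies of the downloader, which is the practical reason cleanup threads end with purging System Restore once the machine is clean.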
I don't see any indication of a Firewall in your HijackThis log. This may be because:
(1.) You are using Windows Firewall or a hardware Firewall.
(2.) You are using a Firewall of an unknown vendor.
(3.) You are using a Firewall, but it is disabled for unknown reasons
(4.) You don't use any firewall at all.
In the case you don't have a Firewall, please download one from the list below - They are Free!
1. Download this file to your Desktop - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply
Note: Do not mouse-click combofix's window whilst it's running. That may cause it to stall.
Logfile of HijackThis v1.99.1
Scan saved at 1:57:49 AM, on 12/10/2006
Platform: Windows XP SP2, v.2082 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2082)
Comments
Logfile of HijackThis v1.99.1
Scan saved at 7:08:12 AM, on 12/9/2006
Platform: Windows XP SP2, v.2082 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2082)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\CE\nmSvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\QuickenW\QWDLLS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NMSVC] C:\Program Files\CE\nmSvc.exe
O4 - HKLM\..\Run: [MSConfigs] c:\autoback\svchost.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QuickenW\BILLMIND.EXE
O4 - Global Startup: IDW Logging Tool.lnk = C:\WINDOWS\system32\idwlog.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QuickenW\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nmnsp.dll
O10 - Broken Internet access because of LSP provider 'cespy.dll' missing
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Indexing Helps (Indexingbox) - Unknown owner - %WINDIR%\system\svchest.exe (file missing)
O23 - Service: OESH (Office Source Engine Help) - Unknown owner - C:\Program.exe (file missing)
O4 - HKLM\..\Run: [MSConfigs] c:\autoback\svchost.exe
O23 - Service: Indexing Helps (Indexingbox) - Unknown owner - %WINDIR%\system\svchest.exe (file missing)
O23 - Service: OESH (Office Source Engine Help) - Unknown owner - C:\Program.exe (file missing)
Fix those entries and post a new log.
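The three entries picked out above (an O4 Run entry launching a svchost.exe from c:\autoback, and two O23 services with no owner whose binaries are marked "file missing") are the sort of triage that can be written down as rules and run over a whole log. The script below is an added example, not part of this thread and not HijackThis code; it applies such rules to a constructed subset of the posted log lines. The trusted-root list, the table of Windows system binary names and the regular expressions for the HJT 1.99.1 line shapes are this example's own assumptions, not anything the tool documents.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a subset of the HijackThis 1.99.1 log lines posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\hijackthis\HijackThis.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MSConfigs] c:\autoback\svchost.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QuickenW\QWDLLS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nmnsp.dll
O10 - Broken Internet access because of LSP provider 'cespy.dll' missing
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: Indexing Helps (Indexingbox) - Unknown owner - %WINDIR%\system\svchest.exe (file missing)
O23 - Service: OESH (Office Source Engine Help) - Unknown owner - C:\Program.exe (file missing)
"""

# Names Windows ships only in these directories (assumption of this example; XP layout).
SYSTEM_BINARIES = {
    "smss.exe": ("c:\\windows\\system32",), "csrss.exe": ("c:\\windows\\system32",),
    "winlogon.exe": ("c:\\windows\\system32",), "services.exe": ("c:\\windows\\system32",),
    "lsass.exe": ("c:\\windows\\system32",), "svchost.exe": ("c:\\windows\\system32",),
    "spoolsv.exe": ("c:\\windows\\system32",), "explorer.exe": ("c:\\windows",),
}
# Autostarts are expected to launch from under one of these trees (assumption of this example).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")

O4_RE = re.compile(r"^O4 - .*?: (?:\[[^\]]*\] |.+? = )(?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) \((?P<name>[^)]+)\) - (?P<owner>.+?) - (?P<path>.+)$")


@dataclass
class Finding:
    line: str
    reasons: List[str]


def normalize(path: str) -> str:
    """Lower-case a path and expand the variables and 8.3 short names seen in HJT logs."""
    p = path.strip().strip('"').lower()
    p = p.replace("%systemroot%", "c:\\windows").replace("%windir%", "c:\\windows")
    return p.replace("progra~1", "program files")


def executable_of(command: str) -> str:
    """Program part of an autostart command: up to the first .exe, else the first token."""
    m = re.match(r"(.*?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def check_path(path: str, what: str) -> List[str]:
    """Flag a system-binary name outside its home directory; for autostarts, also any
    program launched from outside the Windows and Program Files trees."""
    reasons: List[str] = []
    p = normalize(path)
    if "\\" not in p:  # a bare name such as rundll32.exe is resolved via the system path
        return reasons
    directory, _, name = p.rpartition("\\")
    expected = SYSTEM_BINARIES.get(name)
    if expected and directory not in expected:
        reasons.append(f"{what}: '{name}' is a Windows system binary name but runs from {directory}")
    if what == "autostart" and not p.startswith(TRUSTED_ROOTS):
        reasons.append(f"{what}: program outside Windows/Program Files ({p})")
    return reasons


def check_service(m: "re.Match") -> List[str]:
    """An O23 entry is suspicious when its binary is gone (registration persists) or unowned."""
    reasons: List[str] = []
    path = m.group("path")
    if path.endswith("(file missing)"):
        reasons.append("service: binary missing on disk but the service registration persists")
        path = path[: -len("(file missing)")].strip()
    if m.group("owner") == "Unknown owner":
        reasons.append("service: no vendor information")
    return reasons + check_path(path, "service")


def triage(log_text: str) -> List[Finding]:
    """Walk an HJT log and return the lines that trip a rule, with the reasons."""
    findings: List[Finding] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if re.match(r"^[A-Z]\d+ - ", line):  # first R0/F1/O2... line ends the process list
            in_processes = False
        reasons: List[str] = []
        if in_processes:
            reasons = check_path(line, "process")
        elif line.startswith("O4 - "):
            m = O4_RE.match(line)
            if m:
                reasons = check_path(executable_of(m.group("cmd")), "autostart")
        elif line.startswith("O10 - "):
            reasons = ["winsock: unknown or broken LSP provider"]
        elif line.startswith("O23 - "):
            m = O23_RE.match(line)
            if m:
                reasons = check_service(m)
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   -", r)
```

On the sample the two O23 services are flagged for the same two reasons given by hand above, the MSConfigs autostart is flagged twice (system binary name in the wrong place, and a launch from outside the trusted trees), while the AVG services, the dumprep entry and the Quicken startup link pass. The "file missing" reason is exactly the state this thread keeps running into: deleting the binary does not remove the service registration that HJT reports.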
I have repeatedly "fixed" those three entries, to no avail. The two O23 entries just won't go away, even though the files they reference were deleted long ago (even when the files haven't returned). The O4 entry will go away, but after a short while the subdirectory appears again and it again shows up in HJT.
When I went to delete the C:\autoback\svchost.exe file this time, I used Killbox instead of Windows Explorer. That prompted a "please shutdown all your programs" dialogue that informed me Windows had to shut down, then after a 60-second timer Windows rebooted. I got informed of two stop errors caused by device drivers. The svchost.exe file did not immediately return. I then used Killbox to delete the entire C:\autoback directory, svchest.exe (and svchest.reg) from the System subdirectory, and verified that there was still no C:\Program.exe to delete. While I was at it, I had Killbox delete C:\Program Files\NetMeeting\Down(0).exe, which had also reappeared. I then had HJT "fix" the three files (plus the O4 for SCVHOST.exe). I then ran HJT again; here is the log:
Logfile of HijackThis v1.99.1
Scan saved at 7:15:08 AM, on 11/28/2006
Platform: Windows XP SP2, v.2082 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2082)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\CE\nmSvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\idwlog.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\QuickenW\QWDLLS.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NMSVC] C:\Program Files\CE\nmSvc.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QuickenW\BILLMIND.EXE
O4 - Global Startup: IDW Logging Tool.lnk = C:\WINDOWS\system32\idwlog.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QuickenW\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nmnsp.dll
O10 - Broken Internet access because of LSP provider 'cespy.dll' missing
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: OESH (Office Source Engine Help) - Unknown owner - C:\Program.exe (file missing)
Earlier, I was running Trend Micro's Housecall on another computer, browsing down to the page, and was offered the choice of running an ActiveX version instead of the Java version. So I ran Housecall, but the results were in a browser window that was lost when my computer rebooted upon deleting svchost.exe. I am running it again and will post the results here.
BKDR_NSPM.AL
svchest.exe files found in KillBox and Recycler subdirectories
C:\Windows\SCVHOST.EXE
Vulnerabilities detected; errors occurred while HouseCall was trying to retrieve more information. No more information available.
MS04-038 MS05-012 MS05-025 MS05-039
MS04-043 MS05-013 MS05-026 MS05-040
MS04-044 MS05-014 MS05-027 MS05-041
MS05-001 MS05-015 MS05-032 MS05-042
MS05-007 MS05-016 MS05-033 MS05-043
MS05-008 MS05-018 MS05-036 MS05-045
MS05-009 MS05-019 MS05-037 MS05-046
MS05-011 MS05-020 MS05-038 MS05-047
MS05-048 MS06-006 MS06-030 MS06-051
MS05-049 MS06-007 MS06-032 MS06-052
MS05-050 MS06-013 MS06-035 MS06-053
MS05-051 MS06-014 MS06-036 MS06-055
MS05-052 MS06-015 MS06-040 MS06-057
MS05-053 MS06-018 MS06-041 MS06-061
MS05-054 MS06-021 MS06-042 MS06-063
MS06-001 MS06-022 MS06-045 MS06-066
MS06-002 MS06-023 MS06-046 MS06-067
MS06-005 MS06-025 MS06-050
(MS06-064) Vulnerabilities in TCP/IP IPv6 Could Allow Denial of Service (922819). Microsoft
(MS06-065) Vulnerability in Windows Object Packager Could Allow Remote Code Execution (924496)
(MS06-068) Vulnerability in Microsoft Agent Could Allow Remote Code Execution (920213)
(MS06-070) Vulnerability in Workstation Service Could Allow Remote Code Execution (924270)
I clicked "Clean now," which I understand should have cleaned the BKDR_NSPM.AL.
I ran HJT and "Fixed" the two O23's again (the O24's were not present), then ran it again; the O23's are still present:
Logfile of HijackThis v1.99.1
Scan saved at 7:28:55 PM, on 12/9/2006
Platform: Windows XP SP2, v.2082 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2082)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\CE\nmSvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\QuickenW\QWDLLS.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NMSVC] C:\Program Files\CE\nmSvc.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QuickenW\BILLMIND.EXE
O4 - Global Startup: IDW Logging Tool.lnk = C:\WINDOWS\system32\idwlog.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QuickenW\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nmnsp.dll
O10 - Broken Internet access because of LSP provider 'cespy.dll' missing
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Indexing Helps (Indexingbox) - Unknown owner - %WINDIR%\system\svchest.exe (file missing)
O23 - Service: OESH (Office Source Engine Help) - Unknown owner - C:\Program.exe (file missing)
In the process I noticed that I copied the HJT log from the wrong location in the post above, so that is several days old. This log overwrote the one that I should have posted in the post above.
As I write this, Internet Explorer (which I'd used to run HouseCall's ActiveX version) is popping up windows to hijacked locations. Here's another HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 7:37:46 PM, on 12/9/2006
Platform: Windows XP SP2, v.2082 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2082)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\CE\nmSvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\QuickenW\QWDLLS.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NMSVC] C:\Program Files\CE\nmSvc.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QuickenW\BILLMIND.EXE
O4 - Global Startup: IDW Logging Tool.lnk = C:\WINDOWS\system32\idwlog.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QuickenW\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nmnsp.dll
O10 - Broken Internet access because of LSP provider 'cespy.dll' missing
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Indexing Helps (Indexingbox) - Unknown owner - %WINDIR%\system\svchest.exe (file missing)
O23 - Service: OESH (Office Source Engine Help) - Unknown owner - C:\Program.exe (file missing)
I'm leaving the computer running for now...
Please print out or copy these instructions/tutorial to Notepad, as the internet will not be available to you (while in Safe Mode) at certain points of the removal process. Make sure to work through all the steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.
This program is for XP and Windows 2000 only!
Double-click ATF Cleaner.exe to open it.
Under Main select the following:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
Click Exit on the Main menu to close the program.
_________________________________
Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
- Install AVG Anti-Spyware by double clicking the installer.
- Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
- On the main screen under Your Computer's security.
- Click on Change state next to Resident shield. It should now change to inactive.
- Click on Change state next to Automatic updates. It should now change to inactive.
- Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
- Wait until you see the Update successful message.
- Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
- Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido: AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
Don't run a scan yet; we will later!
_________________________________
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad. Save it as "All Files" and name it FixServices.bat. Please save it on your desktop. Double click FixServices.bat. A window will open and close. This is normal.
_________________________________
Open HijackThis
- Click the Do a system scan only button
- Check the following entries (below)
O23 - Service: Indexing Helps (Indexingbox) - Unknown owner - %WINDIR%\system\svchest.exe (file missing)
O23 - Service: OESH (Office Source Engine Help) - Unknown owner - C:\Program.exe (file missing)
- Close ALL open windows (especially Internet Explorer!)
- Click Fix Checked
Close HijackThis
_________________________________
Reboot your computer in Safe Mode.
- If the computer is running, shut down Windows, and then turn off the power.
- Wait 30 seconds, and then turn the computer on.
- Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
- Ensure that the Safe Mode option is selected.
- Press Enter. The computer then begins to start in Safe mode.
- Login on your usual account.
_________________________________
Make sure you can view hidden files and folders:
Find and Delete the following in RED, if present:
C:\WINDOWS\system\svchest.exe
C:\Program.exe
_________________________________
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
- Click on Scanner on the toolbar.
- Click on the Settings tab.
- Under How to act?
- Click on Recommended Action and choose Quarantine from the popup menu.
- Under How to scan?
- All checkboxes should be ticked.
- Under Possibly unwanted software:
- All checkboxes should be ticked.
- Under Reports:
- Select Automatically generate report after every scan and uncheck Only if threats were found.
- Under What to scan?
- Select Scan every file.
- Click on the Scan tab.
- Click on Complete System Scan to start the scan process.
- Let the program scan the machine.
- When the scan has finished, follow the instructions below.
- Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
- At the bottom of the window click on the Apply all Actions button. (3)

- When done, click the Save Scan Report button. (4)
- Click the Save Report as button.
- Save the report to your Desktop.
- Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot back into Normal Mode, and post a new HJT log, along with the AVG Anti-Spyware log.
IMPORTANT: Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.
I installed, manually updated, and configured AVG Anti-Spyware as directed.
I created and ran FixServices.bat.
I ran HijackThis, but as neither of the specified O23 entries was present (yay!) I could not fix them.
I shut down my computer. (Before shutting down, it displayed a "Preparing updates for installation..." message.)
I started Windows in Safe Mode.
Neither C:\WINDOWS\System\svchest.exe nor C:\Program.exe was found, so I could not delete them.
I set the settings as directed in AVG Anti-Spyware and initiated a Complete System Scan. TrackingCookies cannot be set to "Quarantine," so were set to "Delete" instead. Actions applied and report saved.
I re-booted in Normal mode.
AVG Anti-Spyware - Scan Report
+ Created at: 9:51:11 PM 12/9/2006
+ Scan result:
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C95FE080-8F5D-11D2-A20B-00AA003C157A} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C95FE080-8F5D-11D2-A20B-00AA003C157A} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-507921405-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C95FE080-8F5D-11D2-A20B-00AA003C157A} -> Adware.Generic : Cleaned with backup (quarantined).
C:\Program Files\NetMeeting\msmsgs -> Backdoor.Hupigon.cpb : Cleaned with backup (quarantined).
C:\!KillBox\autoback\IISActivebox.exe -> Downloader.Banload.ase : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{BD694B9E-6362-4990-89FD-EF4A6BCF77E8}\RP3\A0002035.exe -> Downloader.Banload.ase : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{BD694B9E-6362-4990-89FD-EF4A6BCF77E8}\RP7\A0006193.exe -> Downloader.Banload.ase : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{BD694B9E-6362-4990-89FD-EF4A6BCF77E8}\RP7\A0006197.exe -> Downloader.Banload.ase : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{BD694B9E-6362-4990-89FD-EF4A6BCF77E8}\RP7\A0006221.exe -> Downloader.Banload.ase : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{BD694B9E-6362-4990-89FD-EF4A6BCF77E8}\RP7\A0006226.exe -> Downloader.Banload.ase : Cleaned with backup (quarantined).
C:\WINDOWS\Help\svchost.exe -> Logger.Fearless.20 : Cleaned with backup (quarantined).
C:\WINDOWS\Config\term.exe -> Logger.VB.oh : Cleaned with backup (quarantined).
C:\WINDOWS\system\gm.exe -> Logger.VB.oh : Cleaned with backup (quarantined).
:mozilla.10:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\chjtjust.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.11:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\chjtjust.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.24:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\chjtjust.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.6:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\chjtjust.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.7:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\chjtjust.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.8:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\chjtjust.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.9:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\chjtjust.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Carole\Cookies\carole@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.22:C:\Documents and Settings\Carole\Application Data\Mozilla\Firefox\Profiles\mnlkn7e1.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.
::Report end
Logfile of HijackThis v1.99.1
Scan saved at 9:55:34 PM, on 12/9/2006
Platform: Windows XP SP2, v.2082 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2082)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\CE\nmSvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\idwlog.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\QuickenW\QWDLLS.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\hijackthis\HijackThis.exe
C:\Program Files\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NMSVC] C:\Program Files\CE\nmSvc.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QuickenW\BILLMIND.EXE
O4 - Global Startup: IDW Logging Tool.lnk = C:\WINDOWS\system32\idwlog.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QuickenW\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nmnsp.dll
O10 - Broken Internet access because of LSP provider 'cespy.dll' missing
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
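The helper's HijackThis steps above hinge on two things a reader can check mechanically: which O23/O10 entries deserve attention (an "Unknown owner" service whose binary is "(file missing)" is exactly the pattern the Indexingbox and OESH entries showed), and whether a fix actually removed them from the next log. The following is an added example, not code from this thread or from the HijackThis project; the two sample logs are constructed from lines posted in the thread, and the review heuristics are the ones a helper applies by eye, written down.

```python
"""Added example: parse HijackThis 1.99-style log lines, flag the entry
types a helper reviews first, and diff two logs to confirm what a fix
removed.  Not the thread's own code; the sample logs are constructed
from lines that appear in this thread."""
import re
from dataclasses import dataclass

# Constructed sample: tail of the log posted before the FixServices.bat /
# HijackThis "Fix checked" step.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [NMSVC] C:\Program Files\CE\nmSvc.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nmnsp.dll
O10 - Broken Internet access because of LSP provider 'cespy.dll' missing
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: Indexing Helps (Indexingbox) - Unknown owner - %WINDIR%\system\svchest.exe (file missing)
O23 - Service: OESH (Office Source Engine Help) - Unknown owner - C:\Program.exe (file missing)
"""

# Constructed sample: the same region of the log posted after the fix.
LOG_AFTER = r"""
O4 - HKLM\..\Run: [NMSVC] C:\Program Files\CE\nmSvc.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nmnsp.dll
O10 - Broken Internet access because of LSP provider 'cespy.dll' missing
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
"""

# HJT entries look like "O23 - <body>", "R0 - <body>", "F2 - <body>".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.*)$")


@dataclass
class Entry:
    section: str   # e.g. "O23"
    body: str      # everything after "O23 - "
    line: str      # the original line, used for diffing


def parse_hjt(text: str) -> list:
    """Return the R*/F*/O* entries of a log; header and process lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m.group("section"), m.group("body"), line))
    return entries


def review_reasons(entry: Entry) -> list:
    """Heuristics a helper applies by eye; each reason is a short string."""
    reasons = []
    if entry.section == "O23":
        if "Unknown owner" in entry.body:
            reasons.append("service binary carries no vendor information")
        if "(file missing)" in entry.body:
            reasons.append("service registration points at a file that no longer exists")
    elif entry.section == "O10":
        if entry.body.startswith("Broken Internet access"):
            reasons.append("Winsock LSP chain references a missing provider DLL")
        else:
            reasons.append("non-standard Winsock LSP: confirm the DLL's origin")
    elif "(file missing)" in entry.body:
        reasons.append("autostart entry points at a file that no longer exists")
    return reasons


def flag_entries(entries) -> list:
    """Return (entry, reasons) for every entry that merits a look."""
    flagged = []
    for e in entries:
        reasons = review_reasons(e)
        if reasons:
            flagged.append((e, reasons))
    return flagged


def diff_logs(before: str, after: str):
    """Entries present only before the fix (removed) and only after (added)."""
    b = {e.line for e in parse_hjt(before)}
    a = {e.line for e in parse_hjt(after)}
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for entry, reasons in flag_entries(parse_hjt(LOG_BEFORE)):
        print(entry.line)
        for r in reasons:
            print("    ->", r)
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("\nRemoved by the fix:", *removed, sep="\n  ")
    print("\nNew since the fix:", *added, sep="\n  ")
```

Run against the two logs in this thread, the diff shows the two orphaned O23 services gone and only the newly installed AVG Anti-Spyware Guard service added, which is the evidence the helper is asking for when requesting a fresh log after each step. The O10 lines remain flagged in both logs because nothing in the steps so far touched the Winsock LSP chain.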
I don't see any indication of a Firewall in your HijackThis log. This may be because:
(1.) You are using Windows Firewall or a hardware Firewall.
(2.) You are using a Firewall of an unknown vendor.
(3.) You are using a Firewall, but it is disabled for unknown reasons.
(4.) You don't use any firewall at all.
In the case you don't have a Firewall, please download one from the list below - They are Free!
Zone Alarm << I recommend this
Sunbelt Kerio PF
Outpost Firewall
_____________________________
1. Download this file to your Desktop - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Carole - 06-12-10 0:14:20.50 Service Pack 2, v.2082
ComboFix 06.11.27W - Running from: "C:\Documents and Settings\Carole\Desktop"
((((((((((((((((((((((((((((((( Files Created from 2006-11-10 to 2006-12-10 ))))))))))))))))))))))))))))))))))
2006-12-09 20:43 3,968 --a C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-12-09 07:49 76,560 --a C:\WINDOWS\system32\drivers\tmcomm.sys
2006-12-09 07:20 <DIR> d C:\Documents and Settings\Carole\.housecall6.6
2006-12-06 17:21 <DIR> d C:\WINDOWS\system32\ActiveScan
2006-12-04 12:07 <DIR> d C:\!KillBox
2006-12-02 16:14 <DIR> d C:\Virus
2006-11-30 14:47 <DIR> d C:\Documents and Settings\Carole\Application Data\Talkback
2006-11-30 14:47 <DIR> d C:\Documents and Settings\Carole\Application Data\Mozilla
2006-11-30 14:46 <DIR> d C:\Program Files\Mozilla Firefox
2006-11-23 14:49 <DIR> d C:\WINDOWS\CSC
2006-11-22 18:57 <DIR> d C:\Program Files\Spybot - Search & Destroy
2006-11-22 18:57 <DIR> d C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-11-22 18:30 <DIR> d C:\Program Files\hijackthis
2006-11-20 10:12 <DIR> dr-h C:\$VAULT$.AVG
2006-11-16 21:29 <DIR> d C:\Program Files\Lavasoft
2006-11-16 21:29 <DIR> d C:\Documents and Settings\Carole\Application Data\Lavasoft
2006-11-16 21:23 <DIR> d C:\WINDOWS\Minidump
2006-11-16 21:18 <DIR> d C:\temp
2006-11-14 23:05 98,304 --a C:\WINDOWS\system\cscript.exe
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-12-09 21:54 d C:\Documents and Settings\Carole\Application Data\CE
2006-12-09 20:43 d C:\Program Files\Grisoft
2006-12-09 18:34 d C:\Program Files\NetMeeting
2006-12-09 07:49 d C:\Program Files\Internet Explorer
2006-12-08 23:57 d C:\Program Files\QuickenW
2006-12-08 23:54 d C:\Program Files\Google
2006-12-08 23:53 d C:\Program Files\CE
2006-11-04 15:00 d---s---- C:\Documents and Settings\Carole\Application Data\Microsoft
2006-10-26 11:49 d--h C:\Program Files\InstallShield Installation Information
2006-10-21 18:51 d C:\Documents and Settings\Carole\Application Data\Help
2006-10-21 18:39 d C:\Program Files\KODAK
2006-10-21 18:38 d C:\Program Files\CASIO
2006-10-21 18:37 d C:\Program Files\Common Files\InstallShield
2006-10-21 18:37 d C:\Program Files\Common Files
2006-10-20 17:03 d C:\Documents and Settings\Carole\Application Data\Google
2006-10-14 23:56 d C:\Program Files\Common Files\SpeechEngines
2006-10-14 23:56 d C:\Program Files\Common Files\ODBC
2006-10-14 23:55 62 --ahs---- C:\Documents and Settings\Carole\Application Data\desktop.ini
2006-10-14 20:23 d C:\Documents and Settings\Carole\Application Data\Macromedia
2006-10-14 19:54 d C:\Program Files\Intuit
2006-10-14 19:32 d C:\Program Files\OfficeUpdate11
2006-10-14 19:27 d C:\Program Files\Common Files\Microsoft Shared
2006-10-14 19:06 d C:\Program Files\Microsoft.NET
2006-10-14 19:05 d C:\Program Files\Microsoft Office
2006-10-14 19:05 d C:\Program Files\Microsoft ActiveSync
2006-10-14 19:05 d C:\Program Files\Common Files\System
2006-10-14 19:05 d C:\Program Files\Common Files\DESIGNER
2006-10-14 18:40 778656 --a C:\WINDOWS\system32\drivers\avg7core.sys
2006-10-14 18:38 499712 --a C:\WINDOWS\system32\msvcp71.dll
2006-10-14 18:38 4992 --a C:\WINDOWS\system32\drivers\avgtdi.sys
2006-10-14 18:38 4288 --a C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-10-14 18:38 348160 --a C:\WINDOWS\system32\msvcr71.dll
2006-10-14 18:38 27904 --a C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-10-14 18:38 23424 --a C:\WINDOWS\system32\drivers\avgmfrs.sys
2006-10-14 18:38 d C:\Documents and Settings\Carole\Application Data\AVG7
2006-10-14 16:26 d--h C:\Program Files\Uninstall Information
2006-10-14 16:26 d C:\Documents and Settings\Carole\Application Data\Identities
2006-10-14 16:10 d C:\Program Files\xerox
2006-10-14 16:10 d C:\Program Files\microsoft frontpage
2006-10-14 16:09 0 -rahs---- C:\MSDOS.SYS
2006-10-14 16:09 0 -rahs---- C:\IO.SYS
2006-10-14 16:09 0 --a C:\CONFIG.SYS
2006-10-14 16:09 0 --a C:\AUTOEXEC.BAT
2006-10-14 16:09 d C:\Program Files\Windows Media Player
2006-10-14 16:08 d C:\Program Files\Online Services
2006-10-14 16:07 d C:\Program Files\Outlook Express
2006-10-14 16:07 d C:\Program Files\Movie Maker
2006-10-14 16:07 d C:\Program Files\Common Files\Services
2006-10-14 16:06 d C:\Program Files\Common Files\MSSoap
2006-10-14 16:05 d--h C:\Program Files\WindowsUpdate
2006-10-14 16:05 d C:\Program Files\Messenger
2006-10-14 16:05 d C:\Program Files\ComPlus Applications
2006-10-14 16:04 d C:\Program Files\Windows NT
2006-10-14 16:04 d C:\Program Files\MSN Gaming Zone
2006-10-14 16:03 d C:\Program Files\MSN
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.908.5008\\GoogleToolbarNotifier.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"NMSVC"="C:\\Program Files\\CE\\nmSvc.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"Www.LookSoft.Net.exe"="C:\\WINDOWS\\system32\\Www.LookSoft.Net.exe"
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"Www.LookSoft.Net.exe"="C:\\WINDOWS\\system32\\Www.LookSoft.Net.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
Completion time: 06-12-10 0:14:43.04
C:\ComboFix.txt ... 06-12-10 00:14
Backup Your Registry with ERUNT
http://aumha.org/freeware/freeware.php
Use the setup program to install ERUNT on your computer
Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.
Note: to restore your registry, go to the folder and start ERDNT.exe
______________________________
Open Notepad
Copy and paste the following into Notepad
Note: currentversion has been bolded because the forum software creates a space in the letters which will cause the fix to fail
Go to File > Save as
Save File Name as "fix.reg" (including quotes)
Save it to your Desktop and close Notepad
Double-click on the fix.reg file on your Desktop. Click YES/OK when it asks if you want to merge the info to the registry
Next, find and delete the following file, if present:
C:\WINDOWS\system32\Www.LookSoft.Net.exe
Reboot your computer!
Run ComboFix again and post the new log it will produce, along with a new HijackThis log.
Let me know how things are.
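The fix.reg itself is not reproduced in this thread (only the note that the forum software inserts a space into "currentversion"). As an added example, not the helper's file and not part of the thread, the script below shows how such a removal file can be built directly from the "Reg Loading Points" section of the ComboFix log posted above, which sidesteps the copy-and-paste corruption the helper warns about. The sample section is constructed from the ComboFix output in this thread; the `"name"=-` form is Regedit's own syntax for deleting a value on merge.

```python
"""Added example: read the "Reg Loading Points" section of a ComboFix log
and write a .reg file that removes a chosen autostart value.  Not the
helper's actual fix.reg; the sample section is constructed from the
ComboFix output posted in this thread."""
import re

# Constructed sample: a few of the Reg Loading Points from the first
# ComboFix log, including one multi-line hex: value.
SAMPLE_REG_POINTS = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"Www.LookSoft.Net.exe"="C:\\WINDOWS\\system32\\Www.LookSoft.Net.exe"
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"Www.LookSoft.Net.exe"="C:\\WINDOWS\\system32\\Www.LookSoft.Net.exe"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# A value line is either "Name"=data or @=data (the key's default value).
VALUE_RE = re.compile(r'^(?P<name>@|"[^"]+")=(?P<data>.*)$')


def parse_reg_points(text: str) -> dict:
    """Map each [key] to a dict of value name -> raw data string."""
    sections = {}
    current = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        km = KEY_RE.match(line)
        if km:
            current = km.group("key")
            sections.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            data = vm.group("data")
            # hex: data wraps across lines; each wrapped line ends in a backslash
            while data.endswith("\\") and i < len(lines):
                data = data[:-1] + lines[i].strip()
                i += 1
            name = vm.group("name").strip('"')
            sections[current][name] = data
    return sections


def find_values(sections: dict, needle: str) -> list:
    """(key, name) pairs whose data mentions needle (case-insensitive)."""
    needle = needle.lower()
    return [(k, n) for k, vals in sections.items()
            for n, d in vals.items() if needle in d.lower()]


def build_removal_reg(targets: list) -> str:
    """A .reg file that deletes exactly the named values.  Regedit treats
    "Name"=- as "delete this value"; [-key] would delete a whole key, which
    is deliberately not used here so the Run keys themselves survive."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for key, name in targets:
        out.append(f"[{key}]")
        out.append("@=-" if name == "@" else f'"{name}"=-')
        out.append("")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    sections = parse_reg_points(SAMPLE_REG_POINTS)
    hits = find_values(sections, "Www.LookSoft.Net.exe")
    for key, name in hits:
        print(f"{key}\n    {name}")
    print()
    print(build_removal_reg(hits), end="")
```

Review the printed .reg text before saving and merging it; as the helper says, take an ERUNT backup first, and keep the matched value names as narrow as this one (the AVG7_Run values in the same keys are untouched because their data does not contain the needle).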
Registry backed up with ERUNT.
Fix.reg created and merged into registry.
C:\WINDOWS\system32\Www.LookSoft.Net.exe not found, so not deleted.
Computer rebooted.
Carole - 06-12-10 1:56:36.09 Service Pack 2, v.2082
ComboFix 06.11.27W - Running from: "C:\Documents and Settings\Carole\Desktop"
((((((((((((((((((((((((((((((( Files Created from 2006-11-10 to 2006-12-10 ))))))))))))))))))))))))))))))))))
2006-12-10 01:48 <DIR> d C:\Program Files\ERUNT
2006-12-09 20:43 3,968 --a C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-12-09 07:49 76,560 --a C:\WINDOWS\system32\drivers\tmcomm.sys
2006-12-09 07:20 <DIR> d C:\Documents and Settings\Carole\.housecall6.6
2006-12-06 17:21 <DIR> d C:\WINDOWS\system32\ActiveScan
2006-12-04 12:07 <DIR> d C:\!KillBox
2006-12-02 16:14 <DIR> d C:\Virus
2006-11-30 14:47 <DIR> d C:\Documents and Settings\Carole\Application Data\Talkback
2006-11-30 14:47 <DIR> d C:\Documents and Settings\Carole\Application Data\Mozilla
2006-11-30 14:46 <DIR> d C:\Program Files\Mozilla Firefox
2006-11-23 14:49 <DIR> d C:\WINDOWS\CSC
2006-11-22 18:57 <DIR> d C:\Program Files\Spybot - Search & Destroy
2006-11-22 18:57 <DIR> d C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-11-22 18:30 <DIR> d C:\Program Files\hijackthis
2006-11-20 10:12 <DIR> dr-h C:\$VAULT$.AVG
2006-11-16 21:29 <DIR> d C:\Program Files\Lavasoft
2006-11-16 21:29 <DIR> d C:\Documents and Settings\Carole\Application Data\Lavasoft
2006-11-16 21:23 <DIR> d C:\WINDOWS\Minidump
2006-11-16 21:18 <DIR> d C:\temp
2006-11-14 23:05 98,304 --a C:\WINDOWS\system\cscript.exe
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-12-10 01:55 d C:\Documents and Settings\Carole\Application Data\CE
2006-12-09 20:43 d C:\Program Files\Grisoft
2006-12-09 18:34 d C:\Program Files\NetMeeting
2006-12-09 07:49 d C:\Program Files\Internet Explorer
2006-12-08 23:57 d C:\Program Files\QuickenW
2006-12-08 23:54 d C:\Program Files\Google
2006-12-08 23:53 d C:\Program Files\CE
2006-11-04 15:00 d---s---- C:\Documents and Settings\Carole\Application Data\Microsoft
2006-10-26 11:49 d--h C:\Program Files\InstallShield Installation Information
2006-10-21 18:51 d C:\Documents and Settings\Carole\Application Data\Help
2006-10-21 18:39 d C:\Program Files\KODAK
2006-10-21 18:38 d C:\Program Files\CASIO
2006-10-21 18:37 d C:\Program Files\Common Files\InstallShield
2006-10-21 18:37 d C:\Program Files\Common Files
2006-10-20 17:03 d C:\Documents and Settings\Carole\Application Data\Google
2006-10-14 23:56 d C:\Program Files\Common Files\SpeechEngines
2006-10-14 23:56 d C:\Program Files\Common Files\ODBC
2006-10-14 23:55 62 --ahs---- C:\Documents and Settings\Carole\Application Data\desktop.ini
2006-10-14 20:23 d C:\Documents and Settings\Carole\Application Data\Macromedia
2006-10-14 19:54 d C:\Program Files\Intuit
2006-10-14 19:32 d C:\Program Files\OfficeUpdate11
2006-10-14 19:27 d C:\Program Files\Common Files\Microsoft Shared
2006-10-14 19:06 d C:\Program Files\Microsoft.NET
2006-10-14 19:05 d C:\Program Files\Microsoft Office
2006-10-14 19:05 d C:\Program Files\Microsoft ActiveSync
2006-10-14 19:05 d C:\Program Files\Common Files\System
2006-10-14 19:05 d C:\Program Files\Common Files\DESIGNER
2006-10-14 18:40 778656 --a C:\WINDOWS\system32\drivers\avg7core.sys
2006-10-14 18:38 499712 --a C:\WINDOWS\system32\msvcp71.dll
2006-10-14 18:38 4992 --a C:\WINDOWS\system32\drivers\avgtdi.sys
2006-10-14 18:38 4288 --a C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-10-14 18:38 348160 --a C:\WINDOWS\system32\msvcr71.dll
2006-10-14 18:38 27904 --a C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-10-14 18:38 23424 --a C:\WINDOWS\system32\drivers\avgmfrs.sys
2006-10-14 18:38 d C:\Documents and Settings\Carole\Application Data\AVG7
2006-10-14 16:26 d--h C:\Program Files\Uninstall Information
2006-10-14 16:26 d C:\Documents and Settings\Carole\Application Data\Identities
2006-10-14 16:10 d C:\Program Files\xerox
2006-10-14 16:10 d C:\Program Files\microsoft frontpage
2006-10-14 16:09 0 -rahs---- C:\MSDOS.SYS
2006-10-14 16:09 0 -rahs---- C:\IO.SYS
2006-10-14 16:09 0 --a C:\CONFIG.SYS
2006-10-14 16:09 0 --a C:\AUTOEXEC.BAT
2006-10-14 16:09 d C:\Program Files\Windows Media Player
2006-10-14 16:08 d C:\Program Files\Online Services
2006-10-14 16:07 d C:\Program Files\Outlook Express
2006-10-14 16:07 d C:\Program Files\Movie Maker
2006-10-14 16:07 d C:\Program Files\Common Files\Services
2006-10-14 16:06 d C:\Program Files\Common Files\MSSoap
2006-10-14 16:05 d--h C:\Program Files\WindowsUpdate
2006-10-14 16:05 d C:\Program Files\Messenger
2006-10-14 16:05 d C:\Program Files\ComPlus Applications
2006-10-14 16:04 d C:\Program Files\Windows NT
2006-10-14 16:04 d C:\Program Files\MSN Gaming Zone
2006-10-14 16:03 d C:\Program Files\MSN
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.908.5008\\GoogleToolbarNotifier.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"NMSVC"="C:\\Program Files\\CE\\nmSvc.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
Completion time: 06-12-10 1:57:01.31
C:\ComboFix.txt ... 06-12-10 01:57
C:\ComboFix2.txt ... 06-12-10 00:14
Logfile of HijackThis v1.99.1
Scan saved at 1:57:49 AM, on 12/10/2006
Platform: Windows XP SP2, v.2082 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2082)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\CE\nmSvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\idwlog.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\QuickenW\QWDLLS.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NMSVC] C:\Program Files\CE\nmSvc.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QuickenW\BILLMIND.EXE
O4 - Global Startup: IDW Logging Tool.lnk = C:\WINDOWS\system32\idwlog.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QuickenW\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nmnsp.dll
O10 - Broken Internet access because of LSP provider 'cespy.dll' missing
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
Let me know if we can mark this resolved.
This topic is now closed. If you wish it reopened, please send a Private Message (PM) to one of the Spyware Mods with a link to your thread.
Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required.
If you are not the user who started this thread, you must start a new Thread instead
Would you also be interested to join Short-Media (Team #93) with the Folding@Home Project? More information available at this link:
http://www.short-media.com/forum/showthread.php?t=29803