Here is when it happens and what happens. Every time I open IE7, or I open a new tab in IE7, or at a random time interval with IE7 open, a new IE7 window opens. I have noticed that there is and pattern to the web sites.
I have Free AVG Anti-virus and Free AVG Anti-Spyware installed and running. I also ran the AVG-Rootkit. All three installed after getting whatever I got. I have run all three programs until they come back clean with no change in IE7.
I have also run Kaspersky online scanner and removed a bunch of files tagged as infected.
I also created a new user to verify that it was not a corrupt user profile. It is not, both profiles have the same issue.
I followed the 5 steps and here is the log file from Deckard’s System Scan. Plus I have the Panda scan file if needed.
I would like to thank you in advance for your help and your time. It is greatly appreciated.
Thanks, again.
Boyster70
Deckard's System Scanner v20071014.68
Run by Titan on 2007-12-02 01:29:55
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
Successfully created a Deckard's System Scanner Restore Point.
-- Last 5 Restore Point(s) --
36: 2007-12-02 09:30:06 UTC - RP94 - Deckard's System Scanner Restore Point
35: 2007-12-02 09:25:23 UTC - RP93 - Software Distribution Service 3.0
34: 2007-12-02 08:19:17 UTC - RP92 - Software Distribution Service 3.0
33: 2007-12-02 07:52:37 UTC - RP91 - Software Distribution Service 3.0
32: 2007-12-01 23:48:15 UTC - RP90 - System Checkpoint
-- First Restore Point --
1: 2007-09-05 18:24:49 UTC - RP59 - System Checkpoint
Backed up registry hives.
Performed disk cleanup.
Total Physical Memory: 256 MiB (512 MiB recommended).
-- HijackThis (run as Titan.exe) -----------------------------------------------
Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------
Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2007-12-02 01:30:56
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\explorer.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\my computer friend\dss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1196580840671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1196580812340
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgemc.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\nyufinfh.exe /service
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 6017 bytes
-- HijackThis Fixed Entries (C:\DOCUME~1\Titan\MYDOCU~1\backups\) --------------
backup-20070715-161046-100 O2 - BHO: (no name) - {C595E361-ACB1-403B-911E-165DC0D2232A} - C:\WINDOWS\system32\geefd.dll (file missing)
backup-20070715-161046-142 O2 - BHO: (no name) - {DCD53738-C4F9-414A-A03C-C7405A4AC844} - C:\WINDOWS\system32\byxxywu.dll
backup-20070715-161046-491 O2 - BHO: (no name) - {E47B3B73-98AE-4AF2-AAB6-7C5DBF88F5AE} - C:\Program Files\NetMeeting\mezojekis83122.dll
backup-20070715-161047-282 O20 - Winlogon Notify: byxxywu - C:\WINDOWS\SYSTEM32\byxxywu.dll
backup-20070715-161047-306 O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
backup-20070715-161047-457 O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\twinrndt.exe
backup-20070715-161052-187 O20 - Winlogon Notify: geefd - C:\WINDOWS\system32\geefd.dll (file missing)
backup-20070715-161055-701 O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\nfnpakc.exe (file missing)
backup-20070715-162252-210 O20 - Winlogon Notify: byxxywu - C:\WINDOWS\SYSTEM32\byxxywu.dll
backup-20070715-162252-221 O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\twinrndt.exe SKY009
backup-20070715-162252-396 O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\twinrndt.exe
backup-20070715-162252-865 O2 - BHO: (no name) - {DCD53738-C4F9-414A-A03C-C7405A4AC844} - C:\WINDOWS\system32\byxxywu.dll
backup-20071201-161230-114 O2 - BHO: (no name) - {CCB789C3-2FDF-415F-9827-17D55A1B8714} - C:\WINDOWS\system32\pmnkk.dll (file missing)
backup-20071201-161230-324 O2 - BHO: (no name) - {DCD53738-C4F9-414A-A03C-C7405A4AC844} - C:\WINDOWS\system32\byxxywu.dll (file missing)
backup-20071201-161230-334 O2 - BHO: (no name) - {9C405BD7-2FD7-4CA6-B732-53774D045530} - C:\WINDOWS\system32\khffc.dll (file missing)
backup-20071201-161230-474 O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
backup-20071201-161230-509 O2 - BHO: 0 - {CFAEF611-3B70-41B3-5AB4-7060AF691B05} - C:\Program Files\Internet Explorer\qulac236.dll (file missing)
backup-20071201-161230-824 O2 - BHO: (no name) - {3CB3E5E7-92A9-4764-BCA0-9F726F1ED17E} - C:\WINDOWS\system32\yabbb.dll (file missing)
backup-20071201-161231-785 O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
backup-20071201-161232-569 O20 - Winlogon Notify: pmnkk - C:\WINDOWS\system32\pmnkk.dll (file missing)
backup-20071201-161232-762 O20 - Winlogon Notify: yabbb - C:\WINDOWS\system32\yabbb.dll (file missing)
backup-20071201-161232-808 O20 - Winlogon Notify: khffc - C:\WINDOWS\system32\khffc.dll (file missing)
backup-20071201-161232-904 O20 - Winlogon Notify: byxxywu - byxxywu.dll (file missing)
backup-20071201-161355-174 O2 - BHO: {75a062a6-181f-24b8-8474-897170201fb0} - {0bf10207-1798-4748-8b42-f1816a260a57} - C:\WINDOWS\system32\ihjssobs.dll (file missing)
backup-20071201-190858-183 O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
backup-20071201-190859-793 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
-- File Associations -----------------------------------------------------------
All associations okay.
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R1 core - c:\windows\system32\drivers\core.sys
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.4.5.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.4.5.0>
S3 Ad-Watch Connect Filter (Ad-Watch Connect Kernel Filter) - c:\windows\system32\drivers\nsdriver.sys (file missing)
S3 Ad-Watch Real-Time Scanner (AW Real-Time Scanner) - c:\windows\system32\drivers\awrtpd.sys (file missing)
S3 Ad-Watch Registry Filter (Ad-Watch Registry Kernel Filter) - c:\windows\system32\drivers\awrtrd.sys (file missing)
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
S4 DomainService - c:\windows\system32\nyufinfh.exe /service (file missing)
-- Device Manager: Disabled ----------------------------------------------------
No disabled devices found.
-- Files created between 2007-11-02 and 2007-12-02 -----------------------------
2007-12-02 01:25:42 0 d-------- C:\Program Files\CONEXANT
2007-12-02 01:25:38 0 d-------- C:\WINDOWS\LastGood
2007-12-02 00:26:41 0 d-------- C:\Program Files\MSXML 6.0
2007-12-01 23:35:23 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-12-01 23:29:36 0 d-------- C:\ie-spyad_zo
2007-12-01 22:16:21 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-12-01 20:04:17 0 d-------- C:\Documents and Settings\Titan\Application Data\Grisoft
2007-11-28 06:38:11 0 dr-h----- C:\$VAULT$.AVG
2007-11-27 23:37:15 0 d-------- C:\Documents and Settings\Titan\Application Data\AVG7
2007-11-27 23:36:26 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-27 23:34:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-27 23:34:57 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-11-27 23:30:10 0 d-------- C:\my computer friend
2007-11-27 21:20:49 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-27 21:20:41 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-20 23:59:29 0 d-------- C:\Program Files\Temporary
2007-11-20 23:46:43 147456 --a------ C:\WINDOWS\system32\vbzip10.dll <Not Verified; Info-ZIP; Info-ZIP's WiZ>
2007-11-20 23:41:24 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-20 23:26:18 0 d-------- C:\Documents and Settings\Titan\Incomplete
2007-11-20 23:24:23 0 d-------- C:\Documents and Settings\Titan\Application Data\LimeWire
2007-11-20 23:23:18 0 d-------- C:\Program Files\LimeWire
2007-11-20 17:43:03 164 --a------ C:\install.dat
2007-11-14 15:03:06 442685 ---hs---- C:\WINDOWS\system32\kknmp.ini2
-- Find3M Report ---------------------------------------------------------------
2007-12-01 22:54:23 0 d-------- C:\Program Files\Messenger
2007-12-01 22:53:20 0 d-------- C:\Program Files\iTunes
2007-12-01 13:08:12 0 d-------- C:\Program Files\Windows Media Connect 2
2007-11-30 05:59:36 8313 --a------ C:\WINDOWS\system32\nvModes.dat
2007-11-29 10:16:25 0 d-------- C:\Program Files\ISM
2007-11-28 07:04:10 0 d-------- C:\Program Files\Common Files
2007-11-27 23:25:01 440688 --ahs---- C:\WINDOWS\system32\kknmp.bak2
2007-11-21 14:29:09 440679 --ahs---- C:\WINDOWS\system32\kknmp.bak1
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [06/29/2007 05:24 AM]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [06/24/2003 04:32 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [09/26/2007 01:42 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [11/27/2007 11:35 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 01:25 AM]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/03/2004 11:56 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 08:24 AM]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2/19/2006 3:21:22 AM]
NETGEAR WG111v2 Smart Wizard.lnk - C:\Program Files\NETGEAR\WG111v2\WG111v2.exe [5/17/2006 3:05:52 PM]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ZuneNetworkSvc"=2 (0x2)
"WebClient"=2 (0x2)
"DomainService"=2 (0x2)
"CryptSvc"=3 (0x3)
*Newly Created Service* - MDMXSDK
-- End of Deckard's System Scanner: finished at 2007-12-02 01:32:34 ------------