Resolved HJT Threads Resolved spyware and popup issues.
04-04-2007, 12:20 AM   #121
Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team)
Join Date: Jan 2005 | Location: Ohio | Posts: 26,836 | OS: WinXP and Vista


Re: MS Windows XP will not load when connected to internet

If you find that snm.exe--don't delete it just yet. I'd like to upload it for review.

Also, take a look in that i folder. Are the contents the same as before?

Quote:
open 130.13.166.123 27067
user 1 1
get setup_01505.exe
quit
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

04-04-2007, 12:25 AM   #122
Ried

We cross-posted.

Ignore my remark about snm.exe since it's not there. What about the i folder in C:\Windows\System32...is it still there and what are its contents?
04-04-2007, 08:12 AM   #123
cul8rman (Registered User)
Join Date: Aug 2006 | Location: Arizona | Posts: 134 | OS: XP

I tried to open the i file using notepad last night and my system was locking up when I used the dropdown to get to the C: drive header. I ran out of time and will post it tonight so you can see exactly what is in it. I also had trouble with IE not opening but figured that can be fixed once the other issues are eliminated.
04-04-2007, 07:02 PM   #124
cul8rman

It is there, but not the same:

open 130.13.213.0 14961
user 1 1
get setup_66337.exe
quit

I also found 5 files of setup_#####.exe that were just recently created. The only thing I think I ran the past two days was IE and HJT. Is it possible that the bug is in one of these files? Is there something out there that can log everything the system does from start up to a given point?

I tried running HJT and opening IE and there are no additional set up files.
04-04-2007, 07:17 PM   #125
Ried

Hi,

No, it's not the tools. What those contents are saying is that every time you get online, it calls to that IP--and that is where those setup_*** files are coming from. As quickly as we delete that folder, it's put back on your system. We need to find what is placing that folder there.

The odd part of all this is that the IP resolves to your IP, Qwest. Qwest is quite a reliable IP so it doesn't make sense. I have a couple of theories, so I'd like to rule one of them out.

Please download and run FindAWF

When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt here.
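Ried's explanation above (the i file is an ftp.exe command script, the kind `ftp -s:<file>` consumes, that logs in to a bare IP and fetches a setup_NNNNN.exe each time the machine goes online) can be turned into a triage check. The Python below is an added example, not code from the thread or from any tool named in it: it parses the script contents exactly as posted, lists the traits that mark it as an automated downloader, and correlates it with recently created setup_NNNNN.exe files. The System32 directory listing and its timestamps are constructed sample data.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Contents of the "i" file as posted in the thread (ftp.exe command-script format).
SAMPLE_I_FILE = """open 130.13.213.0 14961
user 1 1
get setup_66337.exe
quit
"""

# Constructed listing of C:\Windows\System32 (file name -> creation time),
# standing in for the "5 files of setup_#####.exe" the poster found.
NOW = datetime(2007, 4, 4, 19, 0)
SAMPLE_LISTING: Dict[str, datetime] = {
    "setup_66337.exe": NOW - timedelta(hours=1),
    "setup_01505.exe": NOW - timedelta(days=1),
    "setup_43110.exe": NOW - timedelta(days=10),
    "notepad.exe": datetime(2002, 8, 29),
    "i": NOW - timedelta(hours=1),
}


@dataclass
class FtpScript:
    host: Optional[str] = None
    port: int = 21                     # ftp.exe defaults to 21 when "open" gives no port
    username: Optional[str] = None
    password: Optional[str] = None
    downloads: List[str] = field(default_factory=list)


def parse_ftp_script(text: str) -> FtpScript:
    """Extract host, port, credentials and fetched file names from an ftp.exe script."""
    script = FtpScript()
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts:
            continue
        cmd, args = parts[0].lower(), parts[1:]
        if cmd == "open" and args:
            script.host = args[0]
            if len(args) > 1 and args[1].isdigit():
                script.port = int(args[1])
        elif cmd == "user" and args:
            script.username = args[0]
            script.password = args[1] if len(args) > 1 else None
        elif cmd in ("get", "recv", "mget") and args:
            script.downloads.extend(args)
    return script


DROPPER_NAME = re.compile(r"^setup_\d{5}\.exe$", re.IGNORECASE)
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def downloader_indicators(script: FtpScript) -> List[str]:
    """Return the traits that make the script look like an automated payload fetch."""
    reasons = []
    if script.host and IPV4.match(script.host):
        reasons.append("connects to a bare IP address rather than a host name")
    if script.port != 21:
        reasons.append(f"uses non-standard FTP port {script.port}")
    if script.username and script.username == script.password:
        reasons.append("throwaway credentials (username equals password)")
    if any(DROPPER_NAME.match(name) for name in script.downloads):
        reasons.append("fetches a setup_NNNNN.exe payload")
    return reasons


def recent_payloads(listing: Dict[str, datetime], now: datetime, hours: int = 48) -> List[str]:
    """setup_NNNNN.exe files created inside the window, newest first."""
    cutoff = now - timedelta(hours=hours)
    hits = [n for n, created in listing.items() if DROPPER_NAME.match(n) and created >= cutoff]
    return sorted(hits, key=lambda n: listing[n], reverse=True)


if __name__ == "__main__":
    parsed = parse_ftp_script(SAMPLE_I_FILE)
    print(f"{parsed.host}:{parsed.port} as {parsed.username} -> {parsed.downloads}")
    for reason in downloader_indicators(parsed):
        print(" -", reason)
    print("recently created payloads:", recent_payloads(SAMPLE_LISTING, NOW))
```

Pointing the same parser at each new copy of the i file shows whether the host, port and target name rotate between runs, which is the pattern the two posted copies already suggest.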
04-04-2007, 08:20 PM   #126
cul8rman

Theory 1 does not look promising - unless no news is good news.

Find AWF report by noahdfear ©2006


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report


Done.
04-04-2007, 08:24 PM   #127
Ried

In this case, I was hoping to see something there. Please give me some time to consult with my colleagues on this. I'll reply as soon as possible.
04-04-2007, 08:27 PM   #128
Ried

One other thing... please run a scan on Molly's account with SREng and dss.exe once again. Post those logs here.
04-04-2007, 10:03 PM   #129
cul8rman

SREng log

Code:
2007-04-04,19:57:46

System Repair Engineer 2.4.12.806
Smallfrogs (http://www.KZTechs.com)

Windows XP Home Edition Service Pack 1 (Build 2600) - Administrative User - Completed Functions Allowed

Follow item(s) have been choosed:
    All Boot Items (Including Registry, Startup Folders, Services and so on)
    Browser Add-ons
    Runing Processes (Including process model information)
    File Associations
    Winsock Provider
    Autorun.Inf
    HOSTS File


Boot Items
Registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <MSMSGS><"C:\Program Files\Messenger\msmsgs.exe" /background>  [(Verified)Microsoft Corporation]
    <Microsoft Works Update Detection><c:\Program Files\Microsoft Works\WkDetect.exe>  [Microsoft® Corporation]
    <swg><C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe>  [(Verified)Google Inc]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <TkBellExe><"C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot>  [N/A]
    <SSC_UserPrompt><C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe>  [(Verified)Symantec Corporation]
    <Ulead AutoDetector><C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe>  [Ulead Systems, Inc.]
    <HPDJ Taskbar Utility><C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe>  [(Verified)Microsoft Windows Hardware Compatibility Publisher]
    <HP Component Manager><"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe">  [Hewlett-Packard Company]
    <HP Software Update><"C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe">  [Hewlett-Packard Company]
    <QuickTime Task><"C:\Program Files\QuickTime\qttask.exe" -atboottime>  [N/A]
    <Picasa Media Detector><C:\Program Files\Picasa2\PicasaMediaDetector.exe>  [Google Inc.]
    <iTunesHelper><"C:\Program Files\iTunes\iTunesHelper.exe">  [Apple Computer, Inc.]
    <AVG7_CC><C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP>  [GRISOFT, s.r.o.]
    <OFFICEKB><C:\Program Files\Micro Innovations\Keyboard\kbdap32a.EXE>  []
    <FLMOFFICE4DMOUSE><C:\Program Files\Micro Innovations\Mouse\mouse32a.exe>  []
    <PC Pitstop Optimize Scheduler><C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot>  [(Verified)P.C. Pitstop LLC]
    <SunJavaUpdateSched><"C:\Program Files\Java\jre1.6.0\bin\jusched.exe">  [Sun Microsystems, Inc.]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  [(Verified)Microsoft Windows XP Publisher]
    <Userinit><C:\WINDOWS\system32\userinit.exe,>  [(Verified)Microsoft Windows XP Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <UIHost><logonui.exe>  [(Verified)Microsoft Windows XP Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    <{57B86673-276A-48B2-BAE7-C6DBB3020EB8}><C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll>  [Anti-Malware Development a.s.]

==================================
Startup Folders
[Adobe Reader Speed Launch]
  <C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk --> C:\PROGRA~1\Adobe\ACROBA~2.0\Reader\READER~1.EXE [Adobe Systems Incorporated]><N>
[BigFix]
  <C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk --> C:\PROGRA~1\BigFix\BigFix.exe [BigFix Inc.]><N>
[Ulead Photo Express 4.0 SE Calendar Checker ]
  <C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Ulead Photo Express 4.0 SE Calendar Checker .lnk --> C:\PROGRA~1\ULEADS~1\ULEADP~1.0SE\CalCheck.exe [Ulead Systems, Inc.]><N>

==================================
Services
[Application Management / AppMgmt][Stopped/Manual Start]
  <C:\WINDOWS\system32\svchost.exe -k netsvcs-->%SystemRoot%\System32\appmgmts.dll><N/A>
[AVG Anti-Spyware Guard / AVG Anti-Spyware Guard][Running/Auto Start]
  <C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe><Anti-Malware Development a.s.>
[AVG7 Alert Manager Server / Avg7Alrt][Running/Auto Start]
  <C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe><GRISOFT, s.r.o.>
[AVG7 Update Service / Avg7UpdSvc][Running/Auto Start]
  <C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe><GRISOFT, s.r.o.>
[AVG E-mail Scanner / AVGEMS][Running/Auto Start]
  <C:\PROGRA~1\Grisoft\AVG7\avgemc.exe><GRISOFT, s.r.o.>
[Google Updater Service / gusvc][Stopped/Manual Start]
  <"C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"><Google>
[Human Interface Device Access / HidServ][Stopped/Disabled]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[InstallDriver Table Manager / IDriverT][Stopped/Manual Start]
  <"C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"><Macrovision Corporation>
[iPodService / iPodService][Running/Manual Start]
  <C:\Program Files\iPod\bin\iPodService.exe><Apple Computer, Inc.>
[SymWMI Service / SymWSC][Stopped/Auto Start]
  <"C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe"><Symantec Corporation>
[WAN Miniport (ATW) Service / WANMiniportService][Running/Auto Start]
  <"C:\WINDOWS\wanmpsvc.exe"><America Online, Inc.>

==================================
Drivers
[Service for Realtek AC97 Audio (WDM) / ALCXWDM][Running/Manual Start]
  <system32\drivers\ALCXWDM.SYS><Realtek Semiconductor Corp.>
[AVG Anti-Spyware Driver / AVG Anti-Spyware Driver][Running/System Start]
  <\??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys><N/A>
[AVG7 Kernel / Avg7Core][Running/System Start]
  <\SystemRoot\System32\Drivers\avg7core.sys><GRISOFT, s.r.o.>
[AVG7 Wrap Driver / Avg7RsW][Running/System Start]
  <\SystemRoot\System32\Drivers\avg7rsw.sys><GRISOFT, s.r.o.>
[AVG7 Resident Driver XP / Avg7RsXP][Running/System Start]
  <\SystemRoot\System32\Drivers\avg7rsxp.sys><GRISOFT, s.r.o.>
[AVG Anti-Spyware Clean Driver / AvgAsCln][Running/System Start]
  <System32\DRIVERS\AvgAsCln.sys><GRISOFT, s.r.o.>
[AVG7 Clean Driver / AvgClean][Running/System Start]
  <\SystemRoot\System32\Drivers\avgclean.sys><GRISOFT, s.r.o.>
[AVG Network Redirector / AvgTdi][Running/Auto Start]
  <\SystemRoot\System32\Drivers\avgtdi.sys><GRISOFT, s.r.o.>
[Belarc SMBios Access / BANTExt][Running/System Start]
  <\SystemRoot\System32\Drivers\BANTExt.sys><N/A>
[DV 4100M(Video) / Ca536av][Stopped/Auto Start]
  <System32\Drivers\Ca536av.sys><Digital Camera>
[Agfa ePhoto CL18 Camera Stream Driver / DILUSBCamera][Stopped/Auto Start]
  <System32\DRIVERS\stream18.sys><Sound Vision Inc.>
[drvmcdb / drvmcdb][Running/Boot Start]
  <\SystemRoot\System32\DRIVERS\drvmcdb.sys><Sonic Solutions>
[GEARAspiWDM / GEARAspiWDM][Running/Manual Start]
  <System32\Drivers\GEARAspiWDM.sys><GEAR Software Inc.>
[gmer / gmer][Stopped/Manual Start]
  <System32\DRIVERS\gmer.sys><GMER>
[HSFHWBS2 / HSFHWBS2][Running/Manual Start]
  <System32\DRIVERS\HSFHWBS2.sys><Conexant Systems>
[HSF_DP / HSF_DP][Running/Manual Start]
  <System32\DRIVERS\HSF_DP.sys><Conexant Systems>
[ialm / ialm][Running/Manual Start]
  <System32\DRIVERS\ialmnt5.sys><Intel Corporation>
[mdmxsdk / mdmxsdk][Running/Auto Start]
  <System32\DRIVERS\mdmxsdk.sys><Conexant>
[VSO Software pcouffin / pcouffin][Running/Manual Start]
  <System32\Drivers\pcouffin.sys><VSO Software>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
  <System32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[PxHelp20 / PxHelp20][Running/Boot Start]
  <\SystemRoot\System32\Drivers\PxHelp20.sys><Sonic Solutions>
[Realtek RTL8139/810X Family PCI Fast Ethernet NIC NT Driver / rtl8139][Running/Manual Start]
  <System32\DRIVERS\RTL8139.SYS><Realtek Semiconductor Corporation>
[Secdrv / Secdrv][Running/Auto Start]
  <System32\DRIVERS\secdrv.sys><N/A>
[DV 4100M(Still) / USBCamera][Stopped/Manual Start]
  <System32\Drivers\Bulk536.sys><USB BULK>
[WAN Miniport (ATW) / wanatw][Running/Manual Start]
  <System32\DRIVERS\wanatw4.sys><America Online, Inc.>
[winachsf / winachsf][Running/Manual Start]
  <System32\DRIVERS\HSF_CNXT.sys><Conexant Systems>
[World Standard Teletext Codec / WSTCODEC][Stopped/Manual Start]
  <System32\DRIVERS\WSTCODEC.SYS><Microsoft Corporation>
[Intel(R) Graphics Platform (SoftBIOS) Driver / {6080A529-897E-4629-A488-ABA0C29B635E}][Running/Manual Start]
  <system32\drivers\ialmsbw.sys><Intel Corporation>
[Intel(R) Graphics Chipset (KCH) Driver / {D31A0762-0CEB-444e-ACFF-B049A1F6FE91}][Running/Manual Start]
  <system32\drivers\ialmkchw.sys><Intel Corporation>

==================================
Browser Add-ons
[Yahoo! Companion BHO]
  {02478D38-C3F9-4efb-9B51-7695ECA05670} <C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_16_0.dll, Yahoo! Inc.>
[Adobe PDF Reader Link Helper]
  {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} <C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll, Adobe Systems Incorporated>
[]
  {243B17DE-77C7-46BF-B94B-0B5F309A0E64} <C:\Program Files\Microsoft Money\System\mnyside.dll, Microsoft Corporation>
[]
  {53707962-6F74-2D53-2644-206D7942484F} <C:\PROGRA~1\SPYBOT~1\SDHelper.dll, Safer Networking Limited>
[SSVHelper Class]
  {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} <C:\Program Files\Java\jre1.6.0\bin\ssv.dll, Sun Microsystems, Inc.>
[Google Toolbar Helper]
  {AA58ED58-01DD-4d91-8333-CF10577473F7} <c:\program files\google\googletoolbar3.dll, Google Inc.>
[EpsonToolBandKicker Class]
  {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} <C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll, SEIKO EPSON CORPORATION>
[Java Plug-in 1.6.0]
  {08B0E5C0-4FCB-11CF-AAA5-00401C608501} <C:\Program Files\Java\jre1.6.0\bin\ssv.dll, Sun Microsystems, Inc.>
[ICQ]
  {6224f700-cba3-4071-b251-47cb894244cd} <C:\Program Files\ICQ\ICQ.exe, >
[Real.com]
  {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} <C:\WINDOWS\System32\Shdocvw.dll, Microsoft Corporation>
[]
  {E023F504-0C5A-4750-A1E7-A9046DEA8A21} <C:\Program Files\Microsoft Money\System\mnyside.dll, Microsoft Corporation>
[Messenger]
  {FB5F1910-F110-11d2-BB9E-00C04F795683} <C:\Program Files\Messenger\MSMSGS.EXE, Microsoft Corporation>
[EPSON Web-To-Page]
  {EE5D279F-081B-4404-994D-C6B60AAEBA6D} <C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll, SEIKO EPSON CORPORATION>
[Yahoo! Companion]
  {EF99BD32-C1FB-11D2-892F-0090271D4F88} <C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_16_0.dll, Yahoo! Inc.>
[&Radio]
  {8E718888-423F-11D2-876E-00A0C9082467} <C:\WINDOWS\System32\msdxm.ocx, >
[&Google]
  {2318C2B1-4965-11d4-9B18-009027A5CD4F} <c:\program files\google\googletoolbar3.dll, Google Inc.>
[Support.com Configuration Class]
  {01113300-3E00-11D2-8470-0060089874ED} <C:\WINDOWS\Downloaded Program Files\tgctlcm.dll, N/A>
[QuickTime Object]
  {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} <C:\Program Files\QuickTime\QTPlugin.ocx, Apple Computer, Inc.>
[CKAVWebScan Object]
  {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} <C:\WINDOWS\System32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll, Kaspersky Lab>
[iPIX ActiveX Control]
  {11260943-421B-11D0-8EAC-0000C07D88CF} <C:\WINDOWS\DOWNLO~1\ipixx.ocx, N/A>
[Shockwave ActiveX Control]
  {166B1BCA-3F9C-11CF-8075-444553540000} <C:\WINDOWS\system32\Macromed\Director\SwDir.dll, Macromedia, Inc.>
[SurferNETWORK Plugin]
  {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} <C:\WINDOWS\DOWNLO~1\SURFER~1.OCX, N/A>
[Autodesk MapGuide ActiveX Control]
  {62789780-B744-11D0-986B-00609731A21D} <C:\WINDOWS\Downloaded Program Files\MgAxCtrl.dll, N/A>
[Maid Control]
  {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} <C:\WINDOWS\DOWNLO~1\CMAIDCTL.OCX, N/A>
[Java Plug-in 1.6.0]
  {8AD9C840-044E-11D1-B3E9-00805F499D93} <C:\Program Files\Java\jre1.6.0\bin\ssv.dll, Sun Microsystems, Inc.>
[ActiveScan Installer Class]
  {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} <C:\WINDOWS\Downloaded Program Files\asinst.dll, N/A>
[Java Plug-in 1.6.0]
  {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} <C:\Program Files\Java\jre1.6.0\bin\ssv.dll, Sun Microsystems, Inc.>
[Java Plug-in 1.6.0]
  {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} <C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll, Sun Microsystems, Inc.>
[Live365Player Class]
  {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} <C:\WINDOWS\Downloaded Program Files\Play365.dll, N/A>
[Shockwave Flash Object]
  {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\System32\Macromed\Flash\Flash8.ocx, Macromedia, Inc.>
[TikGames Online Control]
  {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} <C:\WINDOWS\Downloaded Program Files\gpcontrol.dll, N/A>
[PopCapLoader Object]
  {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} <C:\WINDOWS\Downloaded Program Files\popcaploader.dll, N/A>
[&Google Search]
  <res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html, N/A>
[&Translate English Word]
  <res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html, N/A>
[Backward Links]
  <res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html, N/A>
[Cached Snapshot of Page]
  <res://c:\program files\google\GoogleToolbar1.dll/cmcache.html, N/A>
[Similar Pages]
  <res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html, N/A>
[Translate Page into English]
  <res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html, N/A>

==================================
Running Processes
[PID: 416][\SystemRoot\System32\smss.exe]  [Microsoft Corporation, 5.1.2600.1106 (xpsp1.020828-1920)]
[PID: 472][\??\C:\WINDOWS\system32\csrss.exe]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 1248][C:\WINDOWS\Explorer.EXE]  [Microsoft Corporation, 6.00.2800.1106 (xpsp1.020828-1920)]
    [C:\Program Files\Micro Innovations\Mouse\MOUDL32A.DLL]  [, 4, 0, 0, 0]
    [C:\Program Files\Micro Innovations\Keyboard\KBDDL32A.DLL]  [, 4, 0, 0, 0]
    [C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll]  [Anti-Malware Development a.s., 7, 5, 0, 47]
    [C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll]  [Adobe Systems, Inc., 7.0.0.0]
[PID: 1532][C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe]  [Ulead Systems, Inc., 8.0.0.0]
    [C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\u32Comm.dll]  [Ulead Systems, Inc., 8.0.0.0]
[PID: 1552][C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe]  [HP, 2.323.0.0]
    [C:\WINDOWS\System32\spool\drivers\w32x86\3\HPZR3210.dll]  [HP, 2.323.0.0]
[PID: 1576][C:\Program Files\HP\hpcoretech\hpcmpmgr.exe]  [Hewlett-Packard Company, 2.1.1.0]
    [C:\Program Files\HP\hpcoretech\HPVCR70.dll]  [Microsoft Corporation, 7.00.9466.0]
    [C:\WINDOWS\System32\MSXML4.dll]  [Microsoft Corporation, 4.10.9404.0]
[PID: 1520][C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe]  [Hewlett-Packard Company, 3, 0, 38, 1]
[PID: 1852][C:\Program Files\Picasa2\PicasaMediaDetector.exe]  [Google Inc., 2.1.0]
[PID: 1860][C:\Program Files\iTunes\iTunesHelper.exe]  [Apple Computer, Inc., 6.0.1.3]
    [C:\Program Files\iTunes\iTunesHelper.Resources\en.lproj\iTunesHelperLocalized.DLL]  [Apple Computer, Inc., 6.0.1.3]
    [C:\Program Files\iTunes\iTunesHelper.Resources\iTunesHelper.DLL]  [Apple Computer, Inc., 6.0.1.3]
[PID: 1028][C:\PROGRA~1\Grisoft\AVG7\avgcc.exe]  [GRISOFT, s.r.o., 7.5.0.438]
    [C:\PROGRA~1\Grisoft\AVG7\AvgTMgr.dll]  [GRISOFT, s.r.o., 7.5.0.430]
    [C:\PROGRA~1\Grisoft\AVG7\AvgCtrl.dll]  [GRISOFT, s.r.o., 7.5.0.429]
    [C:\WINDOWS\System32\MFC71.DLL]  [Microsoft Corporation, 7.10.3077.0]
    [C:\WINDOWS\System32\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
    [C:\WINDOWS\System32\MSVCP71.dll]  [Microsoft Corporation, 7.10.3077.0]
    [C:\PROGRA~1\Grisoft\AVG7\AvgAbout.dll]  [GRISOFT, s.r.o., 7.5.0.434]
    [C:\PROGRA~1\Grisoft\AVG7\AvgTest.dll]  [GRISOFT, s.r.o., 7.5.0.443]
    [C:\PROGRA~1\Grisoft\AVG7\AvgTRes.dll]  [GRISOFT, s.r.o., 7.5.0.437]
    [C:\PROGRA~1\Grisoft\AVG7\AvgSet.dll]  [, ]
    [C:\PROGRA~1\Grisoft\AVG7\avglog.dll]  [GRISOFT, s.r.o., 7.5.0.429]
    [C:\Program Files\Grisoft\AVG7\avgcfg.dll]  [GRISOFT, s.r.o., 7.5.0.442]
    [C:\Program Files\Grisoft\AVG7\avgklib.dll]  [GRISOFT, s.r.o., 7.5.0.434]
    [C:\Program Files\Grisoft\AVG7\avglng.dll]  [GRISOFT, s.r.o., 7.5.0.429]
    [C:\Program Files\Grisoft\AVG7\AVGRES.DLL]  [N/A, ]
    [C:\Program Files\Grisoft\AVG7\avgcckrn.dll]  [GRISOFT, s.r.o., 7.5.0.445]
    [C:\Program Files\Grisoft\AVG7\avgvault.dll]  [GRISOFT, s.r.o., 7.5.0.439]
    [C:\Program Files\Grisoft\AVG7\avgrep.dll]  [GRISOFT, s.r.o., 7.5.0.407]
    [C:\Program Files\Grisoft\AVG7\avgunarc.dll]  [GRISOFT, s.r.o., 7.5.0.443]
    [C:\PROGRA~1\Grisoft\AVG7\avgemsui.dll]  [GRISOFT, s.r.o., 7.5.0.434]
    [C:\Program Files\Grisoft\AVG7\avgscan.dll]  [GRISOFT, s.r.o., 7.5.0.442]
    [C:\Program Files\Grisoft\AVG7\avgcore.dll]  [GRISOFT, s.r.o., 7.5.0.444]
    [C:\Program Files\Micro Innovations\Mouse\MOUDL32A.DLL]  [, 4, 0, 0, 0]
    [C:\Program Files\Grisoft\AVG7\avgamsps.dll]  [GRISOFT, s.r.o., 7.5.0.407]
    [C:\PROGRA~1\Grisoft\AVG7\avgemcps.dll]  [GRISOFT, s.r.o., 7.5.0.420]
    [C:\Program Files\Grisoft\AVG7\avgf.dll]  [N/A, ]
[PID: 1608][C:\Program Files\Micro Innovations\Keyboard\kbdap32a.EXE]  [, 4.0.0.0]
    [C:\Program Files\Micro Innovations\Keyboard\KBDDL32A.DLL]  [, 4, 0, 0, 0]
    [C:\Program Files\Micro Innovations\Keyboard\KBD32S.DLL]  [N/A, ]
    [C:\Program Files\Micro Innovations\Keyboard\KBD32G.DLL]  [N/A, ]
[PID: 1640][C:\Program Files\Micro Innovations\Mouse\mouse32a.exe]  [, 4.0.0.0]
    [C:\Program Files\Micro Innovations\Mouse\MOUDL32A.DLL]  [, 4, 0, 0, 0]
[PID: 2044][C:\Program Files\Java\jre1.6.0\bin\jusched.exe]  [Sun Microsystems, Inc., 6.0.0.105]
    [C:\Program Files\Java\jre1.6.0\bin\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
[PID: 148][C:\Program Files\Messenger\msmsgs.exe]  [Microsoft Corporation, 4.7.2010]
    [C:\WINDOWS\System32\quartz.dll]  [, ]
    [C:\WINDOWS\System32\devenum.dll]  [, ]
    [C:\WINDOWS\System32\msdmo.dll]  [, ]
[PID: 304][C:\Program Files\BigFix\BigFix.exe]  [BigFix Inc., 1, 7, 6, 0]
    [C:\Program Files\BigFix\Lib\Engine.dll]  [BigFix, 1, 7, 6, 0]
    [C:\Program Files\BigFix\Lib\Inspectors\Inspect.dll]  [BigFix, 1, 7, 6, 0]
    [C:\Program Files\BigFix\PSAPI.DLL]  [Microsoft Corporation, 4.00]
[PID: 1948][C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe]  [Ulead Systems, Inc., 4, 0, 0, 0]
    [C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\u32Cfg.dll]  [Ulead Systems, Inc., 4, 0, 0, 0]
    [C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\u32sn.dll]  [Ulead Systems, Inc., 7.0.0.0]
    [C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\u32Prod.dll]  [Ulead Systems, Inc., 4.0]
    [C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\u32Comm.dll]  [Ulead Systems, Inc., 7.0.0.0]
    [C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalRemi.dll]  [Ulead Systems, Inc., 4, 0, 0, 0]
    [C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\PEBase.dll]  [Ulead Systems, Inc., 4, 0, 0, 0]
    [C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\ipeConst.dll]  [Ulead Systems, Inc., 4, 0, 0, 0]
[PID: 1288][C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe]  [Hewlett-Packard Company, 2.1.4]
    [C:\WINDOWS\System32\HPVAUT32.dll]  [Microsoft Corporation, 2.40.4517]
    [C:\WINDOWS\System32\HPVCP70.dll]  [Microsoft Corporation, 7.00.9466.0]
    [C:\WINDOWS\System32\HPVCR70.dll]  [Microsoft Corporation, 7.00.9466.0]
    [C:\Program Files\HP\hpcoretech\HPCmpMgr.dll]  [Hewlett-Packard Company, 2.1.4]
    [C:\WINDOWS\System32\MSXML4.dll]  [Microsoft Corporation, 4.10.9404.0]
    [C:\Program Files\HP\hpcoretech\comp\hpschedr.dll]  [Hewlett-Packard Company, 2.1.4]
[PID: 3352][C:\WINDOWS\system32\taskmgr.exe]  [Microsoft Corporation, 5.1.2600.1106 (xpsp1.020828-1920)]
[PID: 3772][C:\PROGRA~1\MOZILL~1\FIREFOX.EXE]  [Mozilla Corporation, 1.8.1.3: 2007030919]
    [C:\PROGRA~1\MOZILL~1\js3250.dll]  [Netscape Communications Corporation, 4.0]
    [C:\PROGRA~1\MOZILL~1\nspr4.dll]  [Netscape Communications Corporation, 4.6.5]
    [C:\PROGRA~1\MOZILL~1\xpcom_core.dll]  [Mozilla Foundation, 1.8.1.3: 2007030919]
    [C:\PROGRA~1\MOZILL~1\plc4.dll]  [Netscape Communications Corporation, 4.6.5]
    [C:\PROGRA~1\MOZILL~1\plds4.dll]  [Netscape Communications Corporation, 4.6.5]
    [C:\PROGRA~1\MOZILL~1\smime3.dll]  [Mozilla Foundation, 3.11.5 Basic ECC]
    [C:\PROGRA~1\MOZILL~1\nss3.dll]  [Mozilla Foundation, 3.11.5 Basic ECC]
    [C:\PROGRA~1\MOZILL~1\softokn3.dll]  [Mozilla Foundation, 3.11.4 Basic ECC]
    [C:\PROGRA~1\MOZILL~1\ssl3.dll]  [Mozilla Foundation, 3.11.5 Basic ECC]
    [C:\PROGRA~1\MOZILL~1\xpcom_compat.dll]  [Mozilla Foundation, 1.8.1.3: 2007030919]
    [C:\PROGRA~1\MOZILL~1\components\myspell.dll]  [Mozilla Foundation, 1.8.1.3: 2007030919]
    [C:\PROGRA~1\MOZILL~1\components\jar50.dll]  [Mozilla Foundation, 1.8.1.3: 2007030919]
    [C:\PROGRA~1\MOZILL~1\freebl3.dll]  [Mozilla Foundation, 3.11.4 Basic ECC]
    [C:\Program Files\Mozilla Firefox\nssckbi.dll]  [Mozilla Foundation, 1.62]
    [C:\PROGRA~1\MOZILL~1\components\spellchk.dll]  [Mozilla Foundation, 1.8.1.3: 2007030919]
    [C:\Program Files\Micro Innovations\Mouse\MOUDL32A.DLL]  [, 4, 0, 0, 0]
[PID: 3952][C:\Documents and Settings\Duane\Desktop\sreng2\SREng.EXE]  [Smallfrogs Studio, 2.4.12.806]
    [C:\Program Files\Micro Innovations\Mouse\MOUDL32A.DLL]  [, 4, 0, 0, 0]

==================================
File Associations
.TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]  
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  OK. ["C:\WINDOWS\hh.exe" %1]
.HLP  OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS   OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock Provider
N/A

==================================
Autorun.Inf
N/A

==================================
HOSTS File
127.0.0.1 localhost

==================================
API HOOK
N/A

==================================
Hidden Process
N/A

==================================
DSS main.txt

Deckard's System Scanner v20070318.32
Run by Duane on 2007-04-04 at 20:51:19
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Duane.exe) -----------------------------------------------

HijackThis failed to provide a log after three minutes; running clone instead.
-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-04-04 20:54:20
Platform: Windows XP Service Pack 1 (5.01.2600)
MSIE: Internet Explorer (6.0.2800.1106)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\monitor.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Micro Innovations\Keyboard\KBDAP32A.EXE
C:\Program Files\Micro Innovations\Mouse\mouse32a.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Duane\Desktop\dss.exe
C:\Program Files\Hijack This\Duane.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_16_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar3.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_16_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar3.dll
O3 - Toolbar: (no name) - {74DD705D-6834-439C-A735-A6DBE2677452} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [OFFICEKB] C:\Program Files\Micro Innovations\Keyboard\kbdap32a.EXE
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Micro Innovations\Mouse\mouse32a.exe
O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\Icq.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\Icq.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra 'Tools' menuitem: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra 'Tools' menuitem: (no name) - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Video Poker () - http://download.games.yahoo.com/game...s/y/vpt0_x.cab
O16 - DPF: Yahoo! Backgammon () - http://download.games.yahoo.com/game...ts/y/at1_x.cab
O16 - DPF: Yahoo! Bingo () - http://download.games.yahoo.com/game...ts/y/xt0_x.cab
O16 - DPF: Yahoo! Blackjack () - http://download.games.yahoo.com/game...ts/y/jt0_x.cab
O16 - DPF: Yahoo! Checkers () - http://download.games.yahoo.com/game...ts/y/kt4_x.cab
O16 - DPF: Yahoo! Chess () - http://download.games.yahoo.com/game...ts/y/ct2_x.cab
O16 - DPF: Yahoo! Cribbage () - http://download.games.yahoo.com/game...ts/y/it1_x.cab
O16 - DPF: Yahoo! Dice () - http://download.games.yahoo.com/game...s/y/dct4_x.cab
O16 - DPF: Yahoo! Go Fish () - http://download.games.yahoo.com/game...ts/y/zt3_x.cab
O16 - DPF: Yahoo! Klondike Solitaire () - http://presence.games.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: Yahoo! Poker () - http://download.games.yahoo.com/game...ts/y/pt3_x.cab
O16 - DPF: Yahoo! Pyramids () - http://download.games.yahoo.com/game...s/y/pyt1_x.cab
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} () - http://download.microsoft.com/downlo...367/wmavax.CAB
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.cox.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} () - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} () - http://software-dl.real.com/14939218...p/RdxIE601.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - http://vsp.closetmaid.com/vsp/cmaidc...downloader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get...nt/swflash.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/game.../gpcontrol.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O18 - Protocol: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\System32\igfxsrvc.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Microsoft Corp., Veritas Software - C:\WINDOWS\System32\dmadmin.exe /com
O23 - Service: Google Updater Service (gusvc) - Google - "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - "C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe"
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - "C:\WINDOWS\wanmpsvc.exe"


-- Files created between 2007-03-04 and 2007-04-04 -----------------------------

2007-04-04 1959 62739 --a------ C:\WINDOWS\System32\setup_35814.exe<SEC3F2~1.EXE>
2007-04-04 17:44:12 62739 --a------ C:\WINDOWS\System32\setup_86040.exe<SEC8D5~1.EXE>
2007-04-03 22:15:22 62739 --a------ C:\WINDOWS\System32\setup_66337.exe<SETUP_~4.EXE>
2007-04-02 18:20:07 62739 --a------ C:\WINDOWS\System32\setup_00365.exe<SETUP_~3.EXE>
2007-04-01 21:30:54 62739 --a------ C:\WINDOWS\System32\setup_23750.exe<SETUP_~2.EXE>
2007-04-01 21:02:19 62739 --a------ C:\WINDOWS\System32\setup_23523.exe<SETUP_~1.EXE>
2007-04-01 1452 69 --a------ C:\WINDOWS\System32\i
2007-03-31 07:36:01 109 --a------ C:\delete.reg
2007-03-31 07:25:13 0 d-------- C:\Documents and Settings\Cody\Application Data\WeatherBug<WEATHE~1>
2007-03-30 20:32:03 159 --a------ C:\FixServices.bat<FIXSER~1.BAT>
2007-03-27 20:55:16 0 d-------- C:\Documents and Settings\Molly\SmitfraudFix<SMITFR~1>
2007-03-27 18:56:48 0 d-------- C:\hijackthis<HIJACK~1>
2007-03-24 11:58:22 0 d-------- C:\Documents and Settings\Master Account\WINDOWS
2007-03-24 11:58:22 0 d-------- C:\Documents and Settings\Master Account\Application Data\Symantec
2007-03-24 11:58:22 0 d-------- C:\Documents and Settings\Master Account\Application Data\InterTrust<INTERT~1>
2007-03-24 11:58:22 0 d-------- C:\Documents and Settings\Master Account\Application Data\Adobe
2007-03-24 11:58:21 1048576 --ah----- C:\Documents and Settings\Master Account\NTUSER.DAT
2007-03-24 08:46:40 0 d-------- C:\WINDOWS\System32\Kaspersky Lab<KASPER~1>
2007-03-20 20:18:18 0 d-------- C:\avenger
2007-03-19 21:14:12 0 d--h----- C:\WINDOWS\PIF
2007-03-13 20:51:18 136 --a------ C:\WINDOWS\System32\dgjun.bat
2007-03-12 18:20:25 491768 --a------ C:\ie6setup.exe
2007-03-11 22:17:35 0 d-------- C:\WINDOWS\System32\ActiveScan<ACTIVE~1>
2007-03-11 09:25:11 0 d-------- C:\Program Files\Java
2007-03-11 09:25:11 0 d-------- C:\Program Files\Common Files\Java
2007-03-11 09:24:21 0 d-------- C:\Documents and Settings\Duane\Application Data\Sun
2007-03-10 11:31:19 0 d-------- C:\Rustbfix
2007-03-08 19:33:08 49152 --a------ C:\Documents and Settings\Duane\vfind.exe


-- Find3M Report ---------------------------------------------------------------

2007-04-04 20:51:21 0 d-------- C:\Program Files\Hijack This<HIJACK~1>
2007-04-01 10:33:26 3446 --a------ C:\WINDOWS\System32\tmp.reg
2007-03-31 09:07:16 0 d-------- C:\Program Files\Picasa2
2007-03-31 09:05:29 0 d-------- C:\Program Files\Messenger<MESSEN~1>
2007-03-31 09:00:28 0 d-------- C:\Program Files\iTunes
2007-03-31 08:59:12 0 d-------- C:\Program Files\Google
2007-03-31 08:56:47 0 d-------- C:\Program Files\BigFix
2007-03-25 10:02:03 6469352 --a------ C:\Program Files\avgas-setup-7.5.0.50.exe<AVGAS-~1.EXE>
2007-03-21 22:56:19 0 d---s---- C:\Documents and Settings\Duane\Application Data\Microsoft<MICROS~1>
2007-03-08 19:47:09 0 d-------- C:\Program Files\Common Files\Symantec Shared<SYMANT~1>
2007-02-24 10:40:37 0 d-------- C:\Documents and Settings\Duane\Application Data\AVG7
2007-02-21 21:42:31 129 --a------ C:\fix.bat
2007-02-21 18:24:56 0 d-------- C:\Program Files\backups
2007-02-20 21:14:12 0 d-------- C:\Program Files\Shockwave.com<SHOCKW~1.COM>
2007-02-13 21:29:11 0 d-------- C:\Program Files\Common Files\Sandlot Shared<SANDLO~1>
2007-02-10 20:00:13 14201 --a------ C:\Program Files\hijackthis.log<HIJACK~1.LOG>
2007-01-28 21:28:17 14 --a------ C:\WINDOWS\System32\systeminfo3.dll<SYSTEM~1.DLL>
2007-01-28 21:26:55 34 --a------ C:\Documents and Settings\Duane\Application Data\pcouffin.log
2007-01-28 21:26:41 47360 --a------ C:\Documents and Settings\Duane\Application Data\pcouffin.sys
2007-01-28 21:26:41 1144 --a------ C:\Documents and Settings\Duane\Application Data\pcouffin.inf
2007-01-28 21:26:41 7176 --a------ C:\Documents and Settings\Duane\Application Data\pcouffin.cat
2007-01-28 21:26:41 81920 --a------ C:\Documents and Settings\Duane\Application Data\ezpinst.exe
2007-01-21 15:08:15 14612 --a------ C:\Program Files\CWSHREDDER.EXE-2D092FD4.pf<CWSHRE~1.PF>
2007-01-21 15:03:52 532480 --a------ C:\Program Files\cwshredder.exe<CWSHRE~1.EXE>
2007-01-12 18:19:57 0 --a------ C:\WINDOWS\System32\vb2en16.dll
2007-01-11 16:35:33 12800 --a------ C:\WINDOWS\System32\svchost.exe
2007-01-07 18:21:40 1 --a------ C:\WINDOWS\System32\ps.dat
2007-01-07 18:21:40 1 --a------ C:\WINDOWS\System32\cookie.dat
2007-01-07 13:16:52 25600 --a------ C:\WINDOWS\System32\helper.dll
2007-01-04 22:35:41 10660 --a------ C:\WINDOWS\mozver.dat


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Microsoft Works Update Detection"="c:\\Program Files\\Microsoft Works\\WkDetect.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"Ulead AutoDetector"="C:\\Program Files\\Ulead Systems\\Ulead Photo Explorer 8.0 SE Basic\\Monitor.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb10.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"HP Software Update"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Picasa Media Detector"="C:\\Program Files\\Picasa2\\PicasaMediaDetector.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"OFFICEKB"="C:\\Program Files\\Micro Innovations\\Keyboard\\kbdap32a.EXE"
"FLMOFFICE4DMOUSE"="C:\\Program Files\\Micro Innovations\\Mouse\\mouse32a.exe"
"PC Pitstop Optimize Scheduler"="C:\\Program Files\\PCPitstop\\Optimize\\PCPOptimize.exe -boot"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



-- End of Deckard's System Scanner: finished at 2007-04-04 at 20:54:39 ---------
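The "Files created" section of the scan above is the most telling part of the log: six setup_NNNNN.exe files with random five-digit names, every one exactly 62739 bytes, written into System32 roughly once a day, next to a 69-byte extensionless file named i. Unrelated installers do not share a byte size to the digit. The following script is an added triage example, not part of the original post and not a tool from this thread: it parses DSS "Files created" lines (the sample lines below are modelled on the report above and are constructed test input), clusters the setup_NNNNN.exe entries by size, and separately lists tiny extensionless files in System32 that are too small to be programs and worth opening as text. The line format, the five-digit name pattern and the 256-byte stub threshold are assumptions drawn from this one report.

```python
import re
from collections import defaultdict

# One "Files created" line from a Deckard's System Scanner report (assumed format):
#   <date> <time> <size> <attribute flags> <path>[<8.3 short name>]
# The time field is kept as an opaque token because some extracted lines
# (for example "1959") have lost their separators.
DSS_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\S+)\s+(?P<size>\d+)\s+"
    r"(?P<attrs>[-a-zA-Z]+)\s+(?P<path>.*?)(?:<[^<>]*>)?\s*$"
)

# Random five-digit setup_NNNNN.exe names dropped directly into System32.
DROPPER_NAME = re.compile(r"\\system32\\setup_\d{5}\.exe$", re.IGNORECASE)

# Constructed sample lines modelled on the report above (not a live scan).
SAMPLE_LINES = [
    r"2007-04-04 1959 62739 --a------ C:\WINDOWS\System32\setup_35814.exe<SEC3F2~1.EXE>",
    r"2007-04-04 17:44:12 62739 --a------ C:\WINDOWS\System32\setup_86040.exe<SEC8D5~1.EXE>",
    r"2007-04-03 22:15:22 62739 --a------ C:\WINDOWS\System32\setup_66337.exe<SETUP_~4.EXE>",
    r"2007-04-02 18:20:07 62739 --a------ C:\WINDOWS\System32\setup_00365.exe<SETUP_~3.EXE>",
    r"2007-04-01 21:30:54 62739 --a------ C:\WINDOWS\System32\setup_23750.exe<SETUP_~2.EXE>",
    r"2007-04-01 21:02:19 62739 --a------ C:\WINDOWS\System32\setup_23523.exe<SETUP_~1.EXE>",
    r"2007-04-01 1452 69 --a------ C:\WINDOWS\System32\i",
    r"2007-03-31 07:36:01 109 --a------ C:\delete.reg",
    r"2007-03-24 08:46:40 0 d-------- C:\WINDOWS\System32\Kaspersky Lab<KASPER~1>",
    r"2007-03-13 20:51:18 136 --a------ C:\WINDOWS\System32\dgjun.bat",
    r"2007-03-11 22:17:35 0 d-------- C:\WINDOWS\System32\ActiveScan<ACTIVE~1>",
    r"2007-03-08 19:33:08 49152 --a------ C:\Documents and Settings\Duane\vfind.exe",
]


def parse_dss_lines(lines):
    """Return one dict per parsable line; lines that do not match are skipped."""
    entries = []
    for line in lines:
        m = DSS_LINE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["is_dir"] = e["attrs"].lower().startswith("d")   # first flag is 'd' for directories
        e["name"] = e["path"].rsplit("\\", 1)[-1]
        entries.append(e)
    return entries


def find_dropper_clusters(entries, min_count=2):
    """Group setup_NNNNN.exe files in System32 by byte size.

    Several randomly named executables of exactly the same size, created on
    different days, point to one component re-writing itself rather than to
    unrelated installers.
    """
    by_size = defaultdict(list)
    for e in entries:
        if not e["is_dir"] and DROPPER_NAME.search(e["path"]):
            by_size[e["size"]].append(e["path"])
    return {size: paths for size, paths in by_size.items() if len(paths) >= min_count}


def find_script_stubs(entries, max_size=256):
    """Tiny extensionless files in System32 (like the 69-byte "i" in the report):
    far too small to be a program, so they should be opened as text, not run."""
    return [
        e["path"] for e in entries
        if not e["is_dir"]
        and "." not in e["name"]
        and e["size"] <= max_size
        and "\\system32\\" in e["path"].lower()
    ]


def triage(lines):
    """Run both checks over raw report lines and return the findings."""
    entries = parse_dss_lines(lines)
    return {"clusters": find_dropper_clusters(entries), "stubs": find_script_stubs(entries)}


if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for size, paths in result["clusters"].items():
        print(f"{len(paths)} System32 setup_NNNNN.exe files of {size} bytes:")
        for p in paths:
            print("   ", p)
    print("script stubs:", result["stubs"])
```

Feed it the whole main.txt and the cluster check does the same comparison an analyst does by eye, but it also catches a second cluster at a different size, which would mean two components rather than one.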
Old 04-04-2007, 10:30 PM   #130
cul8rman (Registered User; Join Date: Aug 2006; Location: Arizona; Posts: 134; OS: XP)


Re: MS Windows XP will not load when connected to internet

I was poking around the internet looking for system32\setup_###### and found a reference to this: W32/Gaobot.worm!MS06-040 on McAfee's website.

I also found an automated cleaner on Trend Micro
http://www.trendmicro.com/vinfo/viru...2ECDM&VSect=Sn
Old 04-05-2007, 07:58 PM   #131
cul8rman (Registered User; Join Date: Aug 2006; Location: Arizona; Posts: 134; OS: XP)


Re: MS Windows XP will not load when connected to internet

I have something strange for you: the C:\windows\system32\setup_#####.exe files that were on the system yesterday are no longer there. I did not run any fixes or run the AV program, but they are gone, disappeared. I am wondering when they are going to poke their ugly heads back up.

The i file is still present.
Old 04-05-2007, 08:37 PM   #132
Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team; Join Date: Jan 2005; Location: Ohio; Posts: 26,836; OS: WinXP and Vista)


Re: MS Windows XP will not load when connected to internet

That is odd indeed. Hang in there...we're working on it.
Old 04-05-2007, 11:06 PM   #133
Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team; Join Date: Jan 2005; Location: Ohio; Posts: 26,836; OS: WinXP and Vista)


Re: MS Windows XP will not load when connected to internet

Hi cul8rman,

Boot into Safe Mode.

---------------------------------------------------------------

My apologies; I thought I had taken care of all of the January files earlier, so in the subsequent logs I was concentrating on new files being created.

Delete these files:

C:\WINDOWS\System32\vb2en16.dll
C:\WINDOWS\System32\helper.dll

---------------------------------------------------------------

Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt I'll need that in your next reply.
---------------------------------------------------------------

Run a new scan with dss.exe on Molly's account and post the main.txt here as well.

If C:\windows\system32\i or any of the setup_*****.exe files return after the above fix has been completed, please do the following:

Please download the Suspicious File Packer --> http://www.safer-networking.org/files/sfp.zip

Unzip it to the desktop and run it.
Paste the following list of filepaths into the Suspicious File Packer window:

C:\windows\system32\ (enter whatever the new random setup_*****.exe is)
C:\windows\system32\i

Allow SFP to pack the files. This will generate a CAB archive on your desktop.
Next, please visit TheSpyKillers forum HERE

Read the first topic for instructions on uploading files then start a new Topic, title the thread Files for AndyManchesta, post a link to this thread and upload the requested files.cab archive from your desktop.
Last edited by tetonbob; 04-07-2007 at 07:51 PM.
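The packing step at the end of the post above exists because the files in this thread keep disappearing before anyone can look at them, so the analyst wants the samples themselves, not another listing. As an added example that is not part of the original post and is not the Suspicious File Packer or any other tool named in this thread, the script below does the equivalent collection in Python: it copies each suspect path into a zip together with a manifest.json recording size, last-modified time and MD5/SHA-256, and it records a path as "missing" rather than aborting when the file has already vanished. The directory layout, the file contents and the names in demo() are constructed stand-ins, not the real files; the archive is an ordinary unencrypted zip, so whatever the receiving forum's upload rules say about archive format and passwords still applies.

```python
import hashlib
import json
import os
import tempfile
import zipfile
from datetime import datetime, timezone


def file_hashes(path, chunk=65536):
    """MD5 and SHA-256 of a file, read in chunks so large files are fine."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


def pack_suspects(paths, out_zip):
    """Copy every existing file in `paths` into `out_zip` and add manifest.json.

    The manifest keeps the metadata that is lost once the file is gone:
    size, modification time and hashes. A path that no longer exists is
    recorded with status "missing" instead of stopping the whole run.
    """
    manifest = {}
    with zipfile.ZipFile(out_zip, "w", zipfile.ZIP_DEFLATED) as z:
        for p in paths:
            if not os.path.isfile(p):
                manifest[p] = {"status": "missing"}
                continue
            st = os.stat(p)
            md5, sha = file_hashes(p)
            manifest[p] = {
                "status": "packed",
                "size": st.st_size,
                "modified_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "md5": md5,
                "sha256": sha,
            }
            z.write(p, arcname=os.path.basename(p))
        z.writestr("manifest.json", json.dumps(manifest, indent=2))
    return manifest


def demo():
    """Constructed stand-ins for the suspect files (sample bytes, not the real ones)."""
    work = tempfile.mkdtemp()
    sys32 = os.path.join(work, "System32")
    os.makedirs(sys32)
    dropper = os.path.join(sys32, "setup_03471.exe")   # name taken from the SDFix report
    stub = os.path.join(sys32, "i")
    dropper_bytes = b"MZ" + b"\x00" * 98                # fake executable header, 100 bytes
    with open(dropper, "wb") as f:
        f.write(dropper_bytes)
    with open(stub, "wb") as f:
        f.write(b"sample script text\r\n")
    gone = os.path.join(sys32, "setup_23164.exe")       # never created: a file that vanished
    out = os.path.join(work, "files.zip")
    manifest = pack_suspects([dropper, stub, gone], out)
    with zipfile.ZipFile(out) as z:
        names = sorted(z.namelist())
    return manifest, names, hashlib.sha256(dropper_bytes).hexdigest()


if __name__ == "__main__":
    manifest, names, _ = demo()
    print("archive members:", names)
    print(json.dumps(manifest, indent=2))
```

On the real machine you would call pack_suspects() with the live System32 paths; the hashes in the manifest are what let the analyst tell a re-dropped file apart from a recompiled one even after the original has been deleted.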
Old 04-05-2007, 11:15 PM   #134
cul8rman (Registered User; Join Date: Aug 2006; Location: Arizona; Posts: 134; OS: XP)


Re: MS Windows XP will not load when connected to internet

I was checking to see if the file had just hidden temporarily and tried logging back in. I got a blue screen, so I ended up powering down manually. During the shutdown a window came up with duane.exe, and it was in one of those ending-program, saving-files type windows. I brought the system back up and there was one case of the setup file. It seems that the file is written to disk when the system locks up and I manually do something. It has happened when using the X to close a locked-up program, and it has popped up when IE or Task Manager would not load. I have attached the duane.exe file if you need it; it was a .pf file in the Prefetch folder in Windows.

I had another thought: Geeksquad replaced the motherboard and power supply since the system was still under warranty. Is it possible that they did something so I would take it back for them to clean up?

Thanks, I appreciate the help and understand this is quite a hidden issue.
Attached file: DUANE.EXE-13AFDEC8 4 5 07.pf.txt (44.2 KB)
Old 04-05-2007, 11:33 PM   #135
Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team; Join Date: Jan 2005; Location: Ohio; Posts: 26,836; OS: WinXP and Vista)


Re: MS Windows XP will not load when connected to internet

Hmmm...duane.exe should have the HijackThis icon with it as Deckard's System Scanner automatically renames HijackThis and creates an icon on the desktop.

Search your system for duane.exe and list any you find here for me, along with the date the file was created or modified.

No, I don't think geeksquad is responsible for this at all. This infection has been known, albeit rarely, to infect legit OS files and hide within. I'm hoping it's one of those files that I missed that is bringing it back.
Last edited by Ried; 04-05-2007 at 11:35 PM.
Old 04-06-2007, 11:50 PM   #136
cul8rman (Registered User; Join Date: Aug 2006; Location: Arizona; Posts: 134; OS: XP)


Re: MS Windows XP will not load when connected to internet

The mischievous files did go away temporarily, but have returned. Here are the results you are looking for. I will proceed to the bottom section of the directions you gave me.


Report.txt


SDFix: Version 1.75

Run by Molly - Fri 04/06/2007 - 20:32:59.81

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:





Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\XIUEX.EXE - Deleted
C:\WINDOWS\msdtc.exe - Deleted
C:\WINDOWS\system32\i - Deleted
C:\WINDOWS\system32\setup_03471.exe - Deleted
C:\WINDOWS\system32\setup_23164.exe - Deleted



ADS Check:

C:\WINDOWS\system32
No streams found.


Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes :

C:\Program Files\Common Files\aolshare\shell\us\shellext.dll
C:\Program Files\Common Files\csshare\shell\us\shellext.dll
C:\My Games\Action Ball\actionball.exe
C:\My Games\Adventure Ball\AdventureBall.exe
C:\My Games\Aqua Pearls\pearls.exe
C:\My Games\Cactus Bruce and the Corporate Monkeys\RealCB12.exe
C:\My Games\Clash 'N Slash\Clash N Slash.exe
C:\My Games\Flying Leo\FlyingLeo.exe
C:\My Games\Icy Spell\IcySpell.exe
C:\My Games\Impact\Impact.exe
C:\My Games\Inspheration\Inspheration.exe
C:\My Games\Jewel of Atlantis\Jewel of Atlantis.exe
C:\My Games\Mirror Magic\mirrormagic.exe
C:\My Games\Mosaic - Tomb of Mystery\Mosaic.exe
C:\My Games\Phlinx to Go\PhlinxToGo.exe
C:\My Games\Rainbow Web\RainbowWeb.exe
C:\My Games\Snowy - Space Trip\SpaceTrip.exe
C:\My Games\Turtle Odyssey\Game.exe
C:\My Games\Wheel of Fortune\Wheel of Fortune.exe
C:\Program Files\America Online 8.0\aolphx.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\America Online 8.0\RBM.exe
C:\Program Files\America Online 8.0\waol.exe
C:\Program Files\America Online 8.0\COMIT\cswitch.exe
C:\Program Files\CompuServe 7.0\csphx.exe
C:\Program Files\CompuServe 7.0\cstray.exe
C:\Program Files\CompuServe 7.0\RBM.exe
C:\Program Files\CompuServe 7.0\wcs2000.exe
C:\Program Files\CompuServe 7.0\COMIT\cswitch.exe
C:\Program Files\Picasa2\setup.exe
C:\WINDOWS\system32\config\default.tmp.LOG
C:\WINDOWS\system32\config\SAM.tmp.LOG
C:\WINDOWS\system32\config\SECURITY.tmp.LOG
C:\WINDOWS\system32\config\software.tmp.LOG
C:\WINDOWS\system32\config\system.tmp.LOG

Finished

main.txt

Deckard's System Scanner v20070318.32
Run by Molly on 2007-04-06 at 21:17:37
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Molly.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 9:17:43 PM, on 4/6/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Micro Innovations\Keyboard\kbdap32a.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Micro Innovations\Mouse\mouse32a.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Molly\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\Molly.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_16_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_16_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: (no name) - {74DD705D-6834-439C-A735-A6DBE2677452} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [OFFICEKB] C:\Program Files\Micro Innovations\Keyboard\kbdap32a.EXE
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Micro Innovations\Mouse\mouse32a.exe
O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: Video Poker - http://download.games.yahoo.com/game...s/y/vpt0_x.cab
O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/game...ts/y/at1_x.cab
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/game...ts/y/xt0_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/game...ts/y/jt0_x.cab
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/game...ts/y/kt4_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/game...ts/y/ct2_x.cab
O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/game...ts/y/it1_x.cab
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/game...s/y/dct4_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/game...ts/y/zt3_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://presence.games.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/game...ts/y/pt3_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/game...s/y/pyt1_x.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.cox.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/14939218...p/RdxIE601.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - http://vsp.closetmaid.com/vsp/cmaidc...downloader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/game.../gpcontrol.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Microsoft Windows Distributed Transaction Coordinator (Windows Distributed Transaction Process Coordinator) - Unknown owner - C:\WINDOWS\msdtc.exe (file missing)


-- Files created between 2007-03-06 and 2007-04-06 -----------------------------

2007-04-06 20:50:34 0 --a------ C:\WINDOWS\System32\setup_83375.exe<SETUP_~1.EXE>
2007-04-06 19:03:30 35328 --a------ C:\sib.exe
2007-04-06 18:48:16 2017 --a------ C:\tjfdf.exe
2007-04-06 18:48:03 48128 --a------ C:\bohxe.exe
2007-04-06 18:47:46 30720 --a------ C:\lcpift.exe
2007-04-04 21:35:01 0 d-------- C:\Documents and Settings\Duane\.housecall6.6<HOUSEC~1.6>
2007-04-04 21:30:09 0 d-------- C:\WINDOWS\Sun
2007-03-31 07:36:01 109 --a------ C:\delete.reg
2007-03-31 07:25:13 0 d-------- C:\Documents and Settings\Cody\Application Data\WeatherBug<WEATHE~1>
2007-03-30 20:32:03 159 --a------ C:\FixServices.bat<FIXSER~1.BAT>
2007-03-27 20:55:16 0 d-------- C:\Documents and Settings\Molly\SmitfraudFix<SMITFR~1>
2007-03-27 18:56:48 0 d-------- C:\hijackthis<HIJACK~1>
2007-03-24 11:58:22 0 d-------- C:\Documents and Settings\Master Account\WINDOWS
2007-03-24 11:58:22 0 d-------- C:\Documents and Settings\Master Account\Application Data\Symantec
2007-03-24 11:58:22 0 d-------- C:\Documents and Settings\Master Account\Application Data\InterTrust<INTERT~1>
2007-03-24 11:58:22 0 d-------- C:\Documents and Settings\Master Account\Application Data\Adobe
2007-03-24 11:58:21 1048576 --ah----- C:\Documents and Settings\Master Account\NTUSER.DAT
2007-03-24 08:46:40 0 d-------- C:\WINDOWS\System32\Kaspersky Lab<KASPER~1>
2007-03-20 20:18:18 0 d-------- C:\avenger
2007-03-19 21:14:12 0 d--h----- C:\WINDOWS\PIF
2007-03-13 20:51:18 136 --a------ C:\WINDOWS\System32\dgjun.bat
2007-03-12 18:20:25 491768 --a------ C:\ie6setup.exe
2007-03-11 22:17:35 0 d-------- C:\WINDOWS\System32\ActiveScan<ACTIVE~1>
2007-03-11 09:25:11 0 d-------- C:\Program Files\Java
2007-03-11 09:25:11 0 d-------- C:\Program Files\Common Files\Java
2007-03-11 09:24:21 0 d-------- C:\Documents and Settings\Duane\Application Data\Sun
2007-03-10 11:31:19 0 d-------- C:\Rustbfix
2007-03-08 19:33:08 49152 --a------ C:\Documents and Settings\Duane\vfind.exe


-- Find3M Report ---------------------------------------------------------------

2007-04-06 21:17:42 0 d-------- C:\Program Files\Hijack This<HIJACK~1>
2007-04-06 19:03:43 0 d-------- C:\Documents and Settings\Molly\Application Data\WeatherBug<WEATHE~1>
2007-04-01 10:33:26 3446 --a------ C:\WINDOWS\System32\tmp.reg
2007-03-31 09:07:16 0 d-------- C:\Program Files\Picasa2
2007-03-31 09:05:29 0 d-------- C:\Program Files\Messenger<MESSEN~1>
2007-03-31 09:00:28 0 d-------- C:\Program Files\iTunes
2007-03-31 08:59:12 0 d-------- C:\Program Files\Google
2007-03-31 08:56:47 0 d-------- C:\Program Files\BigFix
2007-03-25 10:02:03 6469352 --a------ C:\Program Files\avgas-setup-7.5.0.50.exe<AVGAS-~1.EXE>
2007-03-24 13:47:01 0 d-------- C:\Documents and Settings\Molly\Application Data\AVG7
2007-03-08 19:47:09 0 d-------- C:\Program Files\Common Files\Symantec Shared<SYMANT~1>
2007-02-21 21:42:31 129 --a------ C:\fix.bat
2007-02-21 18:24:56 0 d-------- C:\Program Files\backups
2007-02-20 21:14:12 0 d-------- C:\Program Files\Shockwave.com<SHOCKW~1.COM>
2007-02-13 21:29:11 0 d-------- C:\Program Files\Common Files\Sandlot Shared<SANDLO~1>
2007-02-10 20:00:13 14201 --a------ C:\Program Files\hijackthis.log<HIJACK~1.LOG>
2007-01-28 21:28:17 14 --a------ C:\WINDOWS\System32\systeminfo3.dll<SYSTEM~1.DLL>
2007-01-21 15:08:15 14612 --a------ C:\Program Files\CWSHREDDER.EXE-2D092FD4.pf<CWSHRE~1.PF>
2007-01-21 15:03:52 532480 --a------ C:\Program Files\cwshredder.exe<CWSHRE~1.EXE>
2007-01-11 16:35:33 12800 --a------ C:\WINDOWS\System32\svchost.exe
2007-01-07 18:21:40 1 --a------ C:\WINDOWS\System32\ps.dat
2007-01-07 18:21:40 1 --a------ C:\WINDOWS\System32\cookie.dat


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Microsoft Works Update Detection"="c:\\Program Files\\Microsoft Works\\WkDetect.exe"
"Weather"="C:\\PROGRA~1\\AWS\\WEATHE~1\\Weather.exe 1"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"Ulead AutoDetector"="C:\\Program Files\\Ulead Systems\\Ulead Photo Explorer 8.0 SE Basic\\Monitor.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb10.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"HP Software Update"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Picasa Media Detector"="C:\\Program Files\\Picasa2\\PicasaMediaDetector.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"OFFICEKB"="C:\\Program Files\\Micro Innovations\\Keyboard\\kbdap32a.EXE"
"FLMOFFICE4DMOUSE"="C:\\Program Files\\Micro Innovations\\Mouse\\mouse32a.exe"
"PC Pitstop Optimize Scheduler"="C:\\Program Files\\PCPitstop\\Optimize\\PCPOptimize.exe -boot"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



-- End of Deckard's System Scanner: finished at 2007-04-06 at 21:18:02 ---------

Quote:
Search your system for duane.exe and list any you find here for me, along with the date the file was created or modified.
DUANE.EXE-13AFDEC8.pf PF File 3/31/2007
setup_83375.exe Application 4/6/2007

END OF POST

Last edited by cul8rman; 04-06-2007 at 11:55 PM.
Old 04-07-2007, 12:46 AM   #137 (permalink)
cul8rman
Registered User
Join Date: Aug 2006
Location: Arizona
Posts: 134
OS: XP
Re: MS Windows XP will not load when connected to internet

I was having issues trying to upload the cab file for the other site. All of a sudden AVG went nuts; here are a few of the threats that came up.

AVG Threat
C:\Documents and Settings\localService\LocalSettings\Temporary Internet files\ContentIE5\KRMHM32V\zwvvfftt[1].htm
Trojan horse proxy.MTR

C:\lcpift.exe
Trojan horse proxy.MTR

C:\Documents and Settings\localService\LocalSettings\Temporary Internet files\ContentIE5\YNCP89MT\zwvvfftt[2].htm
Trojan horse proxy.MTR

C:\Documents and Settings\localService\LocalSettings\Temporary Internet files\ContentIE5\YNCP89MT\iblybil[1]htm
Trojan horse proxy.MTR

C:\xiuex.exe
Trojan horse Downloader Generic 3ZIM
Old 04-07-2007, 09:24 AM   #138 (permalink)
Ried
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,836
OS: WinXP and Vista


Re: MS Windows XP will not load when connected to internet

Were you able to upload that .cab file to SpyKillers Forum?

Did AVG quarantine or delete those files it alerted you to? If not, I'd like to try to find out more about them.

Upload each of these (one at a time) to http://virusscan.jotti.org and report back what it found.

At the top of the window you should see "File to Upload & scan" and a blank box. Copy and paste the red text from above into the box. Then click "submit".

C:\Documents and Settings\localService\LocalSettings\Temporary Internet files\ContentIE5\KRMHM32V\zwvvfftt[1].htm
C:\lcpift.exe
C:\Documents and Settings\localService\LocalSettings\Temporary Internet files\ContentIE5\YNCP89MT\iblybil[1]htm
C:\xiuex.exe


When it is finished, please copy and paste the information listed under "Service" and "Scanner Results" here.

If the site is too busy, upload it here http://www.virustotal.com/en/indexf.html
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

Last edited by Ried; 04-07-2007 at 09:33 AM.
Old 04-07-2007, 07:00 PM   #139 (permalink)
cul8rman
Registered User
Join Date: Aug 2006
Location: Arizona
Posts: 134
OS: XP


Re: MS Windows XP will not load when connected to internet

I will have to try later; the site took forever to upload, and when it did, this is what it came up with, which is not correct. I can see these on the C drive using Explorer and can open them with Notepad, but the information does not mean anything to me. Here is what came up in the uploads.

C:\Documents and Settings\localService\LocalSettings\Temporary Internet files\ContentIE5\KRMHM32V\zwvvfftt[1].htm
The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

C:\lcpift.exe
The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

C:\Documents and Settings\localService\LocalSettings\Temporary Internet files\ContentIE5\YNCP89MT\iblybil[1]htm
The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file



They are application files and are at least 2 KB in size. They also have the same date and time stamp on them, 4/7/2007. I have not done anything with them when the AVG Threat Detected window pops up because you said not to; they would be dealt with later. Do you want them moved to the virus vault?

Something else I noticed: when I tried opening one of the potential trojan files using Notepad, the wait window came up with rundll32.exe. I checked, and there are 4 of those in the prefetch folder, and they have the same modified date, 4/7/07. I am going to power down and back up and then try the last link you had for checking the files that AVG identified.

Thanks, stumped in AZ.

Last edited by cul8rman; 04-07-2007 at 07:23 PM.
Old 04-07-2007, 07:28 PM   #140 (permalink)
Ried
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,836
OS: WinXP and Vista


Re: MS Windows XP will not load when connected to internet

You edited while I was replying.

Load these 2 files to SpyKillers as well--

Paste the following list of filepaths into the Suspicious File Packer window:

C:\lcpift.exe
C:\xiuex.exe


Allow SFP to pack the files. This will generate a CAB archive on your desktop.
Please submit it to this site --> http://www.thespykiller.co.uk/index.php?board=1.0
Please include a link to this topic in the message.

After you upload those files to SpyKiller, don't let AVG fix them yet. Run a scan with SREng on Molly's account and post the log here.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

Last edited by Ried; 04-07-2007 at 08:07 PM.
Copyright 2001 - 2009, Tech Support Forum