Welcome to Tech Support Forum home to more then 136,000 problems solved. Issues have included: Spyware, Malware, Virus Issues, Windows, Microsoft, Linux, Networking, Security, Hardware, and Gaming Getting your problem solved is as easy as:
1. Registering for a free account
2. Asking your question
3. Receiving an answer

Registered members:
* Get free support
* Communicate privately with other members (PM).
* Removal of this message
* See fewer ads.
* And much more..

 


Want to know how to post a question? click here Having problems with spyware and pop-ups? First Steps
Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Reload this Page Google searches being redirected
User Name
Password
Site Map Register Donate Rules Blogs Mark Forums Read


Resolved HJT Threads Resolved spyware and popup issues.

 
Page 1 of 2 1 2
 
LinkBack Thread Tools
Old 02-22-2007, 04:35 PM   #1 (permalink)
Registered User
 
Join Date: Feb 2007
Location: Andalusia, AL
Posts: 15
OS: Windows XP


Google searches being redirected
I am having a problem with searches on google being redirected to other sites. The redirect seems to go through 216.133.243.28. It only happens with searches. I also can't send email from interface online. I can send from outlook but not if I go to the actual site like yahoo mail. Don't really know how to explain it any better than that. Any help would be greatly appreciated.


The ComboScan is below. If you need anything else let me know.


Byron



ComboScan v20070221.16 run by Byron on 2007-02-22 at 17:25:03
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Successfully created restore point.
Performed disk cleanup.


-- HijackThis (run as Byron.exe) ------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 5:25:49 PM, on 2/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Acceleration Software\StopSignProducts\Firewall\FWService.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe
C:\Program Files\Acceleration Software\SystemPatcher\sys_alert.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\eAcceleration\Station\station.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\eAcceleration\OnAccess\dguard.exe
C:\Program Files\eAcceleration\OnAccess\OnAccess.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\eAcceleration\OnAccess\scan.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Byron\My Documents\Tech Support\comboscan.exe
C:\Program Files\HijackThis\Byron.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.alaweb.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.alaweb.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AlaWeb Internet Services
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O1 - Hosts: 12.129.205.209 search.netscape.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Image Helper - {31677ADF-17D9-5516-E17D-3E459D631863} - C:\WINDOWS\system\bplctw32.dll
O2 - BHO: (no name) - {36645342-9475-2663-166A-466739207346} - C:\WINDOWS\system32\ipv6mote.dll (file missing)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {B753C7C5-0942-4b7f-BC27-942B52BDAC66} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
O2 - BHO: (no name) - {ED000712-05BF-4193-B0AA-2C992EB291A6} - C:\WINDOWS\system32\fgbofgb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [WebScan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
O4 - HKLM\..\Run: [eanth_system_patcher] "C:\Program Files\Acceleration Software\SystemPatcher\sys_alert.exe" /Startup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [StopSignSsTsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll",VerifyStatus
O4 - HKLM\..\Run: [StopSignSsFwMon] Rundll32.exe "C:\Program Files\Acceleration Software\StopSignProducts\Firewall\ssfwmon.dll",VerifyStatus
O4 - HKLM\..\Run: [SoftwareStation] "C:\Program Files\eAcceleration\Station\station.exe" /b Startup
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [OnAccess] "C:\Program Files\eAcceleration\OnAccess\OnAccess.exe" -e
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {24BE56F9-F0B6-4ac7-97F1-8CACEDA9A427} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
O9 - Extra 'Tools' menuitem: Block This Page - {24BE56F9-F0B6-4ac7-97F1-8CACEDA9A427} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.alaweb.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1170442429653
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1170442419824
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: lzxyepaw - C:\WINDOWS\SYSTEM32\fgbofgb.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: FWService - eAcceleration Corp. - C:\Program Files\Acceleration Software\StopSignProducts\Firewall\FWService.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe


-- File Associations ------------------------------------------------------------

.bat - batfile - "%1" %*
.chm - chm.file - "C:\WINDOWS\hh.exe" %1
.cmd - cmdfile - "%1" %*
.com - comfile - "%1" %*
.exe - exefile - "%1" %*
.hlp - hlpfile - %SystemRoot%\System32\winhlp32.exe %1
.inf - inffile - %SystemRoot%\System32\NOTEPAD.EXE %1
.ini - inifile - %SystemRoot%\System32\NOTEPAD.EXE %1
.js - JSFile - %SystemRoot%\System32\WScript.exe "%1" %*
.lnk - lnkfile - {00021401-0000-0000-C000-000000000046}
.pif - piffile - "%1" %*
.reg - regfile - regedit.exe "%1"
.scr - scrfile - %1
.txt - txtfile - %SystemRoot%\system32\NOTEPAD.EXE %1
.vbs - VBSFile - %SystemRoot%\System32\WScript.exe "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ----------------------

3R AgereSoftModem (Agere Systems Soft Modem) - C:\WINDOWS\system32\drivers\AGRSM.sys
3S basic2 - C:\WINDOWS\system32\drivers\HSF_BSC2.sys
1R Cdr4_xp - C:\WINDOWS\system32\drivers\cdr4_xp.sys
1R Cdralw2k - C:\WINDOWS\system32\drivers\cdralw2k.sys
1R cdudf_xp - C:\WINDOWS\system32\drivers\cdudf_xp.sys
3S dvd_2K - C:\WINDOWS\system32\drivers\Dvd_2k.sys
3R E100B (Intel(R) PRO Adapter Driver) - C:\WINDOWS\system32\drivers\e100b325.sys
2R Fallback - C:\WINDOWS\system32\drivers\HSF_FALL.sys
2R Fsks - C:\WINDOWS\system32\drivers\HSF_FSKS.sys
0R fwcore - C:\WINDOWS\system32\drivers\fwcore.sys
3S HCF_MSFT - C:\WINDOWS\system32\drivers\HCF_MSFT.sys
3S HSFHWBS2 - C:\WINDOWS\system32\drivers\hsfbs2s2.sys
3S HSF_DP - C:\WINDOWS\system32\drivers\hsfdpsp2.sys
3S hsf_msft - C:\WINDOWS\system32\drivers\HSF_MSFT.sys
1R intelppm (Intel Processor Driver) - C:\WINDOWS\system32\drivers\intelppm.sys
2R K56 - C:\WINDOWS\system32\drivers\HSF_K56K.sys
0R lqwkkueq (Microsoft RPC API Helper) - C:\WINDOWS\system32\drivers\hdzxgjen.sys (not found)
2R MASPINT - C:\WINDOWS\system32\drivers\MASPINT.SYS
2R mdmxsdk - C:\WINDOWS\system32\drivers\mdmxsdk.sys
3R mmc_2K - C:\WINDOWS\system32\drivers\Mmc_2k.sys
3R MODEMCSA (Unimodem Streaming Filter Device) - C:\WINDOWS\system32\drivers\MODEMCSA.sys
3S Mtlmnt5 - C:\WINDOWS\system32\drivers\mtlmnt5.sys
3S Mtlstrm - C:\WINDOWS\system32\drivers\mtlstrm.sys
3R MxlW2k - C:\WINDOWS\system32\drivers\MxlW2k.sys
3S NtMtlFax - C:\WINDOWS\system32\drivers\ntmtlfax.sys
3R nv - C:\WINDOWS\system32\drivers\nv4_mini.sys
1R OMCI - C:\WINDOWS\system32\drivers\omci.sys
3R P16X (Creative SB Live! Series (WDM)) - C:\WINDOWS\system32\drivers\P16X.sys
2R PfModNT - C:\WINDOWS\system32\PFMODNT.SYS
1R pwd_2k - C:\WINDOWS\system32\drivers\pwd_2K.sys
0R RecAgent - C:\WINDOWS\system32\drivers\recagent.sys
3S Rksample - C:\WINDOWS\system32\drivers\HSF_SAMP.sys
1S SbcpHid - C:\WINDOWS\system32\drivers\SbcpHid.sys
3S Slntamr (Smart Link 56K Modem Driver) - C:\WINDOWS\system32\drivers\slntamr.sys
3S SlNtHal - C:\WINDOWS\system32\drivers\slnthal.sys
3S SlWdmSup - C:\WINDOWS\system32\drivers\slwdmsup.sys
2R SoftFax - C:\WINDOWS\system32\drivers\HSF_FAXX.sys
2R SpeakerPhone - C:\WINDOWS\system32\drivers\HSF_SPKP.sys
2R Tones - C:\WINDOWS\system32\drivers\HSF_TONE.sys
1R UdfReadr_xp - C:\WINDOWS\system32\drivers\udfreadr_xp.sys
3R usbehci (Microsoft USB 2.0 Enhanced Host Controller Miniport Driver) - C:\WINDOWS\system32\drivers\usbehci.sys
3S USBSTOR (USB Mass Storage Driver) - C:\WINDOWS\system32\drivers\USBSTOR.SYS
2R V124 - C:\WINDOWS\system32\drivers\HSF_V124.sys
3S winachsf - C:\WINDOWS\system32\drivers\hsfcxts2.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

4S Alerter - C:\WINDOWS\System32\svchost.exe -k LocalService
3R ALG (Application Layer Gateway Service) - C:\WINDOWS\System32\alg.exe
3S AppMgmt (Application Management) - C:\WINDOWS\system32\svchost.exe -k netsvcs
2R AudioSrv (Windows Audio) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S BITS (Background Intelligent Transfer Service) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2S Browser (Computer Browser) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S CiSvc (Indexing Service) - C:\WINDOWS\system32\cisvc.exe
4S ClipSrv (ClipBook) - C:\WINDOWS\system32\clipsrv.exe
3S COMSysApp (COM+ System Application) - C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
2R Creative Service for CDROM Access - C:\WINDOWS\System32\CTsvcCDA.exe
2R CryptSvc (Cryptographic Services) - C:\WINDOWS\system32\svchost.exe -k netsvcs
2R DcomLaunch (DCOM Server Process Launcher) - C:\WINDOWS\system32\svchost -k DcomLaunch
2R Dhcp (DHCP Client) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S dmadmin (Logical Disk Manager Administrative Service) - C:\WINDOWS\System32\dmadmin.exe /com
3S dmserver (Logical Disk Manager) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R Dnscache (DNS Client) - C:\WINDOWS\System32\svchost.exe -k NetworkService
2R ERSvc (Error Reporting Service) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R Eventlog (Event Log) - C:\WINDOWS\system32\services.exe
3R EventSystem (COM+ Event System) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3R FastUserSwitchingCompatibility (Fast User Switching Compatibility) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R FWService - C:\Program Files\Acceleration Software\StopSignProducts\Firewall\FWService.exe -Service
2R helpsvc (Help and Support) - C:\WINDOWS\System32\svchost.exe -k netsvcs
4S HidServ (Human Interface Device Access) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S HTTPFilter (HTTP SSL) - C:\WINDOWS\System32\svchost.exe -k HTTPFilter
3S ImapiService (IMAPI CD-Burning COM Service) - C:\WINDOWS\System32\Imapi.exe
2R lanmanserver (Server) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R lanmanworkstation (Workstation) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R LmHosts (TCP/IP NetBIOS Helper) - C:\WINDOWS\System32\svchost.exe -k LocalService
4S Messenger - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S mnmsrvc (NetMeeting Remote Desktop Sharing) - C:\WINDOWS\System32\mnmsrvc.exe
3S MSDTC (Distributed Transaction Coordinator) - C:\WINDOWS\System32\msdtc.exe
3S MSIServer (Windows Installer) - C:\WINDOWS\system32\msiexec.exe /V
4S NetDDE (Network DDE) - C:\WINDOWS\system32\netdde.exe
4S NetDDEdsdm (Network DDE DSDM) - C:\WINDOWS\system32\netdde.exe
3S Netlogon (Net Logon) - C:\WINDOWS\System32\lsass.exe
3R Netman (Network Connections) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3R Nla (Network Location Awareness (NLA)) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S NtLmSsp (NT LM Security Support Provider) - C:\WINDOWS\System32\lsass.exe
3S NtmsSvc (Removable Storage) - C:\WINDOWS\system32\svchost.exe -k netsvcs
2R PlugPlay (Plug and Play) - C:\WINDOWS\system32\services.exe
2R PolicyAgent (IPSEC Services) - C:\WINDOWS\System32\lsass.exe
2R ProtectedStorage (Protected Storage) - C:\WINDOWS\system32\lsass.exe
3S RasAuto (Remote Access Auto Connection Manager) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3R RasMan (Remote Access Connection Manager) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S RDSessMgr (Remote Desktop Help Session Manager) - C:\WINDOWS\system32\sessmgr.exe
4S RemoteAccess (Routing and Remote Access) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S RpcLocator (Remote Procedure Call (RPC) Locator) - C:\WINDOWS\System32\locator.exe
2R RpcSs (Remote Procedure Call (RPC)) - C:\WINDOWS\system32\svchost -k rpcss
3S RSVP (QoS RSVP) - C:\WINDOWS\System32\rsvp.exe
2R SamSs (Security Accounts Manager) - C:\WINDOWS\system32\lsass.exe
3S SCardSvr (Smart Card) - C:\WINDOWS\System32\SCardSvr.exe
2R Schedule (Task Scheduler) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R seclogon (Secondary Logon) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R SENS (System Event Notification) - C:\WINDOWS\system32\svchost.exe -k netsvcs
2R SharedAccess (Windows Firewall/Internet Connection Sharing (ICS)) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R ShellHWDetection (Shell Hardware Detection) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R SLService (SmartLinkService) - slserv.exe
2R Spooler (Print Spooler) - C:\WINDOWS\system32\spoolsv.exe
2R srservice (System Restore Service) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3R SSDPSRV (SSDP Discovery Service) - C:\WINDOWS\System32\svchost.exe -k LocalService
3R stisvc (Windows Image Acquisition (WIA)) - C:\WINDOWS\System32\svchost.exe -k imgsvc
3S SwPrv (MS Software Shadow Copy Provider) - C:\WINDOWS\System32\dllhost.exe /Processid:{44D932F2-9F4A-4C8C-AB75-991707832F89}
3S SysmonLog (Performance Logs and Alerts) - C:\WINDOWS\system32\smlogsvc.exe
3R TapiSrv (Telephony) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3R TermService (Terminal Services) - C:\WINDOWS\System32\svchost -k DComLaunch
2R Themes - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R TrkWks (Distributed Link Tracking Client) - C:\WINDOWS\system32\svchost.exe -k netsvcs
3S upnphost (Universal Plug and Play Device Host) - C:\WINDOWS\System32\svchost.exe -k LocalService
3S UPS (Uninterruptible Power Supply) - C:\WINDOWS\System32\ups.exe
3S VSS (Volume Shadow Copy) - C:\WINDOWS\System32\vssvc.exe
2R W32Time (Windows Time) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R WebClient - C:\WINDOWS\System32\svchost.exe -k LocalService
2R winmgmt (Windows Management Instrumentation) - C:\WINDOWS\system32\svchost.exe -k netsvcs
2R WMDM PMSP Service - C:\WINDOWS\System32\MsPMSPSv.exe
3S WmdmPmSN (Portable Media Serial Number Service) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S WmiApSrv (WMI Performance Adapter) - C:\WINDOWS\System32\wbem\wmiapsrv.exe
2R wscsvc (Security Center) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R wuauserv (Automatic Updates) - C:\WINDOWS\system32\svchost.exe -k netsvcs
2R WZCSVC (Wireless Zero Configuration) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S xmlprov (Network Provisioning Service) - C:\WINDOWS\System32\svchost.exe -k netsvcs


-- Files created between 2007-01-22 and 2007-02-22 ------------------------------

2007-02-22 16:57:59 0 d-------- C:\Program Files\HijackThis<HIJACK~1>
2007-02-22 13:19:14 0 d-------- C:\Documents and Settings\Byron\Application Data\Lavasoft
2007-02-22 13:17:35 0 d-------- C:\WINDOWS\system32\PreInstall<PREINS~1>
2007-02-22 13:12:25 21312 --a------ C:\WINDOWS\choice.exe
2007-02-22 13:10:53 0 d-------- C:\ie-spyad
2007-02-22 1346 0 d-------- C:\Program Files\SpywareGuard<SPYWAR~2>
2007-02-22 13:04:04 0 d-------- C:\Program Files\SpywareBlaster<SPYWAR~1>
2007-02-22 12:31:16 0 d-------- C:\WINDOWS\system32\ActiveScan<ACTIVE~1>
2007-02-22 12:26:24 0 d-------- C:\Program Files\Lavasoft
2007-02-22 12:25:27 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard<WISEIN~1>
2007-02-15 09:22:26 38912 --a------ C:\WINDOWS\system32\mfifirtf.dll
2007-02-15 09:22:25 112128 --a------ C:\WINDOWS\system32\lgysgcvc.dll
2007-02-15 08:50:58 74240 --a------ C:\WINDOWS\system32\fgbofgb.dll
2007-02-15 08:50:54 154624 --a------ C:\WINDOWS\system32\gqebeaaa.exe
2007-02-15 08:50:48 16384 --a------ C:\WINDOWS\system32\dtuwaaaa.exe
2007-02-15 08:50:48 10240 --a------ C:\WINDOWS\system\bplctw32.dll
2007-02-15 08:50:42 1046 --a------ C:\WINDOWS\system32\gngddbtm.exe
2007-02-15 08:16:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2007-02-15 08:16:13 0 d-------- C:\WINDOWS\Downloaded Installations<DOWNLO~2>
2007-02-02 12:57:48 60416 -----n--- C:\WINDOWS\system32\tzchange.exe
2007-02-02 12:54:27 18200 --a------ C:\WINDOWS\system32\wups2.dll


-- Find3M Report ----------------------------------------------------------------

2007-02-22 17:13:13 0 d-------- C:\Program Files\Messenger<MESSEN~1>
2007-02-22 17:11:24 0 d-------- C:\Program Files\FinePixViewer<FINEPI~1>
2007-02-22 17:10:53 0 d-------- C:\Program Files\Common Files\eAcceleration<EACCEL~1>
2007-02-20 20:36:46 0 d---s---- C:\Documents and Settings\Byron\Application Data\Microsoft<MICROS~1>
2007-02-15 08:42:22 0 d-------- C:\Program Files\Common Files\Adobe
2007-02-15 08:17:14 6 --a------ C:\Documents and Settings\Byron\Application Data\dm.ini
2007-02-15 08:17:14 1547 --a------ C:\Documents and Settings\Byron\Application Data\AdobeDLM.log
2007-02-15 08:16:58 0 d-------- C:\Documents and Settings\Byron\Application Data\Adobe


-- Registry Dump ----------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\Money Express.exe\""
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"WebScan"="\"C:\\Program Files\\Acceleration Software\\Anti-Virus\\stopsignav.exe\" -k"
"eanth_system_patcher"="\"C:\\Program Files\\Acceleration Software\\SystemPatcher\\sys_alert.exe\" /Startup"
"diagent"="\"C:\\Program Files\\Creative\\SBLive\\Diagnostics\\diagent.exe\" startup"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb05.exe"
"MoneyStartUp10.0"="\"C:\\Program Files\\Microsoft Money\\System\\Activation.exe\""
"REGSHAVE"="C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
"MMTray"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"
"StopSignSsTsMon"="Rundll32.exe \"C:\\Program Files\\Acceleration Software\\Anti-Virus\\sstsmon.dll\",VerifyStatus"
"StopSignSsFwMon"="Rundll32.exe \"C:\\Program Files\\Acceleration Software\\StopSignProducts\\Firewall\\ssfwmon.dll\",VerifyStatus"
"SoftwareStation"="\"C:\\Program Files\\eAcceleration\\Station\\station.exe\" /b Startup"
"AGRSMMSG"="AGRSMMSG.exe"
"OnAccess"="\"C:\\Program Files\\eAcceleration\\OnAccess\\OnAccess.exe\" -e"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{1A42F606-3E21-4AB5-9565-E7C8EF6B0929}"="eAcceleration OnAccess"
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\lzxyepaw

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0



-- End of ComboScan: finished at 2007-02-22 at 17:26:12 -------------------------
Attached Files
File Type: txt Supplementary.txt (9.8 KB, 0 views)
Byron_T is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Important Information
Join the #1 Tech Support Forum Today - It's Totally Free!

TechSupportForum.com is a leading support website for your computer needs. We offer free, friendly and personalized computer support. Why pay to have your computer fixed when you can do it for free.

Join TechSupportforum.com Today - Click Here

Old 02-26-2007, 06:35 AM   #2 (permalink)
Registered User
 
Join Date: Feb 2007
Location: Andalusia, AL
Posts: 15
OS: Windows XP


Bump!
Byron_T is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-02-2007, 06:12 AM   #3 (permalink)
Registered User
 
Join Date: Feb 2007
Location: Andalusia, AL
Posts: 15
OS: Windows XP


When someone finally gets to my problem I'll probably need to run ComboScan again since it's been over a week since the log above. Another problem I'm having is my CD drive does not recognize any discs.
Byron_T is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-08-2007, 03:08 PM   #4 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,322
OS: N/A


Sorry for the delay but we're a bit short handed at the moment. It's been sometime since the last log was posted. If you still require assistance, please post a fresh log.

I'm subscribed to this thread & would be notified of your reply.
__________________

Question - what have you done for the community today?
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-09-2007, 06:57 AM   #5 (permalink)
Registered User
 
Join Date: Feb 2007
Location: Andalusia, AL
Posts: 15
OS: Windows XP


I ran ComboScan again but it is not creating the supplemetary file this time. It looks like the main log is also shorter. I don't know if this is normal or not but I ran it twice and this is all it did. I also have two .exe files that have appeared on my computer. Update.exe has appeared on my desktop and x.exe appeared on the C drive but it looks like it is gone now(?).Thanks in advance for any help you provide and don't worry about the delay, I know you stay busy with everything.



ComboScan v20070221.16 run by Byron on 2007-03-09 at 07:47:12
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Byron.exe) ------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 7:47:47 AM, on 3/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe
C:\Program Files\Acceleration Software\SystemPatcher\sys_alert.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Acceleration Software\StopSignProducts\Firewall\FWService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\eAcceleration\Station\station.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\eAcceleration\OnAccess\dguard.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\eAcceleration\OnAccess\OnAccess.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\eAcceleration\OnAccess\scan.exe
C:\Documents and Settings\Byron\Desktop\comboscan.exe
C:\Program Files\HijackThis\Byron.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.alaweb.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.alaweb.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AlaWeb Internet Services
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O1 - Hosts: 12.129.205.209 search.netscape.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Image Helper - {31677ADF-17D9-5516-E17D-3E459D631863} - C:\WINDOWS\system\bplctw32.dll (file missing)
O2 - BHO: (no name) - {36645342-9475-2663-166A-466739207346} - C:\WINDOWS\system32\ipv6mote.dll (file missing)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {B753C7C5-0942-4b7f-BC27-942B52BDAC66} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse0.dll
O2 - BHO: (no name) - {ED000712-05BF-4193-B0AA-2C992EB291A6} - C:\WINDOWS\system32\fgbofgb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [WebScan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
O4 - HKLM\..\Run: [eanth_system_patcher] "C:\Program Files\Acceleration Software\SystemPatcher\sys_alert.exe" /Startup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [StopSignSsTsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll",VerifyStatus
O4 - HKLM\..\Run: [StopSignSsFwMon] Rundll32.exe "C:\Program Files\Acceleration Software\StopSignProducts\Firewall\ssfwmon.dll",VerifyStatus
O4 - HKLM\..\Run: [SoftwareStation] "C:\Program Files\eAcceleration\Station\station.exe" /b Startup
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [OnAccess] "C:\Program Files\eAcceleration\OnAccess\OnAccess.exe" -e
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {24BE56F9-F0B6-4ac7-97F1-8CACEDA9A427} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse0.dll
O9 - Extra 'Tools' menuitem: Block This Page - {24BE56F9-F0B6-4ac7-97F1-8CACEDA9A427} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse0.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.alaweb.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1170442429653
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1170442419824
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: lzxyepaw - C:\WINDOWS\SYSTEM32\fgbofgb.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: FWService - eAcceleration Corp. - C:\Program Files\Acceleration Software\StopSignProducts\Firewall\FWService.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe


-- Files created between 2007-02-09 and 2007-03-09 ------------------------------

2007-02-26 21:10:03 29852 --a------ C:\WINDOWS\awbtby.exe
2007-02-22 16:57:59 0 d-------- C:\Program Files\HijackThis<HIJACK~1>
2007-02-22 13:19:14 0 d-------- C:\Documents and Settings\Byron\Application Data\Lavasoft
2007-02-22 13:17:35 0 d-------- C:\WINDOWS\system32\PreInstall<PREINS~1>
2007-02-22 13:12:25 21312 --a------ C:\WINDOWS\choice.exe
2007-02-22 13:10:53 0 d-------- C:\ie-spyad
2007-02-22 1346 0 d-------- C:\Program Files\SpywareGuard<SPYWAR~2>
2007-02-22 13:04:04 0 d-------- C:\Program Files\SpywareBlaster<SPYWAR~1>
2007-02-22 12:31:16 0 d-------- C:\WINDOWS\system32\ActiveScan<ACTIVE~1>
2007-02-22 12:26:24 0 d-------- C:\Program Files\Lavasoft
2007-02-22 12:25:27 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard<WISEIN~1>
2007-02-15 09:22:26 38912 --a------ C:\WINDOWS\system32\mfifirtf.dll
2007-02-15 09:22:25 111616 --a------ C:\WINDOWS\system32\lgysgcvc.dll
2007-02-15 08:50:58 76800 --a------ C:\WINDOWS\system32\fgbofgb.dll
2007-02-15 08:50:54 154624 --a------ C:\WINDOWS\system32\gqebeaaa.exe
2007-02-15 08:50:48 16384 --a------ C:\WINDOWS\system32\dtuwaaaa.exe
2007-02-15 08:50:42 1046 --a------ C:\WINDOWS\system32\gngddbtm.exe
2007-02-15 08:16:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2007-02-15 08:16:13 0 d-------- C:\WINDOWS\Downloaded Installations<DOWNLO~2>


-- Find3M Report ----------------------------------------------------------------

2007-03-07 07:39:14 0 d-------- C:\Documents and Settings\Byron\Application Data\eAcceleration<EACCEL~1>
2007-02-22 17:13:13 0 d-------- C:\Program Files\Messenger<MESSEN~1>
2007-02-22 17:11:24 0 d-------- C:\Program Files\FinePixViewer<FINEPI~1>
2007-02-22 17:10:53 0 d-------- C:\Program Files\Common Files\eAcceleration<EACCEL~1>
2007-02-20 20:36:46 0 d---s---- C:\Documents and Settings\Byron\Application Data\Microsoft<MICROS~1>
2007-02-15 08:42:22 0 d-------- C:\Program Files\Common Files\Adobe
2007-02-15 08:17:14 6 --a------ C:\Documents and Settings\Byron\Application Data\dm.ini
2007-02-15 08:17:14 1547 --a------ C:\Documents and Settings\Byron\Application Data\AdobeDLM.log
2007-02-15 08:16:58 0 d-------- C:\Documents and Settings\Byron\Application Data\Adobe


-- Registry Dump ----------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\Money Express.exe\""
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"WebScan"="\"C:\\Program Files\\Acceleration Software\\Anti-Virus\\stopsignav.exe\" -k"
"eanth_system_patcher"="\"C:\\Program Files\\Acceleration Software\\SystemPatcher\\sys_alert.exe\" /Startup"
"diagent"="\"C:\\Program Files\\Creative\\SBLive\\Diagnostics\\diagent.exe\" startup"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb05.exe"
"MoneyStartUp10.0"="\"C:\\Program Files\\Microsoft Money\\System\\Activation.exe\""
"REGSHAVE"="C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
"MMTray"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"
"StopSignSsTsMon"="Rundll32.exe \"C:\\Program Files\\Acceleration Software\\Anti-Virus\\sstsmon.dll\",VerifyStatus"
"StopSignSsFwMon"="Rundll32.exe \"C:\\Program Files\\Acceleration Software\\StopSignProducts\\Firewall\\ssfwmon.dll\",VerifyStatus"
"SoftwareStation"="\"C:\\Program Files\\eAcceleration\\Station\\station.exe\" /b Startup"
"AGRSMMSG"="AGRSMMSG.exe"
"OnAccess"="\"C:\\Program Files\\eAcceleration\\OnAccess\\OnAccess.exe\" -e"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{1A42F606-3E21-4AB5-9565-E7C8EF6B0929}"="eAcceleration OnAccess"
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"system"="C:\\WINDOWS\\csrss.exe"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\lzxyepaw

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0



-- End of ComboScan: finished at 2007-03-09 at 07:48:04 -------------------------
Byron_T is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-09-2007, 07:03 AM   #6 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,530
OS: WinXP and Vista


Hello Byron_T,

You have one of the newest variations of an infection and we need as much information as we can get. Please do the following to produce a full ComboScan run:

Click the Windows 'Start' button > Select 'Run' - then copy/paste this into the run box & click OK
"%userprofile%\desktop\comboscan.exe" /config
A box will pop up. There should already be a check mark next to 'ComboScan Log' and a few categories below that. Place a 'check' next to everything under the ComboScan Log category.

'Check' the SupplementaryLog Category
In the list below it, 'check' Add/Remove programs

Click Scan!

When finished, it shall produce a log for you. Post that log in your next reply.

-------------------------------------------------------

Please run the following tool as well:

Please download SREng.

**You may receive a message "The bandwidth limit for this site has been exceeded", please keep trying--eventually you'll get through.

1. Extract it to Desktop & double click SREng.exe to run it

2. Select 'Smart Scan' & tick "Verify Digital Signatures"

3. Click on the [Scan] button

4. When finished, click on the [Save Reports] button & save the log to Desktop

5. Attach the log in your next reply. Dont post it.

You may have to rename SREngLOG.log to SREngLOG.txt to upload it.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-09-2007, 07:36 AM   #7 (permalink)
Registered User
 
Join Date: Feb 2007
Location: Andalusia, AL
Posts: 15
OS: Windows XP


Here is what you asked for.


ComboScan v20070221.16 run by Byron on 2007-03-09 at 08:21:11
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Successfully created restore point.
Performed disk cleanup.


-- HijackThis (run as Byron.exe) ------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 8:21:51 AM, on 3/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe
C:\Program Files\Acceleration Software\SystemPatcher\sys_alert.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Acceleration Software\StopSignProducts\Firewall\FWService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\eAcceleration\Station\station.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\eAcceleration\OnAccess\dguard.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\eAcceleration\OnAccess\OnAccess.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\eAcceleration\OnAccess\scan.exe
C:\Documents and Settings\Byron\desktop\comboscan.exe
C:\Program Files\HijackThis\Byron.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.alaweb.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.alaweb.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AlaWeb Internet Services
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O1 - Hosts: 12.129.205.209 search.netscape.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Image Helper - {31677ADF-17D9-5516-E17D-3E459D631863} - C:\WINDOWS\system\bplctw32.dll (file missing)
O2 - BHO: (no name) - {36645342-9475-2663-166A-466739207346} - C:\WINDOWS\system32\ipv6mote.dll (file missing)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {B753C7C5-0942-4b7f-BC27-942B52BDAC66} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse0.dll
O2 - BHO: (no name) - {ED000712-05BF-4193-B0AA-2C992EB291A6} - C:\WINDOWS\system32\fgbofgb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [WebScan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
O4 - HKLM\..\Run: [eanth_system_patcher] "C:\Program Files\Acceleration Software\SystemPatcher\sys_alert.exe" /Startup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [StopSignSsTsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll",VerifyStatus
O4 - HKLM\..\Run: [StopSignSsFwMon] Rundll32.exe "C:\Program Files\Acceleration Software\StopSignProducts\Firewall\ssfwmon.dll",VerifyStatus
O4 - HKLM\..\Run: [SoftwareStation] "C:\Program Files\eAcceleration\Station\station.exe" /b Startup
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [OnAccess] "C:\Program Files\eAcceleration\OnAccess\OnAccess.exe" -e
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {24BE56F9-F0B6-4ac7-97F1-8CACEDA9A427} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse0.dll
O9 - Extra 'Tools' menuitem: Block This Page - {24BE56F9-F0B6-4ac7-97F1-8CACEDA9A427} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse0.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.alaweb.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1170442429653
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1170442419824
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: lzxyepaw - C:\WINDOWS\SYSTEM32\fgbofgb.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: FWService - eAcceleration Corp. - C:\Program Files\Acceleration Software\StopSignProducts\Firewall\FWService.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe


-- File Associations ------------------------------------------------------------

.bat - batfile - "%1" %*
.chm - chm.file - "C:\WINDOWS\hh.exe" %1
.cmd - cmdfile - "%1" %*
.com - comfile - "%1" %*
.exe - exefile - "%1" %*
.hlp - hlpfile - %SystemRoot%\System32\winhlp32.exe %1
.inf - inffile - %SystemRoot%\System32\NOTEPAD.EXE %1
.ini - inifile - %SystemRoot%\System32\NOTEPAD.EXE %1
.js - JSFile - %SystemRoot%\System32\WScript.exe "%1" %*
.lnk - lnkfile - {00021401-0000-0000-C000-000000000046}
.pif - piffile - "%1" %*
.reg - regfile - regedit.exe "%1"
.scr - scrfile - %1
.txt - txtfile - %SystemRoot%\system32\NOTEPAD.EXE %1
.vbs - VBSFile - %SystemRoot%\System32\WScript.exe "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ----------------------

3R AgereSoftModem (Agere Systems Soft Modem) - C:\WINDOWS\system32\drivers\AGRSM.sys
3S basic2 - C:\WINDOWS\system32\drivers\HSF_BSC2.sys
1R Cdr4_xp - C:\WINDOWS\system32\drivers\cdr4_xp.sys
1R Cdralw2k - C:\WINDOWS\system32\drivers\cdralw2k.sys
1R cdudf_xp - C:\WINDOWS\system32\drivers\cdudf_xp.sys
3S dvd_2K - C:\WINDOWS\system32\drivers\Dvd_2k.sys
3R E100B (Intel(R) PRO Adapter Driver) - C:\WINDOWS\system32\drivers\e100b325.sys
2R Fallback - C:\WINDOWS\system32\drivers\HSF_FALL.sys
2R Fsks - C:\WINDOWS\system32\drivers\HSF_FSKS.sys
0R fwcore - C:\WINDOWS\system32\drivers\fwcore.sys
3S HCF_MSFT - C:\WINDOWS\system32\drivers\HCF_MSFT.sys
3S HSFHWBS2 - C:\WINDOWS\system32\drivers\hsfbs2s2.sys
3S HSF_DP - C:\WINDOWS\system32\drivers\hsfdpsp2.sys
3S hsf_msft - C:\WINDOWS\system32\drivers\HSF_MSFT.sys
1R intelppm (Intel Processor Driver) - C:\WINDOWS\system32\drivers\intelppm.sys
2R K56 - C:\WINDOWS\system32\drivers\HSF_K56K.sys
0R lqwkkueq (Microsoft RPC API Helper) - C:\WINDOWS\system32\drivers\hdzxgjen.sys (not found)
2R MASPINT - C:\WINDOWS\system32\drivers\MASPINT.SYS
2R mdmxsdk - C:\WINDOWS\system32\drivers\mdmxsdk.sys
3R mmc_2K - C:\WINDOWS\system32\drivers\Mmc_2k.sys
3R MODEMCSA (Unimodem Streaming Filter Device) - C:\WINDOWS\system32\drivers\MODEMCSA.sys
3S Mtlmnt5 - C:\WINDOWS\system32\drivers\mtlmnt5.sys
3S Mtlstrm - C:\WINDOWS\system32\drivers\mtlstrm.sys
3R MxlW2k - C:\WINDOWS\system32\drivers\MxlW2k.sys
3S NtMtlFax - C:\WINDOWS\system32\drivers\ntmtlfax.sys
3R nv - C:\WINDOWS\system32\drivers\nv4_mini.sys
1R OMCI - C:\WINDOWS\system32\drivers\omci.sys
3R P16X (Creative SB Live! Series (WDM)) - C:\WINDOWS\system32\drivers\P16X.sys
2R PfModNT - C:\WINDOWS\system32\PFMODNT.SYS
1R pwd_2k - C:\WINDOWS\system32\drivers\pwd_2K.sys
0R RecAgent - C:\WINDOWS\system32\drivers\recagent.sys
3S Rksample - C:\WINDOWS\system32\drivers\HSF_SAMP.sys
1S SbcpHid - C:\WINDOWS\system32\drivers\SbcpHid.sys
3S Slntamr (Smart Link 56K Modem Driver) - C:\WINDOWS\system32\drivers\slntamr.sys
3S SlNtHal - C:\WINDOWS\system32\drivers\slnthal.sys
3S SlWdmSup - C:\WINDOWS\system32\drivers\slwdmsup.sys
2R SoftFax - C:\WINDOWS\system32\drivers\HSF_FAXX.sys
2R SpeakerPhone - C:\WINDOWS\system32\drivers\HSF_SPKP.sys
2R Tones - C:\WINDOWS\system32\drivers\HSF_TONE.sys
1R UdfReadr_xp - C:\WINDOWS\system32\drivers\udfreadr_xp.sys
3R usbehci (Microsoft USB 2.0 Enhanced Host Controller Miniport Driver) - C:\WINDOWS\system32\drivers\usbehci.sys
3S USBSTOR (USB Mass Storage Driver) - C:\WINDOWS\system32\drivers\USBSTOR.SYS
2R V124 - C:\WINDOWS\system32\drivers\HSF_V124.sys
3S winachsf - C:\WINDOWS\system32\drivers\hsfcxts2.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

4S Alerter - C:\WINDOWS\System32\svchost.exe -k LocalService
3R ALG (Application Layer Gateway Service) - C:\WINDOWS\System32\alg.exe
3S AppMgmt (Application Management) - C:\WINDOWS\system32\svchost.exe -k netsvcs
2R AudioSrv (Windows Audio) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3R BITS (Background Intelligent Transfer Service) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2S Browser (Computer Browser) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S CiSvc (Indexing Service) - C:\WINDOWS\system32\cisvc.exe
4S ClipSrv (ClipBook) - C:\WINDOWS\system32\clipsrv.exe
3S COMSysApp (COM+ System Application) - C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
2R Creative Service for CDROM Access - C:\WINDOWS\System32\CTsvcCDA.exe
2R CryptSvc (Cryptographic Services) - C:\WINDOWS\system32\svchost.exe -k netsvcs
2R DcomLaunch (DCOM Server Process Launcher) - C:\WINDOWS\system32\svchost -k DcomLaunch
2R Dhcp (DHCP Client) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S dmadmin (Logical Disk Manager Administrative Service) - C:\WINDOWS\System32\dmadmin.exe /com
3S dmserver (Logical Disk Manager) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R Dnscache (DNS Client) - C:\WINDOWS\System32\svchost.exe -k NetworkService
2R ERSvc (Error Reporting Service) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R Eventlog (Event Log) - C:\WINDOWS\system32\services.exe
3R EventSystem (COM+ Event System) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3R FastUserSwitchingCompatibility (Fast User Switching Compatibility) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R FWService - C:\Program Files\Acceleration Software\StopSignProducts\Firewall\FWService.exe -Service
2R helpsvc (Help and Support) - C:\WINDOWS\System32\svchost.exe -k netsvcs
4S HidServ (Human Interface Device Access) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S HTTPFilter (HTTP SSL) - C:\WINDOWS\System32\svchost.exe -k HTTPFilter
3S ImapiService (IMAPI CD-Burning COM Service) - C:\WINDOWS\System32\Imapi.exe
2R lanmanserver (Server) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R lanmanworkstation (Workstation) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R LmHosts (TCP/IP NetBIOS Helper) - C:\WINDOWS\System32\svchost.exe -k LocalService
4S Messenger - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S mnmsrvc (NetMeeting Remote Desktop Sharing) - C:\WINDOWS\System32\mnmsrvc.exe
3S MSDTC (Distributed Transaction Coordinator) - C:\WINDOWS\System32\msdtc.exe
3S MSIServer (Windows Installer) - C:\WINDOWS\system32\msiexec.exe /V
4S NetDDE (Network DDE) - C:\WINDOWS\system32\netdde.exe
4S NetDDEdsdm (Network DDE DSDM) - C:\WINDOWS\system32\netdde.exe
3S Netlogon (Net Logon) - C:\WINDOWS\System32\lsass.exe
3R Netman (Network Connections) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3R Nla (Network Location Awareness (NLA)) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S NtLmSsp (NT LM Security Support Provider) - C:\WINDOWS\System32\lsass.exe
3S NtmsSvc (Removable Storage) - C:\WINDOWS\system32\svchost.exe -k netsvcs
2R PlugPlay (Plug and Play) - C:\WINDOWS\system32\services.exe
2R PolicyAgent (IPSEC Services) - C:\WINDOWS\System32\lsass.exe
2R ProtectedStorage (Protected Storage) - C:\WINDOWS\system32\lsass.exe
3S RasAuto (Remote Access Auto Connection Manager) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3R RasMan (Remote Access Connection Manager) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S RDSessMgr (Remote Desktop Help Session Manager) - C:\WINDOWS\system32\sessmgr.exe
4S RemoteAccess (Routing and Remote Access) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S RpcLocator (Remote Procedure Call (RPC) Locator) - C:\WINDOWS\System32\locator.exe
2R RpcSs (Remote Procedure Call (RPC)) - C:\WINDOWS\system32\svchost -k rpcss
3S RSVP (QoS RSVP) - C:\WINDOWS\System32\rsvp.exe
2R SamSs (Security Accounts Manager) - C:\WINDOWS\system32\lsass.exe
3S SCardSvr (Smart Card) - C:\WINDOWS\System32\SCardSvr.exe
2R Schedule (Task Scheduler) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R seclogon (Secondary Logon) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R SENS (System Event Notification) - C:\WINDOWS\system32\svchost.exe -k netsvcs
2R SharedAccess (Windows Firewall/Internet Connection Sharing (ICS)) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R ShellHWDetection (Shell Hardware Detection) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R SLService (SmartLinkService) - slserv.exe
2R Spooler (Print Spooler) - C:\WINDOWS\system32\spoolsv.exe
2R srservice (System Restore Service) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3R SSDPSRV (SSDP Discovery Service) - C:\WINDOWS\System32\svchost.exe -k LocalService
3R stisvc (Windows Image Acquisition (WIA)) - C:\WINDOWS\System32\svchost.exe -k imgsvc
3S SwPrv (MS Software Shadow Copy Provider) - C:\WINDOWS\System32\dllhost.exe /Processid:{44D932F2-9F4A-4C8C-AB75-991707832F89}
3S SysmonLog (Performance Logs and Alerts) - C:\WINDOWS\system32\smlogsvc.exe
3R TapiSrv (Telephony) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3R TermService (Terminal Services) - C:\WINDOWS\System32\svchost -k DComLaunch
2R Themes - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R TrkWks (Distributed Link Tracking Client) - C:\WINDOWS\system32\svchost.exe -k netsvcs
3S upnphost (Universal Plug and Play Device Host) - C:\WINDOWS\System32\svchost.exe -k LocalService
3S UPS (Uninterruptible Power Supply) - C:\WINDOWS\System32\ups.exe
3S VSS (Volume Shadow Copy) - C:\WINDOWS\System32\vssvc.exe
2R W32Time (Windows Time) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R WebClient - C:\WINDOWS\System32\svchost.exe -k LocalService
2R winmgmt (Windows Management Instrumentation) - C:\WINDOWS\system32\svchost.exe -k netsvcs
2R WMDM PMSP Service - C:\WINDOWS\System32\MsPMSPSv.exe
3S WmdmPmSN (Portable Media Serial Number Service) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S WmiApSrv (WMI Performance Adapter) - C:\WINDOWS\System32\wbem\wmiapsrv.exe
2R wscsvc (Security Center) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R wuauserv (Automatic Updates) - C:\WINDOWS\system32\svchost.exe -k netsvcs
2R WZCSVC (Wireless Zero Configuration) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S xmlprov (Network Provisioning Service) - C:\WINDOWS\System32\svchost.exe -k netsvcs


-- Files created between 2007-02-09 and 2007-03-09 ------------------------------

2007-02-26 21:10:03 29852 --a------ C:\WINDOWS\awbtby.exe
2007-02-22 16:57:59 0 d-------- C:\Program Files\HijackThis<HIJACK~1>
2007-02-22 13:19:14 0 d-------- C:\Documents and Settings\Byron\Application Data\Lavasoft
2007-02-22 13:17:35 0 d-------- C:\WINDOWS\system32\PreInstall<PREINS~1>
2007-02-22 13:12:25 21312 --a------ C:\WINDOWS\choice.exe
2007-02-22 13:10:53 0 d-------- C:\ie-spyad
2007-02-22 1346 0 d-------- C:\Program Files\SpywareGuard<SPYWAR~2>
2007-02-22 13:04:04 0 d-------- C:\Program Files\SpywareBlaster<SPYWAR~1>
2007-02-22 12:31:16 0 d-------- C:\WINDOWS\system32\ActiveScan<ACTIVE~1>
2007-02-22 12:26:24 0 d-------- C:\Program Files\Lavasoft
2007-02-22 12:25:27 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard<WISEIN~1>
2007-02-15 09:22:26 38912 --a------ C:\WINDOWS\system32\mfifirtf.dll
2007-02-15 09:22:25 111616 --a------ C:\WINDOWS\system32\lgysgcvc.dll
2007-02-15 08:50:58 76800 --a------ C:\WINDOWS\system32\fgbofgb.dll
2007-02-15 08:50:54 154624 --a------ C:\WINDOWS\system32\gqebeaaa.exe
2007-02-15 08:50:48 16384 --a------ C:\WINDOWS\system32\dtuwaaaa.exe
2007-02-15 08:50:42 1046 --a------ C:\WINDOWS\system32\gngddbtm.exe
2007-02-15 08:16:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2007-02-15 08:16:13 0 d-------- C:\WINDOWS\Downloaded Installations<DOWNLO~2>


-- Find3M Report ----------------------------------------------------------------

2007-03-07 07:39:14 0 d-------- C:\Documents and Settings\Byron\Application Data\eAcceleration<EACCEL~1>
2007-02-22 17:13:13 0 d-------- C:\Program Files\Messenger<MESSEN~1>
2007-02-22 17:11:24 0 d-------- C:\Program Files\FinePixViewer<FINEPI~1>
2007-02-22 17:10:53 0 d-------- C:\Program Files\Common Files\eAcceleration<EACCEL~1>
2007-02-20 20:36:46 0 d---s---- C:\Documents and Settings\Byron\Application Data\Microsoft<MICROS~1>
2007-02-15 08:42:22 0 d-------- C:\Program Files\Common Files\Adobe
2007-02-15 08:17:14 6 --a------ C:\Documents and Settings\Byron\Application Data\dm.ini
2007-02-15 08:17:14 1547 --a------ C:\Documents and Settings\Byron\Application Data\AdobeDLM.log
2007-02-15 08:16:58 0 d-------- C:\Documents and Settings\Byron\Application Data\Adobe


-- Registry Dump ----------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\Money Express.exe\""
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"WebScan"="\"C:\\Program Files\\Acceleration Software\\Anti-Virus\\stopsignav.exe\" -k"
"eanth_system_patcher"="\"C:\\Program Files\\Acceleration Software\\SystemPatcher\\sys_alert.exe\" /Startup"
"diagent"="\"C:\\Program Files\\Creative\\SBLive\\Diagnostics\\diagent.exe\" startup"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb05.exe"
"MoneyStartUp10.0"="\"C:\\Program Files\\Microsoft Money\\System\\Activation.exe\""
"REGSHAVE"="C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
"MMTray"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"
"StopSignSsTsMon"="Rundll32.exe \"C:\\Program Files\\Acceleration Software\\Anti-Virus\\sstsmon.dll\",VerifyStatus"
"StopSignSsFwMon"="Rundll32.exe \"C:\\Program Files\\Acceleration Software\\StopSignProducts\\Firewall\\ssfwmon.dll\",VerifyStatus"
"SoftwareStation"="\"C:\\Program Files\\eAcceleration\\Station\\station.exe\" /b Startup"
"AGRSMMSG"="AGRSMMSG.exe"
"OnAccess"="\"C:\\Program Files\\eAcceleration\\OnAccess\\OnAccess.exe\" -e"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{1A42F606-3E21-4AB5-9565-E7C8EF6B0929}"="eAcceleration OnAccess"
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"system"="C:\\WINDOWS\\csrss.exe"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\lzxyepaw

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0



-- End of ComboScan: finished at 2007-03-09 at 08:22:10 -------------------------
Attached Files
File Type: txt Supplementary.txt (7.9 KB, 0 views)
File Type: txt SREngLOG.txt (20.6 KB, 6 views)
Byron_T is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-09-2007, 08:04 AM   #8 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,530
OS: WinXP and Vista


Thank you. Please give us time to review these logs and determine a course of action.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-09-2007, 11:22 AM   #9 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,322
OS: N/A


Alright Byron, here's what we shall do ....


Open notepad and copy/paste the text in the quotebox below:
(don't forget to copy and paste REGEDIT4)

Quote:
REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="\"%1\" /S"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=-
"DisableTaskMgr"=-
Save this as fix.reg Choose to "Save type as - All Files"
It should look like this:
Double click on fix.reg & allow it to merge into the registry


---------------


1. Download this file -> ComboFix.exe
** Disconnect from the internet once the download has finished

2. Double click on combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log & a fresh SRENG log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
__________________

Question - what have you done for the community today?
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-09-2007, 11:25 AM   #10 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,322
OS: N/A


In your next reply, please tell me how long you have had StopSign as your security provider. If it's not too much trouble, please share with us your impression of the product
__________________

Question - what have you done for the community today?
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-09-2007, 11:28 AM   #11 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,322
OS: N/A


You may delete these files after ComboFix has finished running:

C:\WINDOWS\awbtby.exe
C:\WINDOWS\system32\mfifirtf.dll
C:\WINDOWS\system32\gqebeaaa.exe
C:\WINDOWS\system32\dtuwaaaa.exe
C:\WINDOWS\system32\gngddbtm.exe
__________________

Question - what have you done for the community today?
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-09-2007, 11:38 AM   #12 (permalink)
Registered User
 
Join Date: Feb 2007
Location: Andalusia, AL
Posts: 15
OS: Windows XP


I did the registry fix and then downloaded ComboFix. During the scan the computer shut down Windows and a blue screen came up that said something about shutting down Windows to protect my computer. Don't remember everything it had but I had to restart the computer to get going again.

As far as StopSign goes I've had it for a little over a year and this is the first time anything has gotten through it. It updates regularly and I have not had any problems with it.
Byron_T is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-09-2007, 11:39 AM   #13 (permalink)
Registered User
 
Join Date: Feb 2007
Location: Andalusia, AL
Posts: 15
OS: Windows XP


I can try and run ComboFix again but I wanted to check here before I did anything else.
Byron_T is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-09-2007, 11:43 AM   #14 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,322
OS: N/A


Please try once more.
__________________

Question - what have you done for the community today?
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-09-2007, 12:08 PM   #15 (permalink)
Registered User
 
Join Date: Feb 2007
Location: Andalusia, AL
Posts: 15
OS: Windows XP


Here is the ComboFix log. It shut down windows again and I had to reboot but when the system booted back up ComboFix finished and gave me this log. I also ran SRENG again and attached the log. I have also attached two pictures to show you what the computer did while running ComboFix. The first picture shows what it said when it first shut down. The second picture is where it froze while it was rebooting the first time. On the second reboot it started up and finished the ComboFix log. Don't really know what all this means.


"Byron" - 07-03-09 12:45:33 Service Pack 2
ComboFix 07-03-09.3 - Running from: "C:\Documents and Settings\Byron\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\drivers\hdzxgjen.sys
C:\WINDOWS\system32\fgbofgb.dll
C:\WINDOWS\system32\fgbofgb.dll


((((((((((((((((((((((((((((((( Files Created from 2007-02-09 to 2007-03-09 ))))))))))))))))))))))))))))))))))


2007-03-09 12:47 <DIR> d-------- C:\WINDOWS\ERDNT
2007-02-26 21:10 29,852 --a------ C:\WINDOWS\awbtby.exe
2007-02-22 13:19 <DIR> d-------- C:\DOCUME~1\Byron\APPLIC~1\Lavasoft
2007-02-22 13:17 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-02-22 13:12 21,312 --a------ C:\WINDOWS\choice.exe
2007-02-22 13:10 <DIR> d-------- C:\ie-spyad
2007-02-22 13:06 <DIR> d-------- C:\Program Files\SpywareGuard
2007-02-22 13:04 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-02-22 12:31 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-02-22 12:26 <DIR> d-------- C:\Program Files\Lavasoft
2007-02-22 12:25 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-02-15 09:22 38,912 --a------ C:\WINDOWS\system32\mfifirtf.dll
2007-02-15 09:22 111,616 --a------ C:\WINDOWS\system32\lgysgcvc.dll
2007-02-15 08:50 16,384 --a------ C:\WINDOWS\system32\dtuwaaaa.exe
2007-02-15 08:50 154,624 --a------ C:\WINDOWS\system32\gqebeaaa.exe
2007-02-15 08:50 1,046 --a------ C:\WINDOWS\system32\gngddbtm.exe
2007-02-15 08:16 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-02-15 08:16 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-07 07:39 -------- d-------- C:\DOCUME~1\Byron\APPLIC~1\eacceleration
2007-02-22 17:13 -------- d-------- C:\Program Files\messenger
2007-02-22 17:11 -------- d-------- C:\Program Files\finepixviewer
2007-02-22 17:10 -------- d-------- C:\Program Files\Common Files\eacceleration
2007-02-20 20:36 -------- d---s---- C:\DOCUME~1\Byron\APPLIC~1\microsoft
2007-02-15 08:42 -------- d-------- C:\Program Files\Common Files\adobe
2007-02-15 08:17 6 --a------ C:\DOCUME~1\Byron\APPLIC~1\dm.ini
2007-02-15 08:17 1547 --a------ C:\DOCUME~1\Byron\APPLIC~1\adobedlm.log
2007-02-15 08:16 -------- d-------- C:\DOCUME~1\Byron\APPLIC~1\adobe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\Money Express.exe\""
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"WebScan"="\"C:\\Program Files\\Acceleration Software\\Anti-Virus\\stopsignav.exe\" -k"
"eanth_system_patcher"="\"C:\\Program Files\\Acceleration Software\\SystemPatcher\\sys_alert.exe\" /Startup"
"diagent"="\"C:\\Program Files\\Creative\\SBLive\\Diagnostics\\diagent.exe\" startup"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb05.exe"
"MoneyStartUp10.0"="\"C:\\Program Files\\Microsoft Money\\System\\Activation.exe\""
"REGSHAVE"="C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
"MMTray"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"
"StopSignSsTsMon"="Rundll32.exe \"C:\\Program Files\\Acceleration Software\\Anti-Virus\\sstsmon.dll\",VerifyStatus"
"StopSignSsFwMon"="Rundll32.exe \"C:\\Program Files\\Acceleration Software\\StopSignProducts\\Firewall\\ssfwmon.dll\",VerifyStatus"
"SoftwareStation"="\"C:\\Program Files\\eAcceleration\\Station\\station.exe\" /b Startup"
"AGRSMMSG"="AGRSMMSG.exe"
"OnAccess"="\"C:\\Program Files\\eAcceleration\\OnAccess\\OnAccess.exe\" -e"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{1A42F606-3E21-4AB5-9565-E7C8EF6B0929}"="eAcceleration OnAccess"
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=""

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0



********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-03-09 12:53:42
Attached Images
File Type: jpg DSCF0117.JPG (319.5 KB, 10 views)
File Type: jpg DSCF0120.JPG (327.0 KB, 8 views)
Attached Files
File Type: txt SREngLOG.txt (20.0 KB, 1 views)
Byron_T is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-09-2007, 12:14 PM   #16 (permalink)
Registered User
 
Join Date: Feb 2007
Location: Andalusia, AL
Posts: 15
OS: Windows XP


Quote:
Originally Posted by sUBs View Post
You may delete these files after ComboFix has finished running:

C:\WINDOWS\awbtby.exe
C:\WINDOWS\system32\mfifirtf.dll
C:\WINDOWS\system32\gqebeaaa.exe
C:\WINDOWS\system32\dtuwaaaa.exe
C:\WINDOWS\system32\gngddbtm.exe
I also deleted these files after I ran ComboFix.
Byron_T is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-09-2007, 12:14 PM   #17 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,322
OS: N/A


Byron, did you encounter any difficulties deleting these files:

C:\WINDOWS\awbtby.exe
C:\WINDOWS\system32\mfifirtf.dll
C:\WINDOWS\system32\lgysgcvc.dll
C:\WINDOWS\system32\dtuwaaaa.exe
C:\WINDOWS\system32\gqebeaaa.exe
C:\WINDOWS\system32\gngddbtm.exe

Please tell me how the machine is behaving now. Is it not as sluggish as before?
__________________

Question - what have you done for the community today?
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-09-2007, 12:18 PM   #18 (permalink)
Registered User
 
Join Date: Feb 2007
Location: Andalusia, AL
Posts: 15
OS: Windows XP


I just found each file and deleted them. It does seem to be running a little better now. I just deleted C:\WINDOWS\system32\lgysgcvc.dll now because it was not in the original list.
Byron_T is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-09-2007, 12:20 PM   #19 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,322
OS: N/A


Oops, just realised that C:\WINDOWS\system32\lgysgcvc.dll is a new one. Please delete that as well.


---------------


Then perform an online scan using Internet Explorer at http://www.kaspersky.com/virusscanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. We only require a report from it.
    It does not provide an option to clean/disinfect.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan


---------------


Whilst you're waiting for the Kaspersky scan to finish, you may want to take a read about StopSign here
__________________

Question - what have you done for the community today?
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-09-2007, 12:27 PM   #20 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,322
OS: N/A


This next bit can be performed anytime. Even during the Kaspersky Scan.

Sorry if my replies appear convulated. I don't like to keep people waiting. The short replies helps keep the momentum going & hopefully, makes it less of a hassle for you.


-----------


Do a HijackThis scan & place a check next to these items and select "Fix checked":

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O1 - Hosts: 12.129.205.209 search.netscape.com
O2 - BHO: Image Helper - {31677ADF-17D9-5516-E17D-3E459D631863} - C:\WINDOWS\system\bplctw32.dll (file missing)
O2 - BHO: (no name) - {36645342-9475-2663-166A-466739207346} - C:\WINDOWS\system32\ipv6mote.dll (file missing)


After that, post a fresh HJT log so that we may verify that it's clean
__________________

Question - what have you done for the community today?
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
 
Page 1 of 2 1 2

« Previous Thread | Next Thread »

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off



All times are GMT -7. The time now is 06:50 AM.

Contact Us - Tech Support Forum - Archive - Privacy Statement - Top


Copyright 2001 - 2009, Tech Support Forum
Home Tips Plus | Outdoor Basecamp | Automotive Support Forum

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85