#1 (permalink)
Registered User
Join Date: Dec 2007
Location: Hayden, ID
Posts: 7
OS: XP
Random IE7 windows opening
Here is when it happens and what happens. Every time I open IE7, or I open a new tab in IE7, or at a random time interval with IE7 open, a new IE7 window opens. I have noticed that there is and pattern to the web sites.
I have Free AVG Anti-virus and Free AVG Anti-Spyware installed and running. I also ran the AVG-Rootkit. All three installed after getting whatever I got. I have run all three programs until they come back clean with no change in IE7. I have also run Kaspersky online scanner and removed a bunch of files tagged as infected. I also created a new user to verify that it was not a corrupt user profile. It is not, both profiles have the same issue.
I followed the 5 steps and here is the log file from Deckard's System Scan. Plus I have the Panda scan file if needed.
I would like to thank you in advance for your help and your time. It is greatly appreciated.
Thanks, again.
Boyster70
#2 (permalink)
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 4,490
OS: XP
Re: Random IE7 windows opening
Hello boyster70 and welcome to TSF.
Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.
===============================================================
Please follow all instructions and in which order they come, if you have any questions, please ask before proceeding. It's important that you follow this through until I give you the all clear, a lack of symptoms does not mean the infection is gone.
===============================================================
Download ComboFix from Here or here
**Save it to your desktop** Do not run just yet, we will shortly
===============================================================
Copy/paste these instructions to notepad then disconnect from the internet
===============================================================
Go to Start → Run → paste in the single line command & click OK
"%userprofile%\desktop\combofix.exe" /killall
When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
===============================================================
Reconnect to the internet
===============================================================
Please download HijackThis to your desktop
Alternate link
This program will help us determine if there are any spyware/malware on your computer.
Double-click on the file you just downloaded. Click on the "Unzip" button to install. It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis
Upon install, HijackThis should open for you. Should it not open, navigate to C:\Program Files\Trend Micro\HijackThis and double click on HijackThis.exe
1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Post the hijackthis.log file here.
Do not fix anything in HijackThis since they may be harmless.
===============================================================
Logs Required
C:\Combofix.txt
Hijackthis log
#4 (permalink)
Registered User
Join Date: Dec 2007
Location: Hayden, ID
Posts: 7
OS: XP
Re: Random IE7 windows opening
Sorry for the delay, other family problems.
Thanks for your help. Here is the combofix.txt and the hijackthis.log
|
|
|
|
#5 (permalink) | |
|
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 4,490
OS: XP
|
Re: Random IE7 windows opening
Hello again
Please follow all instructions in the order in which they come. If you have any questions, please ask before proceeding.
=======================
Open Notepad and copy/paste the text in the quotebox below into it:
Quote:
![]()
Referring to the picture above, drag CFscript into ComboFix.exe.
Follow the prompts, and post the resulting log, C:\ComboFix.txt
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
Warning: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
========================
Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.
=========================
Logs Required
C:\Combofix.txt
Hijackthis log |
|
|
|
|
|
#6 (permalink) |
|
Registered User
Join Date: Dec 2007
Location: Hayden, ID
Posts: 7
OS: XP
|
Re: Random IE7 windows opening
Here are the log files you asked for. The subdirectory c:\my computer friend is a directory that I set up to put files in during this process.
Thanks again.
ComboFix 07-12-15.5 - Titan 2007-12-16 8:41:47.2 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.71 [GMT -8:00] Running from: C:\Documents and Settings\Titan\Desktop\ComboFix.exe Command switches used :: \\mine\temp\combofix\CFscript.txt * Created a new restore point FILE C:\WINDOWS\system32\bbbay.bak1 C:\WINDOWS\system32\cffhk.bak1 C:\WINDOWS\system32\cffhk.bak2 C:\WINDOWS\system32\cohyegco.ini C:\WINDOWS\system32\coqvvdru.ini C:\WINDOWS\system32\dfeeg.bak1 C:\WINDOWS\system32\dfeeg.bak2 C:\WINDOWS\system32\gypsbvdf.ini C:\WINDOWS\system32\hhskudnm.ini C:\WINDOWS\system32\mdbgbggf.ini C:\WINDOWS\system32\ordsbstv.ini C:\WINDOWS\system32\qxblkfcj.ini C:\WINDOWS\system32\rmxnipsy.ini C:\WINDOWS\system32\tuwhatap.ini C:\WINDOWS\system32\twasbhll.ini C:\WINDOWS\system32\vdhvxsoo.ini C:\WINDOWS\system32\vgmovwdl.ini C:\WINDOWS\system32\vpnowhmc.ini C:\WINDOWS\system32\yupfrdhf.ini . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\system32\bbbay.bak1 C:\WINDOWS\system32\cffhk.bak1 C:\WINDOWS\system32\cffhk.bak2 C:\WINDOWS\system32\cohyegco.ini C:\WINDOWS\system32\coqvvdru.ini C:\WINDOWS\system32\dfeeg.bak1 C:\WINDOWS\system32\dfeeg.bak2 C:\WINDOWS\system32\gypsbvdf.ini C:\WINDOWS\system32\hhskudnm.ini C:\WINDOWS\system32\mdbgbggf.ini C:\WINDOWS\system32\ordsbstv.ini C:\WINDOWS\system32\qxblkfcj.ini C:\WINDOWS\system32\rmxnipsy.ini C:\WINDOWS\system32\tuwhatap.ini C:\WINDOWS\system32\twasbhll.ini C:\WINDOWS\system32\vdhvxsoo.ini C:\WINDOWS\system32\vgmovwdl.ini C:\WINDOWS\system32\vpnowhmc.ini C:\WINDOWS\system32\yupfrdhf.ini . ((((((((((((((((((((((((( Files Created from 2007-11-16 to 2007-12-16 ))))))))))))))))))))))))))))))) . 2007-12-15 22:30 . 2007-12-15 22:30 <DIR> d-------- C:\Program Files\Trend Micro 2007-12-15 22:26 . 2007-12-15 22:26 54,156 --ah----- C:\WINDOWS\QTFont.qfn 2007-12-15 22:26 . 
2007-12-15 22:26 1,409 --a------ C:\WINDOWS\QTFont.for 2007-12-02 15:06 . 2007-12-02 15:06 <DIR> d-------- C:\Program Files\MSBuild 2007-12-02 14:57 . 2007-12-02 17:18 <DIR> d-------- C:\WINDOWS\system32\XPSViewer 2007-12-02 14:55 . 2007-12-02 14:55 <DIR> d-------- C:\Program Files\Reference Assemblies 2007-12-02 14:53 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll 2007-12-02 14:39 . 2007-12-02 14:41 <DIR> d-------- C:\WINDOWS\system32\URTTemp 2007-12-02 14:35 . 2006-11-12 22:02 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll 2007-12-02 14:35 . 2006-11-12 22:02 116,736 --------- C:\WINDOWS\system32\aaclient.dll 2007-12-02 14:35 . 2006-11-12 22:02 36,352 --------- C:\WINDOWS\system32\tsgqec.dll 2007-12-02 09:02 . 2007-12-02 09:02 <DIR> d-------- C:\Documents and Settings\test\Application Data\HP 2007-12-02 09:01 . 2007-12-02 09:01 <DIR> d-------- C:\Documents and Settings\test\Application Data\AVG7 2007-12-02 09:00 . 2007-12-02 09:00 <DIR> d-------- C:\Documents and Settings\test\Application Data\Grisoft 2007-12-02 01:29 . 2007-12-02 01:29 <DIR> d-------- C:\Deckard 2007-12-02 01:25 . 2007-12-02 01:25 <DIR> d-------- C:\Program Files\CONEXANT 2007-12-02 00:26 . 2007-12-02 00:26 <DIR> d-------- C:\Program Files\MSXML 6.0 2007-12-02 00:11 . 2007-07-09 05:16 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll 2007-12-01 23:35 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui 2007-12-01 23:29 . 2007-12-01 23:29 <DIR> d-------- C:\ie-spyad_zo 2007-12-01 22:16 . 2007-12-01 23:07 <DIR> d-------- C:\WINDOWS\system32\ActiveScan 2007-12-01 22:16 . 2007-12-01 22:16 30,590 --a------ C:\WINDOWS\system32\pavas.ico 2007-12-01 22:16 . 2007-12-01 22:16 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico 2007-12-01 22:16 . 2007-12-01 22:16 1,406 --a------ C:\WINDOWS\system32\Help.ico 2007-12-01 20:04 . 2007-12-01 20:04 <DIR> d-------- C:\Documents and Settings\Titan\Application Data\Grisoft 2007-12-01 20:04 . 
2007-05-30 04:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys 2007-11-29 06:25 . 2007-01-18 04:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys 2007-11-27 23:37 . 2007-12-16 08:00 <DIR> d-------- C:\Documents and Settings\Titan\Application Data\AVG7 2007-11-27 23:36 . 2007-11-27 23:36 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7 2007-11-27 23:34 . 2007-11-27 23:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft 2007-11-27 23:34 . 2007-11-28 10:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7 2007-11-27 23:30 . 2007-12-16 08:39 <DIR> d-------- C:\my computer friend 2007-11-27 21:20 . 2007-11-27 21:20 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab 2007-11-27 21:20 . 2007-11-27 21:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab 2007-11-20 23:46 . 2007-11-20 23:46 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll 2007-11-20 23:41 . 2007-11-27 23:24 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP 2007-11-20 23:26 . 2007-11-20 23:26 <DIR> d-------- C:\Documents and Settings\Titan\Incomplete 2007-11-20 23:24 . 2007-11-27 23:29 <DIR> d-------- C:\Documents and Settings\Titan\Application Data\LimeWire 2007-11-20 23:23 . 2007-11-24 12:11 <DIR> d-------- C:\Program Files\LimeWire 2007-11-20 17:43 . 2007-11-20 17:43 164 --a------ C:\install.dat 2007-11-20 12:11 . 2007-11-20 12:09 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-12-02 23:25 --------- d-----w C:\Documents and Settings\Titan\Application Data\Apple Computer 2007-12-02 06:53 --------- d-----w C:\Program Files\iTunes 2007-12-01 21:08 --------- d-----w C:\Program Files\Windows Media Connect 2 2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys . 
(((((((((((((((((((((((((((((((((((((((((((( Look ))))))))))))))))))))))))))))))))))))))))))))))))))))))))) . ---- Directory of C:\my computer friend ---- 2007-12-03 23:05 1438 --a------ C:\my computer friend\IE7 problem web sites.txt 2007-12-02 01:29 686630 --a------ C:\my computer friend\dss.exe 2007-12-01 23:29 315590 --a------ C:\my computer friend\ie-spyad_zo.exe 2007-12-01 23:22 240904 --a------ C:\my computer friend\ZonedOut.zip 2007-12-01 23:16 4052 --a------ C:\my computer friend\Activescan.txt 2007-12-01 20:03 12413440 --a------ C:\my computer friend\avgas-setup-7.5.1.43.exe 2007-12-01 14:20 26980 --a------ C:\my computer friend\virus scan 12_1_07a.txt 2007-12-01 11:01 51100 --a------ C:\my computer friend\virus scan 12_1_07.txt 2007-11-30 23:04 42566 --a------ C:\my computer friend\virus scan 11_30_07.txt ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe" [] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24] "NvCplDaemon"="RUNDLL32.exe" [2004-08-03 23:56 C:\WINDOWS\system32\rundll32.exe] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42] "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-27 23:35] "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 01:25] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-27 23:35] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 03:21:22] NETGEAR WG111v2 Smart 
Wizard.lnk - C:\Program Files\NETGEAR\WG111v2\WG111v2.exe [2006-05-17 15:05:52] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "DisableRegistryTools"= 0 (0x0) [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "ZuneNetworkSvc"=2 (0x2) "WebClient"=2 (0x2) "DomainService"=2 (0x2) "CryptSvc"=3 (0x3) "WMPNetworkSvc"=3 (0x3) "ose"=3 (0x3) S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\wg111v2.sys . ************************************************************************** catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-12-16 08:49:03 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... ************************************************************************** . Completion time: 2007-12-16 8:54:25 - machine was rebooted C:\ComboFix2.txt ... 2007-12-15 22:29 . 
2007-12-16 07:12:23 --- E O F --- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 9:02:23 AM, on 12/16/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16574) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\PROGRA~1\Grisoft\AVG7\avgemc.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\Explorer.EXE C:\Program Files\iTunes\iTunesHelper.exe C:\PROGRA~1\Grisoft\AVG7\avgcc.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\NETGEAR\WG111v2\WG111v2.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program 
Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user') O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v2\WG111v2.exe O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1196580840671 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1196580812340 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - 
http://www.crucial.com/controls/cpcScanner.cab O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe -- End of file - 5066 bytes |
|
|
|
|
#7 (permalink) |
|
Registered User
Join Date: Dec 2007
Location: Hayden, ID
Posts: 7
OS: XP
|
Re: Random IE7 windows opening
That last run through has IE7 running smooth again. Thanks for all the help. Are there any last steps that need to be taken?
Thank you for your time and being patient with me, I appreciate it. Boyster |
|
|
|
|
#8 (permalink) |
|
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 4,490
OS: XP
|
Re: Random IE7 windows opening
Hello again
Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:
Java(TM) 6 Update 2
Reboot when done
==========================
Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (If they still exist, make sure you do not miss any)
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
Please remember to close all other windows, including browsers then click Fix checked.
===============================
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
Updating Java:
================================
Clear IE7 cookies
* On the Internet Explorer 7 Tools menu, click Internet Options. The Internet Options box should open to the General tab.
* On the General tab, in the Browsing History, click the Delete button. This will delete all the files that are currently stored in your cache [that includes cookies too].
* Click OK, and then click OK again.
=====================================
Go here and do the BitDefender online virus scan.
* Click "I Agree" to agree to the EULA.
* Allow the ActiveX control to install when prompted.
* Leave the scanning options at default and press "Click here to scan" to begin the scan.
* Please refrain from using the computer until the scan is finished.
* When the scan is finished, click on "Click here to export the scan results"
* Save the report to your desktop then come back here and post it in your next reply.
===================================
Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.
====================================
Logs Required
BitDefender scan report
Hijackthis log |
|
|
|
|
#9 (permalink) |
|
Registered User
Join Date: Dec 2007
Location: Hayden, ID
Posts: 7
OS: XP
|
Re: Random IE7 windows opening
Wow this was more problematic than I had thought. Here is the BitDefender scan report and the Hijackthis log
BitDefender Online Scanner - Real Time Virus Report Generated at: Mon, Dec 17, 2007 - 07:15:37 -------------------------------------------------------------------------------- Scan Info Scanned Files 117251 Infected Files 0 Virus Detected No virus found. -------------------------------------------------------------------------------- This summary of the scan process will be used by the BitDefender Antivirus Lab to create agregate statistics about virus activity around the world. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 7:22:22 AM, on 12/17/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16574) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\PROGRA~1\Grisoft\AVG7\avgemc.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\Explorer.EXE C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\NETGEAR\WG111v2\WG111v2.exe C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\taskmgr.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page 
= http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user') O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v2\WG111v2.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - 
{85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1196580840671 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1196580812340 O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe -- End of file - 5090 bytes |
|
|
|
|
#10 (permalink) |
|
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 4,490
OS: XP
|
Re: Random IE7 windows opening
Hello again
No Firewall Onboard
You don't seem to have a firewall program installed. Using a firewall will allow you to give/deny access for applications that want to go online. Select one of these, or another of your choice:
========================================
Well done, your logs are clean.
Click start > run > type (or copy/paste command into run box):
ComboFix /u
Click ok.
=================
Clear IE7 cookies
* On the Internet Explorer 7 Tools menu, click Internet Options. The Internet Options box should open to the General tab.
* On the General tab, in the Browsing History, click the Delete button. This will delete all the files that are currently stored in your cache [that includes cookies too].
* Click OK, and then click OK again.
Clear Firefox cookies/cache
• Select "Tools"
• Select "Options".
• Select "Privacy".
• In "Settings" window put the check mark for Cookies, Cache, Browsing history and any others you want.
• Click OK.
• In Private area click "Clear Now".
-------------------------------------------------------------------------------------------
MICROSOFT UPDATES
1. Click Start, Run, type sysdm.cpl, and then press OK.
2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select the Automatic (recommended).
Microsoft updates are released every second Tuesday of each month, what is called "Patch Tuesday".
------------------------------------------------------------------------------------------
Useful Information and Programs to keep you safe.
TrendProtect is a FREE browser plug-in that helps you avoid Web pages with unwanted content and hidden threats. TrendProtect rates the current page and pages listed in Google, MSN, and Yahoo search results. You can use the rating to decide if you want to visit or avoid a given Web page.
To rate Web pages, TrendProtect refers to an extensive database that covers the following information for billions of Web pages:
* Content category
* Phishing scam detection
* Site reputation
* Page reputation
WOT Free helps you avoid disingenuous Internet content by allowing you to learn from others' experiences. WOT shows you website reputations on your browser, telling you how much other users trust a website. This helps you make better decisions while browsing and avoid phishing, malware, and other types of fraud. Reputations can also be added to web search results, Gmail, Wikipedia, and other selected sites. WOT reputations are computed mainly from user testimonies. Sharing your knowledge with others is just a click away, without ever having to leave the site. We also collect data from hundreds of other sources (including PhishTank) to quickly warn you of emerging threats. Currently, WOT knows over 12 million websites.
Note: Only compatible with Firefox 1.5 and higher.
Only install one of the above
--------------------------------------------------------------------------------------
Alternate Browsers
Try the following free alternate browsers rather than Internet Explorer
Avant
Firefox
Opera
K-Meleon
------------------------------------------------------------------------------------------
Free Antispyware Products
SuperAntiSpyware
AVG Antispyware Free
Ad-Aware
Spybot S&D
Download SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
Download Spyware Guard to catch and block spyware before it can execute.
------------------------------------------------------------------
IE-Spyad™ is a freeware utility that places more than 4000 dubious websites and domains in the Internet Explorer Restricted List.
Download and installation instructions for IE-Spyad™ Here
-----------------------------------------
The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
Note that if you use a company provided HOSTS file you should not use the MVPS HOSTS file.
If you're having trouble downloading & extracting, see link below for guidance:
http://www.mvps.org/winhelp2002/hosts2.htm
Once you have extracted the host file, double click on it and a new window will open.
Double-click on mvps.bat and follow the prompts
---------------------------------------------------------------
Winpatrol - Download and install the free version of Winpatrol. A tutorial for this product is located here: Using Winpatrol to protect your computer.
----------------------------------------
SnoopFree is a programme that informs you when another programme is wanting to log your keystrokes or read your screen. Only for XP users.
Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released.
==============================================
Also, please take a look at these well written articles:
PC Safety and Security--What Do I Need?
HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
THE ANTI-SPYWARE TUTORIAL
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls
**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.
Please reply to this thread once more, as we may mark this as resolved, thanks. |