Skip to main content

1972vet

3.3K Posts

February 26th, 2007 20:00

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
Subratam
Bleepingcomputer

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads please post back the text that will open (report.txt) and a new Hijackthis log.
Thanks!

djscas

47 Posts

March 3rd, 2007 18:00

I've run the two programs as you requested and the results follow.  Appreciate any further assistance you can provide.  Thanks, again.
 
Results for "fixit" scan:
 
 
Fixwareout Last edited 2/11/2007
Post this report in the forums please
...
»»»»»Prerun check
»»»»» System restarted
 
»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdobw.exe"
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....
Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.
 
Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/
»»»»» Other
 
»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"UserFaultCheck"="%systemroot%\\system32\\dumprep 0 -u"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"SSBkgdUpdate"="\"C:\\Program Files\\Common Files\\Scansoft Shared\\SSBkgdUpdate\\SSBkgdupdate.exe\" -Embedding -boot"
"RoxWatchTray"="\"C:\\Program Files\\Common Files\\Roxio Shared\\SharedCOM8\\RoxWatchTray.exe\""
"RoxioDragToDisc"="\"C:\\Program Files\\Roxio\\Easy Media Creator 8\\Drag to Disc\\DrgToDsc.exe\""
"QuickFinder Scheduler"="\"C:\\Program Files\\WordPerfect Office X3\\Programs\\QFSCHD130.EXE\""
"Logitech Utility"="Logi_MwX.Exe"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"ISUSPM Startup"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\isuspm.exe\" -startup"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb04.exe"
"HP Software Update"="C:\\Program Files\\Hp\\HP Software Update\\HPWuSchd2.exe"
"FinishOptions"="C:\\Program Files\\Hewlett-Packard\\hp LaserJet 2410 2420 2430\\Installer\\hpbinxst.exe"
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"CTSysVol"="C:\\Program Files\\Creative\\SBAudigy2\\Surround Mixer\\CTSysVol.exe"
"CTHelper"="CTHELPER.EXE"
"CTDVDDet"="C:\\Program Files\\Creative\\SBAudigy2\\DVDAudio\\CTDVDDet.EXE"
"CoolSwitch"="C:\\WINDOWS\\system32\\taskswitch.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"ATIModeChange"="Ati2mdxx.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"C:\\Program Files\\Norton AntiVirus\\osCheck.exe\""
"TomcatStartup 2.5"="C:\\Program Files\\Hewlett-Packard\\Toolbox\\hpbpsttp.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"Creative Detector"="\"C:\\Program Files\\Creative\\MediaSource\\Detector\\CTDetect.exe\" /R"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\""
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»
 
Results of Hijackthis log:
 
Logfile of HijackThis v1.99.1
Scan saved at 3:22:26 PM, on 3/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Canon\\CALMAIN.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\PROGRA~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office X3\Programs\QFSCHD130.EXE"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [FinishOptions] C:\Program Files\Hewlett-Packard\hp LaserJet 2410 2420 2430\Installer\hpbinxst.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1158883620281
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1158883613968
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {D42ED9FF-DF46-4AD9-A3FE-46BAF896466E} (CountSpies.SpyCounter) - http://www.sunbelt-software.com/dell/CounterSpy.CAB
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15026/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{72D65052-D9A1-49E1-827E-2B2A9232625A}: NameServer = 85.255.116.108
O17 - HKLM\System\CCS\Services\Tcpip\..\{C8492193-F47B-4AA0-9C10-7D63244C15D0}: NameServer = 207.255.0.130,207.255.0.131
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.108 85.255.112.93
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.108 85.255.112.93
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.108 85.255.112.93
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
 

1972vet

3.3K Posts

March 3rd, 2007 19:00

Please select and install one of these free Firewall applications:
ZoneAlarm Free Version
Outpost Free
Kerio

When the installation completes successfully, reboot the computer. DO NOT RECONNECT TO THE INTERNET WHEN THE SYSTEM COMES BACK UP.

We need to disable your Microsoft Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
  • Open Microsoft Windows Defender. Click Start, Programs, Windows Defender
  • Click on Tools, General Settings
  • Under Real-time protection options, unselect the Turn on real-time protection check box
  • Click Save
After all of the fixes are complete it is very important that you enable Real-time Protection again.


Please run HijackThis again and check the following:
O4 - HKLM\..\Run: %systemroot%\system32\dumprep 0 -
O17 - HKLM\System\CCS\Services\Tcpip\..\{72D65052-D9A1-49E1-827E-2B2A9232625A}: NameServer = 85.255.116.108
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.108 85.255.112.93
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.108 85.255.112.93
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.108 85.255.112.93

Close all windows now except for the hijackthis application window, then click the Fix Checked button.

Reboot. When the system comes back up, re-enable Windows Defender, connect to the internet and:

Please download F-Secure Blacklight (blbeta.exe) and save to your desktop.
  • * Double-click blbeta.exe then accept the agreement. Now disconnect from the internet and close all other applications you had open. DO NOTHING ELSE WITH YOUR COMPUTER WHILE THIS SCAN IS RUNNING.
    * Click Scan -> Next.
    * After the scan you'll see a list of all items found. Please click Next and then Exit. Do NOT choose rename for any items yet! I need to see the log first, because legitimate items can also be present there...
    * A log will be created on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx are numbers)
    * Please post the contents of the log in your next reply along with a fresh HijackThis log. How's the computer running now?




djscas

47 Posts

March 4th, 2007 12:00

Thanks a million......
 
The only problem I've got at this time is that my Norton Systemworks 2007 and Norton Antivirus 2007 are not working.  They will not open from the desktop icons or from the Programs menu.  I get an error message from the program that it cannot open.  If you can help me get those two programs back on track now I think I'm back in business.
 
The URL links from the search results appear to work fine and take me to the target website without the doubleclicking problem.
 
Following is the results from the blbeta/ blacklight scan... fsblxxxxxxxxxxxxxx.log file:
 
03/04/07 09:12:09 [Info]: BlackLight Engine 1.0.55 initialized
03/04/07 09:12:09 [Info]: OS: 5.1 build 2600 (Service Pack 2)
03/04/07 09:12:09 [Note]: 7019 4
03/04/07 09:12:09 [Note]: 7005 0
03/04/07 09:12:14 [Note]: 7006 0
03/04/07 09:12:14 [Note]: 7011 1636
03/04/07 09:12:14 [Note]: 7026 0
03/04/07 09:12:14 [Note]: 7026 0
03/04/07 09:12:28 [Note]: FSRAW library version 1.7.1021
03/04/07 09:41:03 [Note]: 7007 0
 
And this is the results of the new hijackthis scan log file:
 
Logfile of HijackThis v1.99.1
Scan saved at 9:41:21 AM, on 3/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Canon\\CALMAIN.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office X3\Programs\QFSCHD130.EXE"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [FinishOptions] C:\Program Files\Hewlett-Packard\hp LaserJet 2410 2420 2430\Installer\hpbinxst.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1158883620281
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1158883613968
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {D42ED9FF-DF46-4AD9-A3FE-46BAF896466E} (CountSpies.SpyCounter) - http://www.sunbelt-software.com/dell/CounterSpy.CAB
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15026/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C8492193-F47B-4AA0-9C10-7D63244C15D0}: NameServer = 207.255.0.130,207.255.0.131
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\\CALMAIN.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

 
 

djscas

47 Posts

March 5th, 2007 10:00

Before closing this problem... could you, please describe in layman's terms just what caused my problem of redirecting the URL hyperlinks in IE.  And how did the solutions you prescribed solve it?
 
I'd like to avoid the situation in the future, if I can at all do that.
 
Thanks, again.

1972vet

3.3K Posts

March 5th, 2007 15:00

Your Blacklight log looks fine and so does your latest HijackThis log.

Quote: Before closing this problem... could you, please describe in layman's terms just what caused my problem of redirecting the URL hyperlinks in IE. And how did the solutions you prescribed solve it?
I'll certainly give it the ole "College" try. The infection you had is known as "Wareout". The infection lately is one that comes with a rootkit, although your system does not appear to have THIS rootkit installed. This infection has to be downloaded purposely...that's not to say you KNEW you were downloading it, but you DID download something that included this malware.

The rootkit is designed to hide malware on your system and prevent common security tools from finding and removing it. The rootkit is also a means by which the one who crafted it can keep and maintain control over your computer. In your case, the redirection to other web sites is known as a DNS hijack and that's what this WareOut infection was designed to do.

The solution is courtesy of "Lonny R Jones"...(he's one of us malware fighters) who wrote the "fix" tool for this specific infection.

For more about rootkits, click Here.

I'd like to avoid the situation in the future, if I can at all do that.
You can. Be careful what you download. There are other protective tools we can install...more on that later on.


Your problem with Symantec is a typical one. I myself dumped symantec because of the multitude of "uninstall/reinstall" recommendation error messages I was receiving.

The software is fine for corporate use but I never ever recommend it for home users simply because of the user "unfriendly" propensity. Corporations are filled with IT department personnel who get paid whether they do anything or not. When one or more of the company computers begin to complain about Symantec's product not working (again and again), it's nothing for the company to send the techs to their rescue...but the home user has to wrestle with it on their own.

Your best bet is to try the Symantec's Support site AutoFix Tool...and don't be surprised if a "reinstall" of the software is recommended.

Post back and let us know how it's performing for you now and if you are having any other issues. Thanks!

djscas

47 Posts

March 6th, 2007 11:00

Thanks, again, for getting back to me.  As of this morning everything is working fine.  I had to reinstall Symantec systemworks 2007 and some difficulties doing that.  After using the Norton remove tool and reinstalling I got through ok until I went to activate.  Couldn't do it.  Called Symantec support and the young lady, while difficult to understand, was courteous and knew the answers to the problem.  Got that fixed and now back in business with my antivirus up to date and activated.
 
Not sure what I downloaded, but I've upped the security on my IE7 page and can get a look at any website wanting to load cookies, etc., onto my pc with the chance to deny it if I don't recognize the company or site.
 
Again, thanks.

1972vet

3.3K Posts

March 6th, 2007 14:00

With as nasty an infection that you had, I would imagine there is some disk clutter left over as well as a badly fragmented disk.

We need to tidy up a bit and sort things in their proper order.

If you have more than one drive you can follow these instructions below for each drive, substituting the drive letter in each instance:

Delete Cookies

*Note*
Deleting ALL cookies will require you to log back into any web sites you visit that required you to log on with a user ID and password.

You CAN be selective here and keep the good cookies if you think you know which ones they are. I recommend deleting "All" cookies in order to remove any problems that may be present.
If you elect to delete All cookies, you will find there are a couple that Windows will not permit you to delete. This is normal as there are a few files (from your most recent log on session) that are in use by the operating system. You will also find a few Windows Temp files in use by the system
  • Click Start-->Run and Type Cookies then click OK.
  • Click "Edit" from the menu at the top then scroll to and click on:
    Select All

    Next, click "File" from the menu at the top. Scroll to and select Delete

    Return to your desktop.

Delete the Contents of the Prefetch Folder
  • Click Start-->Run and Type Prefetch then click OK.
  • Click "Edit" from the menu at the top then scroll to and click on:
    Select All
    Next, click "File" from the menu at the top. Scroll to and select Delete

    Return to your desktop

Delete Windows Temp Files
It is important to pay attention here to what files may remain after you click "Delete". There are some windows temp files that the system will not allow you to delete which is normal. You should have only two or three files that remain. Please select what files remain (a few at a time) and delete everything that windows will allow you to delete.
  • Click Start-->Run, and Type Temp then click OK.
  • Click "Edit" from the menu at the top then scroll to and click on:
    Select All
    Next, click "File" from the menu at the top. Scroll to and select Delete

    Return to your desktop

Delete User Temp Files
  • Click Start-->Run, and Type %Temp% then click OK.
  • Click "Edit" from the menu at the top then scroll to and click on:
    Select All
    Next, click "File" from the menu at the top. Scroll to and select Delete
    Return to your desktop


Delete other Unnecessary Files
  • Click Start-->My Computer-->Right Click on C:/ Drive
  • Select "Properties" then click the Disk Clean-Up button.
    Select everything Except for "Office Set-Up Files" (if present) and "Compress Old Files". Click "OK".

Run CHKDSK
  • Click the "Tools" Tab. Under Error Checking click the "Check Now" button. Under Check Disk Options put a check in Both boxes then Click Start. Click Yes then Click OK and reboot the system.

This first reboot after you've completed the cleanup session will take a bit longer than usual. Let your system stabilize with no intervention... DO NOTHING WITH YOUR COMPUTER AT THIS TIME

Allow the scan to complete. Upon completion, windows will reboot the system again.

When the system comes back up and has stabilized (watch for the light on your CPU tower to stop blinking or at least slow to a crawl...this may take maybe 3 minutes or so) then continue with these instructions below:

We may need to defragment the disk as well, but to check it first for the percentage of fragmented files, please do this:

Please click Start-->run
and type or copy and paste the following in the run box, then click "OK":
CMD

When the command prompt opens, copy and paste the following then hit your enter key:
defrag c: -a

...the cursor will blink for a few seconds while the defrag utility scans the disk then you will be shown the analysis results. If the results show the percent fragmented or the percent of file fragmentation is beyond 2 or 3 percent, then continue with a defragmentation of the disk (you should ALWAYS ignore the You do not need to defragment this volume recommendation that windows presents because it is only a standard which is based on the worst case scenarios (and largely for a corporate setting rather than a home user).

I believe you won't get a "you need to defragment this volume" message from windows until the percentage of file fragmentation is way beyond 20 percent...I don't believe I've ever seen one on my pc but I DO know if I waited that long to defragment, my computer would be barely limping along.

To defragment the volume using a system command (which is faster by the way) rather than using windows, please do this:

Click Start-->All Programs-->Accessories, and select The Command Prompt again.

Copy and paste the following text at the C :\...> Prompt, and press the ENTER key.
defrag c:

You should be shown an analysis of the fragmented files again...the cursor should drop down and return to the left side of the screen. It will just blink continuously and may appear to you that nothing is happening but windows is running the defragmentation utility through the system command.

Allow the defragmentation to complete. When it completes, your cursor will return to it's normal "Ready" position. It will most probably look like this:
C:\Documents and Settings\Owner>(or your log on user name that you assigned yourself) and the cursor will be blinking again as it is positioned at the end of that file path named above.

When you see that, then the fragmentation utility has finished. Close the Command Prompt window and reboot the computer again to properly record the changes to the disk.


Now that your system is clean and running the way you expect, let's create a new restore point you can refer to if the need should arise at some time in the future.

Please click "Start > Programs > Accessories > System Tools > System Restore"
In the new window, check the 'Create a restore point' in the right pane and click "Next".
In the "Restore point description" textbox, name your restore point to something you will easily recognize. I recommend something like yyyymmdd_Clean (ex. 20060101_Clean)
Click "Create" and reboot your computer.

There's a few more things you can do to help prevent spyware infections:

Immunize your browser by installing Spywareblaster. What does it do?
  • Prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
  • Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
  • Restricts the actions of potentially unwanted sites in Internet Explorer.

Keep your anti-virus and spyware definitions up to date. Be sure to scan often (once a week is fine).

Below you can choose from several of the freeware Firewalls available on the public domain. Even though you may have a Firewall already installed, keep this list handy should you choose not to renew your subscription for whatever reason.

You should always have at least ( but not more than ) one of these types of third party firewalls running on board:
Kerio Personal Firewall
Zone Alarm
Outpost Free

Stay updated with the most recent Windows patches using
Microsoft's Windows Update.

Using the alternate browser that you have chosen can reduce your chance of certain infections installing themselves. We actually DO recommend Mozilla Firefox. If those of you who are just reading through this thread don't already have "Firefox", please consider installing and using this browser for surfing. Remember to keep Internet Explorer as your default browser so there will be no interference with your Windows Automatic Updates.

If you still wish to use Internet Explorer, please make sure you install SpywareBlaster (from above) to protect you from most ActiveX infections.

Run CCleaner often. Download the Basic or Slim version unless you WANT the Yahoo Toolbar.
Or if you just want to run your on board Disk Cleanup ("Start > Programs > Accessories > System Tools > Disk Cleanup" ), just open the utility and check off the following:
Downloaded Program Files, Temporary Internet Files, Recycle Bin, and Temporary Files

So how did I get infected in the first place?
Regards, and Happy Surfing!

djscas

47 Posts

March 9th, 2007 19:00

Short follow-up.
 
The same problem appears in most all of the tools options, including changing the level of security.  when I click on OK or Apply, the system appears to hang.  However, I've just noted that the changes seem to go through prior to the hang, because when I finally get out of the hung IE7 and then go back in the changes are there, e.g., home page and security levels are applied.
 
So, again, can you assist with this, hopefully, last bit of a problem.
 
Thanks

djscas

47 Posts

March 9th, 2007 19:00

Thanks for the follow-up.  I've run through your last suggestions.  Things seem to be doing pretty well with the exception of a couple of glitches in IE7...
 
Under Tools --------> Internet Options
 
When I try to set the home page by using "Use Current Page" and then click "Apply" the system hangs... with the cursor hourglass just sitting there.  If I go into task manager and click close for the program, it indicates that the program isn't responding.
 
Secondly, again under Tools ------------> Internet Options
 
When I select Browsing History and click on Delete I run into a problem if I select "Delete All"  The culprit seems to be deleting the History.....   If I selectively go down the list the other options will all "delete."  But when I get to the Browsing History and press Delete, I again get a system hang with the mouse cursor just sitting there as an hourglass.
 
I've reinstalled IE7 with all the updates, but the problem/s still persist.
 
Sorry to continue to bother you, but can you assist in this one final cleanup?
 
Thanks.

djscas

47 Posts

March 10th, 2007 00:00

And just one more note.... I just ran Disk Cleanup and CCleaner again.  At this point in time I am not having the problems described above.  Have been in and out of IE7 a couple of times and tried setting the home page, security levels, and deleting files.  All appear to be working again as they should.  I'll try again tomorrow and let you know again if any changes.
 
Good stuff you recommended.

1972vet

3.3K Posts

March 10th, 2007 01:00

The fact that you WERE unable to change your start page I believe is related to the inability to delete your history file. I'm glad you resolved it...you can see the need to cleanup the disk often.

However, to prevent the same problem from reoccuring, we need to change some settings in the browser. Be certain first to close all open applications including this browser window. We need to change the browser settings using the control panel and NOT the browser.

Click start--Control Panel-->Internet Options...under the Browsing history section, click the Settings button.

Change the Disk space to use to "50". Next, at the bottom, change the Days to keep pages in history to "0". Click OK, Apply it and OK it. Close all windows and reboot. Go back to Internet Options the same way (without opening the browser) and try your "Delete all" option again. You should not have the hang problem again. Post back your results.

djscas

47 Posts

March 10th, 2007 11:00

I did have the problem return this morning.  Tried your last suggestions and made the changes from within the Internet Connections box from the Control Panel.  It did not correct the error.  Continues to hang when  trying to save the home page, delete history and change security settings.  When I try to delete the history it goes to the "deleting history" dialogue box and the progress meter just runs continuously until you go to the Task Manager to exit the program.  Can't stop it with clicking on cancel or the upper left X from within the dialogue box.
 
To the best of my knowledge I changed nothing from last evening to this morning on the system.  And last evening when I shut it down it was working fine.
 
So........... where to from here?

1972vet

3.3K Posts

March 10th, 2007 13:00

Please download Silent Runners to your Desktop.

Right click the "SilentRunners.zip" folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C: ) or whatever your primary drive is
Click "Make New Folder"
Type in SilentRunners
Click "Next", and then click "Finish".

Double-click on the file "Silent Runners.vbs. It will ask you if you want to skip the supplementary searchs -- click 'No'
Please wait while the script runs (it takes between 1 and 2 minutes). Once it completes, a textbox will appear and the folder you launched SilentRunners will have a text file in it called "Startup Programs (ComputerName).txt".
Please post the information from that file in your next post.


Download GMER and extract it to it's own folder. Read here how to unzip/extract properly.

Next, run the Gmer.exe program and click the "Rootkit" tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for "Show All".

Next, select all the disk partitions (C:\, D:\ etc) from the list.
Finally, click "Scan" and allow the scan to complete.

If you're having problems with running gmer.exe, try it in Safe Mode.
This tool works in Safe Mode other rootkit revealers don't.

When the scan is completed, click "Copy" to copy the log. Please post the contents of that log on your next reply.

djscas

47 Posts

March 13th, 2007 00:00

Second half of the Silent Runners Log:
 
_______________________________________________________________________
 

Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
Note: detected settings may not have any effect.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoDrives" = (REG_BINARY) hex:82 FF FF 03
{unrecognized setting}
"NoViewOnDrive" = (REG_DWORD) hex:0x00000000
{unrecognized setting}
"NoComputersNearMe" = (REG_BINARY) hex:00 00 00 00
{unrecognized setting}
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoCDBurning" = (REG_DWORD) hex:0x00000000
{unrecognized setting}
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\
"Colors" = (REG_DWORD) hex:0x00000000
{unrecognized setting}
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\DELL.BMP"
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\DELL.BMP"

Enabled Scheduled Tasks:
------------------------
"MP Scheduled Scan" -> launches: "C:\Program Files\Windows Defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS]
"Norton AntiVirus - Run Full System Scan - David Sheneman" -> launches: "C:\PROGRA~1\NORTON~2\Navw32.exe /TASK:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Norton SystemWorks One Button Checkup" -> launches: "C:\Program Files\Norton SystemWorks\OBC.exe  /CUSTOM /SCHEDULE /AUTO" ["Symantec Corporation"]
"SpywareBlaster" -> launches: "C:\PROGRA~1\SPYWAR~1\SPYWAR~1.EXE" [null data]

Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{F2CF5485-4E02-4F68-819C-B92DE9277049}"
  -> {HKLM...CLSID} = "&Links"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
  -> {HKLM...CLSID} = "&Google"
                   \InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
  -> {HKLM...CLSID} = "&Google"
                   \InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
Explorer Bars
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
HKLM\Software\Classes\CLSID\{9455301C-CF6B-11D3-A266-00C04F689C50}\(Default) = "Encarta &Researcher"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL" [MS]
HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{5E638779-1818-4754-A595-EF1C63B87A56}\
"ButtonText" = "Express Cleanup"
"MenuText" = "Express Cleanup"
"Exec" = "C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk" [null data]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Automatic LiveUpdate Scheduler, Automatic LiveUpdate Scheduler, ""C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe"" ["Symantec Corporation"]
Canon Camera Access Library 8, CCALib8, "C:\Program Files\Canon\\CALMAIN.exe" ["Canon Inc."]
Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\system32\CTsvcCDA.exe" ["Creative Technology Ltd"]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
NMIndexingService, NMIndexingService, ""C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe"" ["Nero AG"]
Norton UnErase Protection, NProtectService, "C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE" ["Symantec Corporation"]
Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\system32\HPZipm12.exe" ["HP"]
Roxio Hard Drive Watcher, RoxWatch, ""C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe"" ["Sonic Solutions"]
RoxMediaDB, RoxMediaDB, ""C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe"" ["Sonic Solutions"]
Speed Disk service, Speed Disk service, "C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE" ["Symantec Corporation"]
Symantec AppCore Service, SymAppCore, ""C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe"" ["Symantec Corporation"]
Symantec Core LC, Symantec Core LC, ""C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]
Symantec Lic NetConnect service, CLTNetCnService, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]
Windows Defender, WinDefend, ""C:\Program Files\Windows Defender\MsMpEng.exe"" [MS]
WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\system32\MsPMSPSv.exe" [MS]

Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\Monitors\
HP Master Monitor\Driver = "hpbmmon.dll" ["Hewlett-Packard"]
hpzlnt04\Driver = "hpzlnt04.dll" ["HP"]
Ice Monitor C\Driver = "BiCMonNT.dll" ["Black Ice Software"]
Ice Monitor M\Driver = "BiMMonNT.dll" ["Black Ice Software"]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]

----------
< >: Suspicious data at a malware launch point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 23 seconds.
---------- (total run time: 66 seconds)

Was this post helpful?

View All

No Events found!

Top