# Hijacked browser? Computer?



## Tech_Gal (Nov 22, 2009)

Okay, I am throwing my hands in the air on this, I need help! 

A few very long days ago I downloaded AMS Beauty Studio and my computer went haywire. I use Avast antispyware and it was popping up so many warnings that I couldn't do anything. Avast couldn't deal with the file at all, so it just kept going in a circle. So I tried to run Malwarebytes, and it had been disabled, and whatever this smart virus/malware/spyware was, it was able to disable it every time I tried to reinstall it. I finally got it to run by changing its name, and it found the Trojans listed below:


Memory Processes Infected:
C:\Windows\msb.exe (Trojan.Agent) -> Unloaded process successfully.
C:\Users\Angi\AppData\Local\Temp\c.exe (Trojan.Dropper) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mailblocker (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Angi\AppData\Local\Temp\c.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\msa.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\msb.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.


But the story does not stop there. I thought that I had beat whatever it was, but then, within a matter of minutes after the reboot, it started again. Only this time I had started doing research on the web about the problem and noticed that my links were redirecting me to other websites. I got a false error saying that Internet Explorer has stopped working. The crazy thing is that I don't usually use IE, so when I first started getting the error it wasn't even open! However, I did open IE to check and see if the website redirect problem was affecting it as well, which it was, and I got the annoying error saying IE has stopped working. I clicked close the program, only it didn't close. It just kept on running like nothing had happened! Then I started getting the same error for the HP Health Check. At this point I was getting so many errors and Avast notifications that it was impossible to do anything, so I restored my computer to a point I had set up from a couple of days before.

After that, even though everything seemed fine, I proceeded to run a variety of scans, including the online scanner ESET. It found 4 Trojans and viruses and said it was able to remove them all, and I ran SUPERAntiSpyware, which found 1 Trojan that it was able to remove, and I thought that was that, but I was wrong. It wasn't long before all of the same stuff, minus the Avast warnings every few seconds, began again. Then something new occurred: Firefox stopped responding and wouldn't load. I tried to restart it but got an error message saying that it was already running and to either shut it down or restart my system. I then tried to stop the process via Task Manager and it wouldn't stop. I mean I clicked on it and hit End Process, but nothing happened. So I decided to restart my computer and the button didn't work. I was able to open the Start menu and click on it, and it acted like it worked in the sense that the Start menu closed and it made a clicking sound, but nothing happened. The same thing happened with the Shut Down button, so I did a hard reset and proceeded to open Firefox and continue researching my problem. Then it happened again, only this time when I did the hard reset my computer wouldn't come on at all! No blinking cursor, no logo, nothing. The only thing that happened was the button light came on and the fans ran. I finally got it to boot by reseating the RAM; that was right before I started this thread.

It seems like things are a little better now; there are no Avast warnings, and the IE/HP errors seem to have backed off a bit. But I know that this will not last. I am still being redirected to other websites when I click on links and, even though they are fewer, I am still getting the IE/HP errors.

Throughout all of this I have been running scans on my computer and other than the ones I mentioned, nothing is showing up. I hope that I haven't overdone it with my description of the problem but the big red banner at the top said to include as much information as possible. Plus, I am very frustrated and need some help from an expert!

Here is a list of the things I have tried/done:

Superantispyware - Which I have included. 
ESET online scan
Avast scan
Spybot search and destroy
Malwarebytes
Cleanup!
CCleaner
Combofix - This caused a weird recursive thing where my C: drive was listed under Combofix, and Combofix had an icon that looked like a disk drive with all of my files/programs under it. When I opened the C: drive listed under it there would be another Combofix with a C: drive, and it repeated for what seemed like forever. That was the first time I ran it, and I realized that it was unable to work properly because I forgot to shut down Avast, so I ran it again, but it sat for hours and did not finish.
Hijackthis -Which I have included.
Advanced Systems Care
The 8-step virus/spyware/malware preliminary removal instructions from TechSpot.

Here are the things that I currently use on my computer all the time:

Avast Antivirus
Zonealarm firewall
Spybot search and destroy

Here is a list of the things that I run weekly:

Advanced Systems Care
Cleanup!
Superantispyware


I think that's it except to say...Help me please!!!

Edited to add: I forgot to include my system specs.

Hewlett-Packard

HP G60 Notebook PC

AMD Athlon Dual-Core QL-64 2.19 GHz

Windows Vista Home Premium 32-bit SP2


----------



## Tech_Gal (Nov 22, 2009)

Quick update! Both my browsers keep going through spells where they won't load and I have to restart my computer. I am still unable to kill the Firefox process when this happens.

But there is something new. I was pinging things to see if packets were getting out, and they were, when on a whim I opened my network and sharing center and was shocked to see a strange computer there. The computer was named anonymous and had never been there before. When I click on it I am told that I do not have permission to access it. My wireless network is secure so I am unsure how they gained access, not just to my signal, but to my Home Network. I was able to get rid of the intruder by changing the WPA2 key. But am very concerned about how they got in and that they may get in again. I am also wondering what, if anything, this stranger has to do with my current computer woes.


----------



## Tech_Gal (Nov 22, 2009)

Another update! My computer is completely fubar! I have uninstalled/reinstalled Firefox and that seemed to have helped with the loading issue but I haven't been able to test it much because the Avast warnings are back along with MANY other problems. Avast was unable to handle the file(s) in question because they were in use and there were so many warnings that I had no choice but to restart my computer. Upon doing this a number of bizarre things occurred:

Upon booting my computer I get an error stating that the system has detected a worm in my system - Worm.Win32.NetSky.

The Avast warnings are about a Trojan called TrojanSPM/LX.

There is a red shield at the bottom of the screen alerting me to a problem with Windows security and when I click on it I get a warning that says, "Application cannot be executed. The file is infected Please activate your antivirus software."

There is a red circle with an X through it right next to the shield that keeps opening up a comment bubble that says something along the lines of, your computer is infected and you need to use the special antispyware to prevent data loss windows will download the latest version for you.

Another warning I am being plagued with says, "Attention! System detected a potential hazard (TrojanSPM/LX) on your computer that may infect executable files. You private information and PC safety is at risk. To get rid of unwanted spyware and keep your computer safe you need update your security software. Click OK to download official intrusion detection system (IDS software)"

I got these warnings even though I am running all of my spyware/antivirus/firewall programs. I even got the bubble warning while I was running spybot!

I ran a boot scan with Spybot and it found 60 problems and was able to remove all but 6, and it has asked me to reboot, which I will do momentarily. I wanted to make sure I was able to upload the logs that I have for fear that I will not be able to afterwards.

I am also unable to open many of my programs, including notebook, so I may have to post my logs right in the message.

I am including an updated hijack this log and all of the warnings from Avast. I would include a MalwareBytes log but, once again, it has been disabled. The spybot log will be in the next post because it was too long.





I know you are all volunteers and are all very busy but I hope you can help me soon before all is lost. 

Thanks in advance!!


----------



## Tech_Gal (Nov 22, 2009)

*Spybot log*

--- Search result list ---
Win32.Agent.chh: [SBI $A87D46EB] Web page (File, nothing done)
C:\Windows\System32\critical_warning.html
Properties.size=741
Properties.md5=3811E268A6D9F8AEF22990D91A644BF7
Properties.filedate=1258998502
Properties.filedatetext=2009-11-23 12:48:22

Win32.Agent.chh: [SBI $1ABA95A4] User settings (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper

Win32.Agent.chh: [SBI $1ABA95A4] User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-2927525121-1300614538-2752644078-1000\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper

Win32.Agent.chh: [SBI $1ABA95A4] User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper

Win32.Agent.chh: [SBI $E2C9F63A] User settings (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr

Win32.Agent.chh: [SBI $E2C9F63A] User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-2927525121-1300614538-2752644078-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr

Win32.Agent.chh: [SBI $E2C9F63A] User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr

Win32.Agent.chh: [SBI $B62A234E] User settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\NoChangingWallpaper

Win32.Agent.chh: [SBI $D9574D89] User settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoActiveDesktopChanges

Win32.Agent.chh: [SBI $4024E68A] User settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoSetActiveDesktop

Win32.Agent.chh: [SBI $4F63ED37] User settings (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges

Win32.Agent.chh: [SBI $4F63ED37] User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-2927525121-1300614538-2752644078-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges

Win32.Agent.chh: [SBI $4F63ED37] User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges

Win32.Agent.chh: [SBI $718DBD32] User settings (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop

Win32.Agent.chh: [SBI $718DBD32] User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-2927525121-1300614538-2752644078-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop

Win32.Agent.chh: [SBI $718DBD32] User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop

Win32.Agent.chh: [SBI $EC4787FA] Settings (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\8636065b-fef0-4255-b14f-54639f7900a4

Win32.Agent.chh: [SBI $EC4787FA] Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-21-2927525121-1300614538-2752644078-1000\Software\8636065b-fef0-4255-b14f-54639f7900a4

Win32.Agent.chh: [SBI $EC4787FA] Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-18\Software\8636065b-fef0-4255-b14f-54639f7900a4

Microsoft.Windows.Explorer: [SBI $DA080EA7] User settings (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions

Microsoft.Windows.Explorer: [SBI $DA080EA7] User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions

Microsoft.Windows.disableSystemRestore: [SBI $6296EC95] Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR

Microsoft.WindowsSecurityCenter.RegistryTools: [SBI $D60CD1E3] Settings (Registry change, nothing done)
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableRegistryTools

Microsoft.WindowsSecurityCenter.RegistryTools: [SBI $D60CD1E3] Settings (Registry change, nothing done)
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableRegistryTools

DNSFlush.cws: [SBI $893785D8] Autorun settings (jsh87r3huiehf89esiudgd) (Registry value, nothing done)
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jsh87r3huiehf89esiudgd

DNSFlush.cws: [SBI $893785D8] Program file (File, nothing done)
C:\Windows\TEMP\ipgw88.exe
Properties.size=15001
Properties.md5=88F39B31A003C0E97CE1CA698EF99CE4
Properties.filedate=1258996162
Properties.filedatetext=2009-11-23 12:09:22

DNSFlush.cws: [SBI $893785D8] Autorun settings (asg984jgkfmgasi8ug98jgkfgfb) (Registry value, nothing done)
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asg984jgkfmgasi8ug98jgkfgfb

DNSFlush.cws: [SBI $893785D8] Program file (File, nothing done)
C:\Windows\TEMP\nvsvc32.exe
Properties.size=26628
Properties.md5=3260C1970F169247818BA81834491B53
Properties.filedate=1258996169
Properties.filedatetext=2009-11-23 12:09:28

DNSFlush.cws: [SBI $893785D8] Autorun settings (jsh87r3huiehf89esiudgd) (Registry value, nothing done)
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jsh87r3huiehf89esiudgd

DNSFlush.cws: [SBI $893785D8] Autorun settings (asg984jgkfmgasi8ug98jgkfgfb) (Registry value, nothing done)
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asg984jgkfmgasi8ug98jgkfgfb

DNSFlush.cws: [SBI $455D41DA] User settings (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\New Windows\PopupMgr

DNSFlush.cws: [SBI $455D41DA] User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-2927525121-1300614538-2752644078-1000\Software\Microsoft\Internet Explorer\New Windows\PopupMgr

DNSFlush.cws: [SBI $455D41DA] User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\New Windows\PopupMgr

DNSFlush.cws: [SBI $9C28881C] User settings (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden

DNSFlush.cws: [SBI $9C28881C] User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden

DNSFlush.cws: [SBI $FB926B58] User settings (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt

DNSFlush.cws: [SBI $FB926B58] User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-2927525121-1300614538-2752644078-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt

DNSFlush.cws: [SBI $FB926B58] User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt

DNSFlush.cws: [SBI $A1906895] User settings (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SuperHidden

DNSFlush.cws: [SBI $A1906895] User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-2927525121-1300614538-2752644078-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SuperHidden

DNSFlush.cws: [SBI $A1906895] User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SuperHidden

Ertfor.bho: [SBI $A3AB8E35] Library (File, nothing done)
C:\Windows\System32\y4cnv.dll
Properties.size=15000
Properties.md5=158DA363B7A8ADBC04F702D08357F944
Properties.filedate=1258996161
Properties.filedatetext=2009-11-23 12:09:20

Ertfor.bho: [SBI $32D83D62] User settings (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\idstrf

Ertfor.bho: [SBI $32D83D62] User settings (Registry value, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\idstrf

Ertfor.bho: [SBI $C41D8ED7] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR

Opachki.ru: [SBI $DC5CFC0F] Autorun settings (calc) (Registry value, nothing done)
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc

Opachki.ru: [SBI $DC5CFC0F] Program file (File, nothing done)
C:\Windows\system32\config\SYSTEM~1\ntuser.dll
Properties.size=24064
Properties.md5=96F1EC9BA27A12A2CF028E7300AF5931
Properties.filedate=1239431300
Properties.filedatetext=2009-04-11 01:28:20

Opachki.ru: [SBI $DC5CFC0F] Autorun settings (calc) (Registry value, nothing done)
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc

Opachki.ru: [SBI $DC5CFC0F] Autorun settings (calc) (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc

Opachki.ru: [SBI $DC5CFC0F] Program file (File, nothing done)
C:\Windows\system32\calc.dll
Properties.size=24064
Properties.md5=96F1EC9BA27A12A2CF028E7300AF5931
Properties.filedate=1239431300
Properties.filedatetext=2009-04-11 01:28:20

Opachki.ru: [SBI $DC5CFC0F] Autorun settings (calc) (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc

Virtumonde.dll: [SBI $2F4068FC] Library (File, nothing done)
C:\Windows\System32\jasutudo.dll
Properties.size=61440
Properties.md5=998D1E405A77BD930E77DDC202858363
Properties.filedate=1251047366
Properties.filedatetext=2009-08-23 12:09:26

Virtumonde.dll: [SBI $BBD8783C] Library (File, nothing done)
C:\Windows\System32\mamapome.dll
Properties.size=52736
Properties.md5=28C16509FB06CFCC750494F9EA3F4E5C
Properties.filedate=1251047357
Properties.filedatetext=2009-08-23 12:09:16

Virtumonde.dll: [SBI $BBD8783C] Library (File, nothing done)
C:\Windows\System32\caonima2.exe
Properties.size=52736
Properties.md5=BD27C63F7152074D8E237EA7FA777A48
Properties.filedate=1258862888
Properties.filedatetext=2009-11-21 23:08:07

Virtumonde.dll: [SBI $BBD8783C] Library (File, nothing done)
C:\Windows\System32\fuyayeka.dll
Properties.size=52736
Properties.md5=28C16509FB06CFCC750494F9EA3F4E5C
Properties.filedate=1251047357
Properties.filedatetext=2009-08-23 12:09:16

Virtumonde.sdn: [SBI $7E48B11A] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs=...jowuhese.dll...

DoubleClick: Tracking cookie (Firefox: Angi (default)) (Cookie, nothing done)

MediaPlex: Tracking cookie (Firefox: Angi (default)) (Cookie, nothing done)

MediaPlex: Tracking cookie (Firefox: Angi (default)) (Cookie, nothing done)

MediaPlex: Tracking cookie (Firefox: Angi (default)) (Cookie, nothing done)

--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SDWinSec.exe (1.0.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-11-22 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-11-04 advcheck.dll (1.6.5.20)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-10-08 Includes\Adware.sbi (*)
2009-11-10 Includes\AdwareC.sbi (*)
2009-01-22 Includes\Cookies.sbi (*)
2009-11-03 Includes\Dialer.sbi (*)
2009-10-13 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2009-11-17 Includes\HijackersC.sbi (*)
2009-10-20 Includes\Keyloggers.sbi (*)
2009-10-20 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2009-11-10 Includes\Malware.sbi (*)
2009-11-18 Includes\MalwareC.sbi (*)
2009-03-25 Includes\PUPS.sbi (*)
2009-11-17 Includes\PUPSC.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-11-10 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-11-03 Includes\Spyware.sbi (*)
2009-11-10 Includes\SpywareC.sbi (*)
2009-06-08 Includes\Tracks.uti
2009-11-17 Includes\Trojans.sbi (*)
2009-11-17 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

--- System information ---
Windows Vista (Build: 6002) Service Pack 2 (6.0.6002)
/ MSXML4SP2: Security update for MSXML4 SP2 (KB954430)

--- Startup entries list ---
Located: HK_LM:Run, avast!
command: C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
file: C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
size: 81000
MD5: 28E9092D50AE450662EEA4719E5AA304

Located: HK_LM:Run, calc
command: rundll32.exe C:\Windows\system32\calc.dll,[email protected]
file: C:\Windows\system32\calc.dll
size: 24064
MD5: 96F1EC9BA27A12A2CF028E7300AF5931

Located: HK_LM:Run, HP Health Check Scheduler
command: c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
file: c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
size: 75008
MD5: AE37F6508716D2DD6122744C46686BEC

Located: HK_LM:Run, HP Software Update
command: C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
file: C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
size: 54840
MD5: 21293443961A4E2597453EE7A9347F22

Located: HK_LM:Run, hpWirelessAssistant
command: C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
file: C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
size: 488752
MD5: 8CB896C573FD15AE8B13180DA53E93D2

Located: HK_LM:Run, SunJavaUpdateSched
command: "C:\Program Files\Java\jre6\bin\jusched.exe"
file: C:\Program Files\Java\jre6\bin\jusched.exe
size: 149280
MD5: 3A0647BDED81DBE0BCBB51D70B22C9E0

Located: HK_LM:Run, SynTPEnh
command: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
file: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
size: 1049896
MD5: AE567D261D281B51BE55E53A786E8574

Located: HK_LM:Run, winupdate86.exe
command: C:\Windows\system32\winupdate86.exe
file: C:\Windows\system32\winupdate86.exe
size: 24848
MD5: 129FF235EE39433BF9FF4F1291122E22

Located: HK_LM:Run, ZoneAlarm Client
command: "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
file: C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
size: 981384
MD5: C331D8E6E3AB67A5A1556070E8EA6B13

Located: HK_LM:RunOnce, Spybot - Search & Destroy
command: "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
file: C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 5365592
MD5: 0477C2F9171599CA5BC3307FDFBA8D89

Located: HK_CU:Run, asg984jgkfmgasi8ug98jgkfgfb
where: .DEFAULT...
command: C:\Windows\TEMP\nvsvc32.exe
file: C:\Windows\TEMP\nvsvc32.exe
size: 26628
MD5: 3260C1970F169247818BA81834491B53

Located: HK_CU:Run, calc
where: .DEFAULT...
command: rundll32.exe C:\Windows\system32\config\SYSTEM~1\ntuser.dll,[email protected]
file: C:\Windows\system32\config\SYSTEM~1\ntuser.dll
size: 24064
MD5: 96F1EC9BA27A12A2CF028E7300AF5931

Located: HK_CU:Run, ctfmon
where: .DEFAULT...
command: RUNDLL32.EXE C:\Windows\TEMP\fgjk4wvb.dll,w
file: C:\Windows\TEMP\fgjk4wvb.dll
size: 61440
MD5: 60F08BFA8BD1C7F43EC3CBD3F7A41BA7

Located: HK_CU:Run, jsh87r3huiehf89esiudgd
where: .DEFAULT...
command: C:\Windows\TEMP\ipgw88.exe
file: C:\Windows\TEMP\ipgw88.exe
size: 15001
MD5: 88F39B31A003C0E97CE1CA698EF99CE4

Located: HK_CU:Run, SpybotSD TeaTimer
where: S-1-5-21-2927525121-1300614538-2752644078-1000...
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 2260480
MD5: 390679F7A217A5E73D756276C40AE887

Located: HK_CU:Run, asg984jgkfmgasi8ug98jgkfgfb
where: S-1-5-18...
command: C:\Windows\TEMP\nvsvc32.exe
file: C:\Windows\TEMP\nvsvc32.exe
size: 26628
MD5: 3260C1970F169247818BA81834491B53

Located: HK_CU:Run, calc
where: S-1-5-18...
command: rundll32.exe C:\Windows\system32\config\SYSTEM~1\ntuser.dll,[email protected]
file: C:\Windows\system32\config\SYSTEM~1\ntuser.dll
size: 24064
MD5: 96F1EC9BA27A12A2CF028E7300AF5931

Located: HK_CU:Run, ctfmon
where: S-1-5-18...
command: RUNDLL32.EXE C:\Windows\TEMP\fgjk4wvb.dll,w
file: C:\Windows\TEMP\fgjk4wvb.dll
size: 61440
MD5: 60F08BFA8BD1C7F43EC3CBD3F7A41BA7

Located: HK_CU:Run, jsh87r3huiehf89esiudgd
where: S-1-5-18...
command: C:\Windows\TEMP\ipgw88.exe
file: C:\Windows\TEMP\ipgw88.exe
size: 15001
MD5: 88F39B31A003C0E97CE1CA698EF99CE4

Located: WinLogon, !SASWinLogon
command: C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
file: C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
size: 548352
MD5: 482E8F6FD557D5A0DF7363F72DF145FE

It is still too long so I will post the rest in the next reply.
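The startup list above is the most useful part of the posted logs: the Run values named `asg984jgkfmgasi8ug98jgkfgfb` and `jsh87r3huiehf89esiudgd` load from `C:\Windows\TEMP`, the `ctfmon` and `calc` values live under the `.DEFAULT` and `S-1-5-18` (LocalSystem) hives and run a DLL through rundll32 instead of the system binary their name suggests, and `winupdate86.exe` sits bare in system32. The script below is an editor's added example, not code from the poster or from Spybot: it parses records of that `Located:/command:/file:/size:/MD5:` shape and scores each one with the heuristics an analyst applies by eye. The weights, the `IMPERSONATED` name table and the directory lists are this example's own assumptions, and the constructed sample excerpt reproduces four records from this thread with the rundll32 export name written as `...` because it is garbled in the post.

```python
r"""Triage of a Spybot-S&D "Startup entries list" (added example; not the poster's or Spybot's code).
Records look like: Located: <hive>, <value name> / where: <SID or .DEFAULT>... (HK_CU only) /
command: ... / file: ... / size: ... / MD5: ...  The weights are this example's own choice."""
import re
from dataclasses import dataclass, field
from ntpath import basename, splitext  # Windows path rules even when run on another OS

RECORD_RE = re.compile(
    r"^Located:\s*(?P<hive>[^,\n]+),\s*(?P<name>.+?)\s*$\n"
    r"(?:^where:\s*(?P<where>.*?)\s*$\n)?"
    r"^command:\s*(?P<command>.*?)\s*$\n"
    r"^file:\s*(?P<file>.*?)\s*$\n"
    r"^size:\s*(?P<size>\d+)\s*$\n"
    r"^MD5:\s*(?P<md5>[0-9A-Fa-f]{32})", re.MULTILINE)

# Heuristic inputs (constructed for this example; extend them from your own baseline).
BAD_DIR_FRAGMENTS = ("\\windows\\temp\\", "\\appdata\\local\\temp\\", "\\windows\\system32\\config\\")
WINDOWS_ROOT = re.compile(r"^[a-z]:\\windows\\[^\\]+$")             # dropped straight into C:\Windows
BARE_SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$")  # no vendor folder: verify signature
SYSTEM_HIVES = (".default", "s-1-5-18")  # installers never write Run values under LocalSystem/.DEFAULT
IMPERSONATED = {"calc": "calc.exe", "ctfmon": "ctfmon.exe", "explorer": "explorer.exe",
                "svchost": "svchost.exe", "lsass": "lsass.exe", "ntuser": "ntuser.dat"}

@dataclass
class StartupEntry:
    hive: str; name: str; where: str; command: str; file: str; size: int; md5: str
    score: int = 0
    reasons: list = field(default_factory=list)

    def flag(self, weight: int, why: str) -> None:
        self.score += weight
        self.reasons.append(why)

    @property
    def verdict(self) -> str:
        return "suspicious" if self.score >= 2 else "review" if self.score == 1 else "clean"

def parse_startup_entries(log: str) -> list:
    """One StartupEntry per Located:/command:/file:/size:/MD5: record."""
    return [StartupEntry(m["hive"].strip(), m["name"].strip(), (m["where"] or "").strip().rstrip("."),
                         m["command"].strip(), m["file"].strip(), int(m["size"]), m["md5"].upper())
            for m in RECORD_RE.finditer(log)]

def looks_random(name: str) -> bool:
    """Machine-generated value names: long, no spaces, digits scattered among letters or long consonant runs."""
    if len(name) < 12 or " " in name:
        return False
    digit_runs = len(re.findall(r"\d+", name))
    consonant_run = max((len(r) for r in re.findall(r"[b-df-hj-np-tv-z]+", name.lower())), default=0)
    return digit_runs >= 2 or consonant_run >= 5

def assess(e: StartupEntry) -> StartupEntry:
    """Apply the heuristics; a score of 2+ is 'suspicious', 1 is 'review', 0 is 'clean'."""
    f = e.file.lower()
    if any(frag in f for frag in BAD_DIR_FRAGMENTS):
        e.flag(2, "target lives in a temp directory or under system32\\config")
    elif WINDOWS_ROOT.match(f):
        e.flag(2, "target dropped directly into the Windows directory")
    elif BARE_SYSTEM32.match(f):
        e.flag(1, "bare file in system32 with no vendor directory: verify its digital signature")
    if e.where.lower().startswith(SYSTEM_HIVES):
        e.flag(1, "Run value under the .DEFAULT or LocalSystem (S-1-5-18) hive")
    if looks_random(e.name):
        e.flag(2, "machine-generated value name")
    expected = IMPERSONATED.get(splitext(e.name)[0].lower())
    if expected and basename(f) != expected:
        e.flag(2, f"value name impersonates {expected} but runs {basename(e.file)}")
    return e

def triage(log: str) -> dict:
    """(hive, where, value name) -> assessed StartupEntry, for every record in the log."""
    return {(e.hive, e.where, e.name): assess(e) for e in parse_startup_entries(log)}

# Constructed excerpt of the list posted in this thread; the rundll32 export name is written as '...'.
SAMPLE_LOG = r"""Located: HK_LM:Run, calc
command: rundll32.exe C:\Windows\system32\calc.dll,...
file: C:\Windows\system32\calc.dll
size: 24064
MD5: 96F1EC9BA27A12A2CF028E7300AF5931

Located: HK_LM:Run, winupdate86.exe
command: C:\Windows\system32\winupdate86.exe
file: C:\Windows\system32\winupdate86.exe
size: 24848
MD5: 129FF235EE39433BF9FF4F1291122E22

Located: HK_CU:Run, asg984jgkfmgasi8ug98jgkfgfb
where: .DEFAULT...
command: C:\Windows\TEMP\nvsvc32.exe
file: C:\Windows\TEMP\nvsvc32.exe
size: 26628
MD5: 3260C1970F169247818BA81834491B53

Located: HK_CU:Run, ctfmon
where: S-1-5-18...
command: RUNDLL32.EXE C:\Windows\TEMP\fgjk4wvb.dll,w
file: C:\Windows\TEMP\fgjk4wvb.dll
size: 61440
MD5: 60F08BFA8BD1C7F43EC3CBD3F7A41BA7
"""
```

Running `triage(SAMPLE_LOG)` marks the two TEMP loaders and both `calc` values as suspicious, but `winupdate86.exe` only reaches "review": nothing about its name or hive is odd, and path heuristics alone cannot separate it from a legitimate OEM helper in system32. That is the gap a hash lookup (the MD5 is right there in the log) or an Authenticode check fills, and why the posted scans kept missing pieces of this infection.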


----------



## Tech_Gal (Nov 22, 2009)

*The rest of the Spybot log*

--- Browser helper object list ---
{18DF081C-E8AD-4283-A596-FA578C2EBDC3} (AcroIEHelperStub)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: AcroIEHelperStub
CLSID name: Adobe PDF Link Helper
Path: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\
Long name: AcroIEHelperShim.dll
Short name: ACROIE~2.DLL
Date (created): 2/27/2009 1:07:26 PM
Date (last access): 11/13/2009 9:12:26 AM
Date (last write): 2/27/2009 1:07:26 PM
Filesize: 75128
Attributes: archive 
MD5: 5CF6190CD875DA6B35256FEE573E7908
CRC32: 764BA81B
Version: 9.1.0.163

{53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: 
CLSID name: Spybot-S&D IE Protection
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\PROGRA~1\SPYBOT~1\
Long name: SDHelper.dll
Short name: 
Date (created): 11/22/2009 4:09:24 PM
Date (last access): 11/22/2009 4:09:24 PM
Date (last write): 1/26/2009 3:31:02 PM
Filesize: 1879896
Attributes: archive 
MD5: 022C2F6DCCDFA0AD73024D254E62AFAC
CRC32: 5BA24007
Version: 1.6.2.14

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: 
CLSID name: SSVHelper Class
Path: C:\Program Files\Java\jre6\bin\
Long name: ssv.dll
Short name: 
Date (created): 9/24/2009 8:24:08 PM
Date (last access): 10/11/2009 4:21:56 AM
Date (last write): 10/11/2009 4:17:28 AM
Filesize: 321312
Attributes: archive 
MD5: E3D899E680DDC3A324BF7E8C38312C0D
CRC32: 243550A1
Version: 6.0.170.4

{79CEEA4E-C231-4614-9E3B-53B2A02F39B7} (Comcast Toolbar)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: Comcast Toolbar
CLSID name: Comcast Toolbar
Path: C:\Program Files\comcasttb\
Long name: comcastdx.dll
Short name: COMCAS~1.DLL
 Date (created): 5/25/2009 9:06:48 AM
Date (last access): 9/26/2009 10:32:04 AM
Date (last write): 5/25/2009 9:06:48 AM
Filesize: 91608
Attributes: archive 
MD5: 649472EF6C0E1FD50F6D67BBC6C88A54
CRC32: 85FCE62F
Version: 1.0.0.9

{d2ce3e00-f94a-4740-988e-03dc2f38c34f} (Microsoft Live Search Toolbar Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: 
CLSID name: Microsoft Live Search Toolbar Helper
Path: c:\Program Files\MSN\Toolbar\3.0.0541.0\
Long name: msneshellx.dll
Short name: MSNESH~1.DLL
Date (created): 8/28/2008 10:09:08 PM
Date (last access): 10/23/2008 1:54:02 AM
Date (last write): 8/28/2008 10:09:08 PM
Filesize: 86032
Attributes: archive 
MD5: C12121B120411F2C9A457AF8339AB6C6
CRC32: 0AC5FA79
Version: 3.0.541.0

{DBC80044-A445-435b-BC74-9C25C1C588A9} (Java(tm) Plug-In 2 SSV Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: 
CLSID name: Java(tm) Plug-In 2 SSV Helper
Path: C:\Program Files\Java\jre6\bin\
Long name: jp2ssv.dll
Short name: 
Date (created): 9/24/2009 8:24:08 PM
Date (last access): 10/11/2009 4:18:20 AM
Date (last write): 10/11/2009 4:17:30 AM
Filesize: 41760
Attributes: archive 
MD5: C9EDE29F223A27873E187D9FB6045EA6
CRC32: 5951C3E0
Version: 6.0.170.4

--- ActiveX list ---
{36299202-09EF-4ABF-ADB9-47C599DBE778} (HP Product Detection Control)
DPF name: 
CLSID name: HP Product Detection Control
Installer: C:\Windows\Downloaded Program Files\HPProdDetect.inf
Codebase: https://www.hpwindows7upgrade.arvato.com/north_america/Endcustomer/HPProdDetect.cab
Path: C:\Windows\DOWNLO~1\
Long name: HPProdDetect.ocx
Short name: HPPROD~1.OCX
Date (created): 7/13/2009 3:01:40 PM
Date (last access): 7/13/2009 3:01:40 PM
Date (last write): 7/13/2009 3:01:40 PM
Filesize: 389536
Attributes: archive 
MD5: F45092B071634E2DEF560C28A29E61A3
CRC32: 71FAC19A
Version: 1.0.0.1

{4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control)
DPF name: 
CLSID name: Microsoft Virtual Server VMRC Advanced Control
Installer: C:\Windows\Downloaded Program Files\VMRCActiveXClient.inf
Codebase: https://lva.msllab.microsoft.com/msllabs/vmrc/VMRCActiveXClient.cab
Path: C:\Windows\Downloaded Program Files\
Long name: VMRCActiveXClient.dll
Short name: VMRCAC~1.DLL
Date (created): 4/27/2006 12:31:04 PM
Date (last access): 4/27/2006 12:31:04 PM
Date (last write): 4/27/2006 12:31:04 PM
Filesize: 529304
Attributes: archive 
MD5: ABD579EEB944DC90B2709140272BC798
 CRC32: D8655EAD
Version: 1.1.465.300

{7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control)
DPF name: 
CLSID name: OnlineScanner Control
Installer: C:\Windows\Downloaded Program Files\OnlineScanner.inf
Codebase: http://download.eset.com/special/eos/OnlineScanner.cab
Path: C:\PROGRA~1\ESET\ESETON~1\
Long name: OnlineScanner.ocx
Short name: ONLINE~1.OCX
Date (created): 11/22/2009 12:31:06 AM
Date (last access): 11/22/2009 12:31:06 AM
Date (last write): 10/26/2009 3:45:44 PM
Filesize: 3356232
Attributes: archive 
MD5: B933ED3DB918479B8AB39BDD445DB37B
CRC32: 7376E693
Version: 1.0.0.6211

{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_17
Installer: 
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link: 
info source: Patrick M. Kolla
Path: C:\Program Files\Java\jre6\bin\
Long name: jp2iexp.dll
Short name: 
Date (created): 9/24/2009 8:24:08 PM
Date (last access): 10/11/2073 4:18:18 AM
Date (last write): 10/11/2009 4:17:30 AM
Filesize: 100128
Attributes: archive 
MD5: 048369C957BCE15E4628FDEB65820BE8
CRC32: C8C19051
Version: 6.0.170.4

{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_17
Installer: 
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Path: C:\Program Files\Java\jre6\bin\
Long name: jp2iexp.dll
Short name: 
Date (created): 9/24/2009 8:24:08 PM
Date (last access): 10/11/2073 4:18:18 AM
Date (last write): 10/11/2009 4:17:30 AM
Filesize: 100128
Attributes: archive 
MD5: 048369C957BCE15E4628FDEB65820BE8
CRC32: C8C19051
Version: 6.0.170.4

{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_17
Installer: 
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
description: 
classification: Legitimate
known filename: npjpi150_06.dll
info link: 
info source: Safer Networking Ltd.
Path: C:\Program Files\Java\jre6\bin\
Long name: npjpi160_17.dll
Short name: NPJPI1~1.DLL
Date (created): 10/11/2009 2:14:36 AM
Date (last access): 10/11/2073 4:18:30 AM
Date (last write): 10/11/2009 4:17:30 AM
Filesize: 136992
Attributes: archive 
MD5: 3D58770680F268A23A8CE1F14B49AA2F
CRC32: 6091A816
Version: 6.0.170.4

--- Process list ---
PID: 1208 (1148) C:\Windows\system32\taskeng.exe
size: 169984
MD5: E5BBFC283D6F5D69B41E464676361020
PID: 2876 (1088) C:\Windows\system32\Dwm.exe
size: 81920
MD5: 01DD1004181FD46ECDC3628228EB269D
PID: 3100 ( 720) C:\Windows\Explorer.EXE
size: 2926592
MD5: D07D4C3038F3578FFCE1C0237F2A1253
PID: 3192 (3100) C:\Windows\system32\runonce.exe
size: 38400
MD5: 9A6A653ADF28D9D69670B48F535E6B90
PID: 2280 (3192) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 5365592
MD5: 0477C2F9171599CA5BC3307FDFBA8D89
PID: 2180 (1064) C:\Windows\system32\winupdate86.exe
size: 24848
MD5: 129FF235EE39433BF9FF4F1291122E22
PID: 3236 (2796) C:\Windows\system32\ctfmon.exe
size: 8704
MD5: 22BFD03DF51065A9ED8D17F8FB72296B
PID: 0 ( 0) [System Process]
PID: 4 ( 0) System
PID: 404 ( 4) smss.exe
size: 64000
PID: 520 ( 508) csrss.exe
size: 6144
PID: 572 ( 508) wininit.exe
size: 96768
PID: 580 ( 564) csrss.exe
size: 6144
PID: 620 ( 572) services.exe
size: 279552
PID: 632 ( 572) lsass.exe
size: 9728
PID: 640 ( 572) lsm.exe
size: 229888
PID: 816 ( 620) svchost.exe
size: 21504
PID: 856 ( 564) winlogon.exe
size: 314368
PID: 904 ( 620) nvvsvc.exe
size: 196608
PID: 956 ( 620) svchost.exe
size: 21504
PID: 1024 ( 620) svchost.exe
size: 21504
PID: 1088 ( 620) svchost.exe
size: 21504
PID: 1148 ( 620) svchost.exe
size: 21504
PID: 1216 (1024) audiodg.exe
size: 88576
PID: 1256 ( 620) svchost.exe
size: 21504
PID: 1300 ( 620) SLsvc.exe
size: 3408896
PID: 1388 ( 620) svchost.exe
size: 21504
PID: 1400 ( 904) rundll32.exe
size: 44544
PID: 1544 ( 620) svchost.exe
size: 21504
PID: 1624 ( 620) vsmon.exe
PID: 1764 (1088) wlanext.exe
size: 74240
PID: 1896 ( 620) aswUpdSv.exe
PID: 1920 ( 620) ashServ.exe
PID: 12 ( 620) spoolsv.exe
size: 127488
PID: 668 ( 620) svchost.exe
size: 21504
PID: 1204 (1148) taskeng.exe
size: 169984
PID: 2436 ( 620) ComcastAntiSpyService.exe
PID: 2648 ( 620) LSSrvc.exe
PID: 2760 ( 620) svchost.exe
size: 21504
PID: 2836 ( 620) BLService.exe
PID: 2880 ( 620) RichVideo.exe
PID: 2944 ( 620) svchost.exe
size: 21504
PID: 3008 ( 620) svchost.exe
size: 21504
PID: 3060 ( 620) SearchIndexer.exe
size: 441344
PID: 3136 ( 620) XAudio.exe
PID: 3228 ( 620) SDWinSec.exe
size: 1153368
MD5: 794D4B48DFB6E999537C7C3947863463
PID: 3724 ( 620) ashMaiSv.exe
PID: 3756 ( 620) ashWebSv.exe
PID: 3880 ( 620) alg.exe
size: 59392
PID: 2768 ( 620) wmpnetwk.exe

--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 11/23/2009 2:11:52 PM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\Windows\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://cc.ivytech.edu/cp/home/loginf
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
C:\Windows\System32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://go.microsoft.com/fwlink/?LinkId=54896

--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip 
[*]

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip 
[*]

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip 
[*]

Protocol 3: MSAFD Tcpip [TCP/IPv6]
GUID: {F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IPv6 protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip 
[*]

Protocol 4: MSAFD Tcpip [UDP/IPv6]
GUID: {F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IPv6 protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip 
[*]

Protocol 5: MSAFD Tcpip [RAW/IPv6]
GUID: {F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IPv6 protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip 
[*]

Protocol 6: RSVP TCPv6 Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 7: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 8: RSVP UDPv6 Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 9: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{7E4CAA21-D43C-4BC6-B3A8-6548DCBE6A2A}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{7E4CAA21-D43C-4BC6-B3A8-6548DCBE6A2A}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{FFD1FC1C-F874-4F56-96BF-54A45A5FA219}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{FFD1FC1C-F874-4F56-96BF-54A45A5FA219}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{BFD0BDA5-FAF3-4F25-AA5F-E8E937D1EB85}] SEQPACKET 7
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{BFD0BDA5-FAF3-4F25-AA5F-E8E937D1EB85}] DATAGRAM 7
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{002D19FA-D76A-4DFF-B1D5-D25729161412}] SEQPACKET 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 17: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{002D19FA-D76A-4DFF-B1D5-D25729161412}] DATAGRAM 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 18: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{7E4CAA21-D43C-4BC6-B3A8-6548DCBE6A2A}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 19: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{7E4CAA21-D43C-4BC6-B3A8-6548DCBE6A2A}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 20: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{FFD1FC1C-F874-4F56-96BF-54A45A5FA219}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 21: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{FFD1FC1C-F874-4F56-96BF-54A45A5FA219}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Namespace Provider 0: Network Location Awareness Legacy (NLAv1) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: 
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace

Namespace Provider 1: E-mail Naming Shim Provider
GUID: {964ACBA2-B2BC-40EB-8C6A-A6DB40161CAE}
Filename:

Namespace Provider 2: PNRP Cloud Namespace Provider
GUID: {03FE89CE-766D-4976-B9C1-BB9BC42C7B4D}
Filename:

Namespace Provider 3: PNRP Name Namespace Provider
GUID: {03FE89CD-766D-4976-B9C1-BB9BC42C7B4D}
Filename:

Namespace Provider 4: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: 
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 5: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS


----------



## Tech_Gal (Nov 22, 2009)

Okay, things are "better" again. For the moment anyway. I ran Superantispyware that found 30 problems and then I redownloaded/installed MalwareBytes and it found several problems. They have all been taken care of between these two programs and I have attached the logs.

Here are a couple of things I forgot to mention were occurring before:

There were sounds playing in the background, like commercials or something, even when there was no web browser open.

My firewall, ZoneAlarm, looked like it was running but would lock up when I opened it.

These are not occurring now and the alerts, which I was very careful not to click on, have stopped as well. But, I know that this is just a reprieve and it will most likely start again so I am awaiting your instruction. 

I have also included the hijackthis log that was run after I did all this.


----------



## Tech_Gal (Nov 22, 2009)

All problems have returned with a vengeance! Please, this damsel is in distress and needs help! I cannot afford to lose the data on this system. This is where I store all of my homework and the applications/software that I use at/for school. I have tried everything that I know to do to get rid of this spyware/malware/virus pest but my system is still infected and on the verge of collapse. There are many system errors and my browsers barely work. I may have to start doing the repairs to this system via the USB or ROM drives.

All that being said, I know that you are all volunteers and are very busy; I am just a bit frustrated because I have never had a problem I couldn't fix myself. I will be waiting for guidance. When I am contacted I will let you know all of the things I have tried since I posted last.


----------

