Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

PSGuard [RESOLVED]


  • This topic is locked This topic is locked

#1
rafter

rafter

    Member

  • Member
  • PipPip
  • 16 posts
Here's my story, thus far -

A couple of days ago Psguard popups seemed to suddenly take over my computer. I was able to find this forum and start to try to get rid of it. I downloaded and ran CleanUp. I already had Ad Aware - I updated it and ran it. I downloaded and ran CWShredder. I downloaded, updated, and ran Spybot, and also I think I ran the DSO Exploit thing, but I'm not clear how that differs from the Spybot. At any rate, I did run Spybot and got rid of some things. I downloaded and ran Ewido. I did the online Housecall.

I should note here that I normally use Netscape 7, although I sometimes switch to MS IE when things don't work. I suspect that switching to MS IE was what originally downloaded the malware. Housecall got weird when I tried it from Netscape and finally I got message that it only works with IE. So I switched to that and ran the scan. Housecall had me download something during the Netscape mess, and now I wonder if it was more malware or the like.

Resuming the sequence of events - I downloaded and installed AVG. I created their "rescue diskettes", which ran to six diskettes. I had Windows SP1 already, but I downloaded SP1a and installed it. I rebooted, but Psguard was still there, after all this. I ran some more scans from all these programs to see if anything much had changed. At some point I read on a forum about how a process in the taskmanager could be killed to stop the popups - sorry, I don't remember which - and that seemed to work. During this period of just trying to figure out whether I was still really infected, I found that I couldn't access my ISP anymore. The network connection dialer was messed up. I tried to make a new one, and found that the "Make a new connection" Wizard wouldn't allow me to access the type of connection I needed - it was greyed out. My connection is through a USB DSL modem, and I need to login each time I connect. (Note from rafter: since I first posted this message, I've found a tip on the Microsoft support website on how to fix this problem by doing something in the registry - but I'm not going to try to do anything until I hear I get a response to this message, since at this point I'm worried about messing things up further by connecting the infected computer to the internet at all (further note - after sleeping on it, I couldn't resist and tried fixing the problem using the info from Microsoft. Didn't work, although I did manage to delete a reference to a file "dialer.exe" in the registry; don't know if that was a legit file or a malware file, but it's gone for now. So, still no connection to the net on the infected computer.)

Somewhere during these increasingly panicky scans and attempts to fix things, I managed to inadvertantly delete the winint.dll file, which had shown up as infected. Somehow I got around six infected copies of it into a quarentine, and thinking they were all just copies, I deleted them. That seems to have deleted the original file, too. I rebooted and a bunch of things gave error messages based on not finding that file. I tried using the rescue diskettes from the AVG program to reboot, but that didn't function, always giving a "Cannot init CORE. Corrupted AVI7.AVG?" After trying to somehow get the file off the original XP installation CD and failing (is there a way to do this? (Note from rafter - since I first posted this message, I've found out that running sfc is the way to do this (Further note - some more research seems to tell me that I can just use a "copy" command after going into repair mode from the installation CD), I decided to try to reinstall XP to restore that file. So I started the install, and after some bumps got to a point at which the installation would halt with this error msg box titled "unregmp2.exe - Entry Point Not Found" and the message in the box said "The procedure entry point GetIUMS could not be located in the dynamic link library MSDART.DLL" (Further note - I did yet another reinstall after the one described above, since it was part of the instructions from Microsoft on how to get the connection wizard working agina, and the same unregmp2/exe error happened again. Also, since I did the reinstalls of Windows XP, I'm guessing that it reverted back to pre-service-pack 1 or 1a state(?). Since I can't connect to the internet at this point with the infected computer, I can't do the service pack download. I'm sure hoping we can disinfect the computer before getting its connection to the internet back.)

After several attempts at restarting the install, I finally figured out that it was not going to go past that point. As a last resort, I figured I would try reconnecting an old computer running Windows 98 to see if I could use it to get online. Amazingly, it worked (I had forgotten that I'd first used the USB DSL modem with it). I did a Google search on "unregmp2.exe" and quickly found the solution, which was that when the error occured, hit Shift + F10 to get a command prompt, start the Taskmanager, and get rid of the unregmp2 process. So, that worked, and the install completed, with a presumeably fresh copy of the wininit.dll file. I was still not able to create a working network connection through the wizard, which still greyed out the choice I need. I tried to run the winsock fix app linked in the instructions I'm following here, but got an error saying it wasn't a valid 32-bit app.

This morning I've redone CleanUp, Ad Aware (which found evidence of an Alexa-like infection and PSGuard), CWShredder (which showed no problem), Spybot (which also showed no problem), and ewido (which found some things and I'm pasting its report below the HijackThis report). I ran Hijack This, which started with two error messages, and then ran normally (I think), and the log is pasted below.

I place my computer (and probably my sanity) into your hands.

Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 10:32:02 AM, on 11/2/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\System32\mgabg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Efficient Networks\SpeedStream DSL\SPDSTRM.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\CU-SEE~1\Amigo.exe
C:\PROGRA~1\CU-SEE~1\NOTIFI~1.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\WHITEP~1\CUCore.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\WINDOWS\System32\PDesk\PDesk.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\CU-SEE~1\CONTAC~1.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\fixer files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dialup.pacbell.net/help.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://dialup.pacbel....net/help.html"); (C:\Documents and Settings\Wayne\Application Data\Mozilla\Profiles\default\elseylnu.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\Wayne\Application Data\Mozilla\Profiles\default\elseylnu.slt\prefs.js)
O2 - BHO: HomepageBHO - {3bf1f86f-b1a8-489b-8d8b-43781d51411f} - C:\WINDOWS\System32\hpA99E.tmp (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DSL Monitor] C:\Program Files\Efficient Networks\SpeedStream DSL\SPDSTRM.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [WP Companion] C:\PROGRA~1\CU-SEE~1\Amigo.exe -minimize
O4 - HKLM\..\Run: [WP Call Notification] C:\PROGRA~1\CU-SEE~1\NOTIFI~1.EXE
O4 - HKLM\..\Run: [hplampc] C:\WINDOWS\system32\hplampc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O12 - Plugin for .efp: C:\Program Files\Internet Explorer\Plugins\NPEFPrn.dll
O12 - Plugin for .efv: C:\Program Files\Internet Explorer\Plugins\NPEFV.dll
O12 - Plugin for .fmp: C:\Program Files\Internet Explorer\Plugins\NPFMP.dll
O12 - Plugin for .fmr: C:\Program Files\Internet Explorer\Plugins\NPFME.dll
O12 - Plugin for .ifx: C:\Program Files\Internet Explorer\Plugins\NPWebPrn.dll
O12 - Plugin for .lfx: C:\Program Files\Internet Explorer\Plugins\NPLaunch.dll
O12 - Plugin for .mwp: C:\Program Files\Internet Explorer\Plugins\NPMWPrn.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GearSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\System32\mgabg.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe



Report from ewido


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:17:19 AM, 11/2/2005
+ Report-Checksum: E263DDE3

+ Scan result:

HKLM\SOFTWARE\PSGuard.com -> Spyware.PSGuard : Error during cleaning
HKLM\SOFTWARE\PSGuard.com\PSGuard -> Spyware.PSGuard : Error during cleaning
HKLM\SOFTWARE\PSGuard.com\PSGuard\P.S.Guard -> Spyware.PSGuard : Error during cleaning
HKLM\SOFTWARE\PSGuard.com\PSGuard\P.S.Guard\License -> Spyware.PSGuard : Cleaned with backup


::Report End

Edited by rafter, 05 November 2005 - 01:01 AM.

  • 0

Advertisements


#2
Avohir

Avohir

    Visiting Staff

  • Visiting Consultant
  • 1,002 posts
Welcome to GeeksToGo :tazz:

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please make sure the version of Ewido you have is the most current, if not: Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut.
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt and the Ewido Log by using Add Reply.
Let us know if any problems persist.
  • 0

#3
rafter

rafter

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Thanks much for responding.

I followed the instructions as well as I could - hope I didn't mess up. I couldn't run the Panda scan because the infected computer can't connect to the internet at this point. I'm connecting to GTG with an old spare computer I have, and then transferring files and logs back and forth to and from the infected machine by diskette. Luckily, I had downloaded Ad Aware and Ewido before losing the connection, and they are updated as of Nov. 1.

When booting into safe mode, I'm presented with the choice of administrator or my own profile (just so you know, I'm the only user, though). I chose my profile, figuring I was in it when I got the malware. Let me know if that was the right thing to do. I couldn't really tell when smitRem was finished since there wasn't a message or anything, but the report was there, so I figure it ran ok. Ewido didn't find anything, so there's no report from it. I rebooted into Normal mode before running Hijack This to generate the log, and I didn't remove anything using it. Was that right? Finally, I'm pasting the Ad Aware quarentine log, in case it might be of any interest.

Thanks again.

---------------------------


smitRem © log file
version 2.7

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Sun 11/06/2005
The current time is: 19:31:11.88

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key

PSGuard.com key present!



Running LTDFix/PSGuard.com fix!



PSGuard.com key was successfully removed! :tazz:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Online Security Center.url


~~~ Favorites ~~~



~~~ system32 folder ~~~

msvol.tlb
ncompat.tlb
nvctrl.exe


~~~ Icons in System32 ~~~

ts.ico
ot.ico


~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :)


------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 8:57:49 PM, on 11/6/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\System32\mgabg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Efficient Networks\SpeedStream DSL\SPDSTRM.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\CU-SEE~1\Amigo.exe
C:\PROGRA~1\CU-SEE~1\NOTIFI~1.EXE
C:\PROGRA~1\COMMON~1\WHITEP~1\CUCore.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\CU-SEE~1\CONTAC~1.EXE
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\WINDOWS\System32\PDesk\PDesk.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
C:\fixer files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dialup.pacbell.net/help.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://dialup.pacbel....net/help.html"); (C:\Documents and Settings\Wayne\Application Data\Mozilla\Profiles\default\elseylnu.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\Wayne\Application Data\Mozilla\Profiles\default\elseylnu.slt\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DSL Monitor] C:\Program Files\Efficient Networks\SpeedStream DSL\SPDSTRM.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [WP Companion] C:\PROGRA~1\CU-SEE~1\Amigo.exe -minimize
O4 - HKLM\..\Run: [WP Call Notification] C:\PROGRA~1\CU-SEE~1\NOTIFI~1.EXE
O4 - HKLM\..\Run: [hplampc] C:\WINDOWS\system32\hplampc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O12 - Plugin for .efp: C:\Program Files\Internet Explorer\Plugins\NPEFPrn.dll
O12 - Plugin for .efv: C:\Program Files\Internet Explorer\Plugins\NPEFV.dll
O12 - Plugin for .fmp: C:\Program Files\Internet Explorer\Plugins\NPFMP.dll
O12 - Plugin for .fmr: C:\Program Files\Internet Explorer\Plugins\NPFME.dll
O12 - Plugin for .ifx: C:\Program Files\Internet Explorer\Plugins\NPWebPrn.dll
O12 - Plugin for .lfx: C:\Program Files\Internet Explorer\Plugins\NPLaunch.dll
O12 - Plugin for .mwp: C:\Program Files\Internet Explorer\Plugins\NPMWPrn.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GearSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\System32\mgabg.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

-------------------------------------

Ad Aware quarentine

ArchiveData(auto-quarantine- 2005-11-06 19-49-31.bckp)
Referencefile : SE1R72 26.10.2005
======================================================

ALEXA
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=Regkey : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
obj[1]=RegValue : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} "MenuText"
obj[2]=RegValue : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} "MenuStatusBar"
obj[3]=RegValue : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} "Script"
obj[4]=RegValue : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} "clsid"
obj[5]=RegValue : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} "Icon"
obj[6]=RegValue : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} "HotIcon"
obj[7]=RegValue : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} "ButtonText"
obj[8]=RegValue : .DEFAULT\software\microsoft\internet explorer\extensions\cmdmapping "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
obj[9]=RegValue : S-1-5-18\software\microsoft\internet explorer\extensions\cmdmapping "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
obj[10]=RegValue : S-1-5-21-1060284298-492894223-839522115-1004\software\microsoft\internet explorer\extensions\cmdmapping "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
  • 0

#4
Avohir

Avohir

    Visiting Staff

  • Visiting Consultant
  • 1,002 posts
what's preventing that computer from connecting to the internet?
  • 0

#5
rafter

rafter

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
The connection was DSL via a USB modem, and although the modem seems to still make a connection to the physical network, the logon sequence to the ISP stopped functioning at some point while I was running the procedures suggested here to try before posting a Hijack This log.

While trying to get it to work again, I wiped out the desktop icon I had set up for the logon, but it wasn't doing anything, at any rate - nothing happened when I clicked it. When I try to use the "Make New Connection" wizard from the control panel, the choice of connection type that I need to use, which is something like "Broadband connection, with ID and password required to sign on to ISP", appeared grayed out so I can't select it. There are three possible choices in that dialog, which comes right after making the choice to set up a connection manually. I need the middle one, but both it and the first choice are grayed out, leaving only the "Always on" connection.

I tried using the WinsockXPfix.exe file a few days ago to try to get things working, but got an error saying it wasn't a valid 32-bit program.

I also tried using a couple of methods from the Microsoft support website to fix it, a registry edit method and also doing an inplace reinstall of XP, but neither worked.
  • 0

#6
Avohir

Avohir

    Visiting Staff

  • Visiting Consultant
  • 1,002 posts
We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Click here: http://www.microsoft...&DisplayLang=en
Apply the update, reboot, and post a fresh Hijack This log.
  • 0

#7
rafter

rafter

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
I don't know how to do the service pack update without a connection to the internet. Any ideas?

I actually had SP 1 on the computer when it got infected. When I read the instructions here on what to do before posting a log, the connection was still working and I did the SP 1a update. However, when I ran the XP install in place to try to fix the internet connection, it looks like it reverted XP back to it original state, before any service packs were downloaded. The file that starts the SP1a update process is still on the computer, so if we could get the connection to work, I could run it immediately and hope it finished before the infection did anything to interrupt. Wishful thinking, probably.
  • 0

#8
Avohir

Avohir

    Visiting Staff

  • Visiting Consultant
  • 1,002 posts
is it possible to do a system restore to the point before the connection was removed?
  • 0

#9
rafter

rafter

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Trying to start the system restore gives an error message with this title " rstrui.exe - Entry Point Not Found" and this body "The procedure point RemoteAssistancePrepareSystemRestore could not be located in the dynamic link library WINSTA.dll."
  • 0

#10
rafter

rafter

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
After trying the restore that didn't work, I tried another thing that I found on the MS website, which was to manually start the Telephony services and the Remote Access Connection Manager service if they were stopped. They both were stopped, so I started the Telephony service by right clicking "My Computer", then going into Manage>Services>Telephony. But when I tried to do the same with the Remote Access connection Manager, I got an error that said "Access is Denied". So I tried going in through the Administrator login in safe mode, but got a message saying that service can't be started in safe mode.

So maybe the malware has messed with the permissions for the internet connection and that's the reason the wizard doesn't work??
  • 0

Advertisements


#11
Avohir

Avohir

    Visiting Staff

  • Visiting Consultant
  • 1,002 posts
okay, what I'd like you to do is start Hijackthis from the command prompt

start > run > cmd

start C:\fixer files\HijackThis.exe /ihatewhitelists

and post the log THAT generates
  • 0

#12
rafter

rafter

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
I'm not sure what is going on, but there's a problem with posting the log. I've been trying for about an hour. It looks like I can only post very short messages, not whole logs. I'm guessing it has something to do with the work the site admin is doing on the GTG server. I'll try again in a while.
  • 0

#13
rafter

rafter

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Here's the new log.

Logfile of HijackThis v1.99.1
Scan saved at 2:15:22 PM, on 11/7/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\System32\mgabg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Efficient Networks\SpeedStream DSL\SPDSTRM.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\CU-SEE~1\Amigo.exe
C:\PROGRA~1\CU-SEE~1\NOTIFI~1.EXE
C:\PROGRA~1\COMMON~1\WHITEP~1\CUCore.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\PROGRA~1\CU-SEE~1\CONTAC~1.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\WINDOWS\System32\PDesk\PDesk.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\cmd.exe
C:\fixer files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dialup.pacbell.net/help.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...B_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft...=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://dialup.pacbel....net/help.html"); (C:\Documents and Settings\Wayne\Application Data\Mozilla\Profiles\default\elseylnu.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\Wayne\Application Data\Mozilla\Profiles\default\elseylnu.slt\prefs.js)
O1 - Hosts: # Copyright © 1993-1999 Microsoft Corp.
O1 - Hosts: #
O1 - Hosts: # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
O1 - Hosts: #
O1 - Hosts: # This file contains the mappings of IP addresses to host names. Each
O1 - Hosts: # entry should be kept on an individual line. The IP address should
O1 - Hosts: # be placed in the first column followed by the corresponding host name.
O1 - Hosts: # The IP address and the host name should be separated by at least one
O1 - Hosts: # space.
O1 - Hosts: #
O1 - Hosts: # Additionally, comments (such as these) may be inserted on individual
O1 - Hosts: # lines or following the machine name denoted by a '#' symbol.
O1 - Hosts: #
O1 - Hosts: # For example:
O1 - Hosts: #
O1 - Hosts: # 102.54.94.97 rhino.acme.com # source server
O1 - Hosts: # 38.25.63.10 x.acme.com # x client host
O1 - Hosts: 127.0.0.1 localhost
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DSL Monitor] C:\Program Files\Efficient Networks\SpeedStream DSL\SPDSTRM.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [WP Companion] C:\PROGRA~1\CU-SEE~1\Amigo.exe -minimize
O4 - HKLM\..\Run: [WP Call Notification] C:\PROGRA~1\CU-SEE~1\NOTIFI~1.EXE
O4 - HKLM\..\Run: [hplampc] C:\WINDOWS\system32\hplampc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winrnr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rsvpsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rsvpsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O12 - Plugin for .efp: C:\Program Files\Internet Explorer\Plugins\NPEFPrn.dll
O12 - Plugin for .efv: C:\Program Files\Internet Explorer\Plugins\NPEFV.dll
O12 - Plugin for .fmp: C:\Program Files\Internet Explorer\Plugins\NPFMP.dll
O12 - Plugin for .fmr: C:\Program Files\Internet Explorer\Plugins\NPFME.dll
O12 - Plugin for .ifx: C:\Program Files\Internet Explorer\Plugins\NPWebPrn.dll
O12 - Plugin for .lfx: C:\Program Files\Internet Explorer\Plugins\NPLaunch.dll
O12 - Plugin for .mwp: C:\Program Files\Internet Explorer\Plugins\NPMWPrn.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\System32\msvidctl.dll
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\System32\msvidctl.dll
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\System32\inetcomm.dll
O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\System32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: vnd.ms.radio - {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINDOWS\System32\msdxm.ocx
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\System32\wiascr.dll
O18 - Filter: application/octet-stream - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll
O18 - Filter: application/x-complus - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll
O18 - Filter: application/x-msdownload - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll
O18 - Filter: Class Install Handler - {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll
O18 - Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll
O18 - Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll
O18 - Filter: lzdhtml - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll
O18 - Filter: text/webviewhtml - {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\SHELL32.dll
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\SHELL32.dll
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\SHELL32.dll
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\System32\webcheck.dll
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\System32\stobject.dll
O23 - Service: Alerter - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Application Layer Gateway Service (ALG) - Microsoft Corporation - C:\WINDOWS\System32\alg.exe
O23 - Service: Application Management (AppMgmt) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Microsoft Corporation - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
O23 - Service: Windows Audio (AudioSrv) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Computer Browser (Browser) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Indexing Service (cisvc) - Microsoft Corporation - C:\WINDOWS\system32\cisvc.exe
O23 - Service: ClipBook (ClipSrv) - Microsoft Corporation - C:\WINDOWS\system32\clipsrv.exe
O23 - Service: COM+ System Application (COMSysApp) - Microsoft Corporation - C:\WINDOWS\System32\dllhost.exe
O23 - Service: Cryptographic Services (CryptSvc) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: DHCP Client (Dhcp) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Microsoft Corp., Veritas Software - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Logical Disk Manager (dmserver) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: DNS Client (Dnscache) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Error Reporting Service (ERSvc) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Event Log (Eventlog) - Microsoft Corporation - C:\WINDOWS\system32\services.exe
O23 - Service: COM+ Event System (EventSystem) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Fast User Switching Compatibility (FastUserSwitchingCompatibility) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: GearSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Help and Support (helpsvc) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Microsoft Corporation - C:\WINDOWS\System32\imapi.exe
O23 - Service: Server (lanmanserver) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Workstation (lanmanworkstation) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: TCP/IP NetBIOS Helper (LmHosts) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Messenger - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\System32\mgabg.exe
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Microsoft Corporation - C:\WINDOWS\System32\mnmsrvc.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Microsoft Corporation - C:\WINDOWS\System32\msdtc.exe
O23 - Service: Windows Installer (MSIServer) - Microsoft Corporation - C:\WINDOWS\System32\msiexec.exe
O23 - Service: Network DDE (NetDDE) - Microsoft Corporation - C:\WINDOWS\system32\netdde.exe
O23 - Service: Network DDE DSDM (NetDDEdsdm) - Microsoft Corporation - C:\WINDOWS\system32\netdde.exe
O23 - Service: Net Logon (Netlogon) - Microsoft Corporation - C:\WINDOWS\System32\lsass.exe
O23 - Service: Network Connections (Netman) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Network Location Awareness (NLA) (Nla) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Microsoft Corporation - C:\WINDOWS\System32\lsass.exe
O23 - Service: Removable Storage (NtmsSvc) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Plug and Play (PlugPlay) - Microsoft Corporation - C:\WINDOWS\system32\services.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: IPSEC Services (PolicyAgent) - Microsoft Corporation - C:\WINDOWS\System32\lsass.exe
O23 - Service: Protected Storage (ProtectedStorage) - Microsoft Corporation - C:\WINDOWS\system32\lsass.exe
O23 - Service: Remote Access Auto Connection Manager (RasAuto) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Remote Access Connection Manager (RasMan) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Microsoft Corporation - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Microsoft Corporation - C:\WINDOWS\System32\locator.exe
O23 - Service: Remote Procedure Call (RPC) (RpcSs) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: QoS RSVP (RSVP) - Microsoft Corporation - C:\WINDOWS\System32\rsvp.exe
O23 - Service: Security Accounts Manager (SamSs) - Microsoft Corporation - C:\WINDOWS\system32\lsass.exe
O23 - Service: Smart Card Helper (SCardDrv) - Microsoft Corporation - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Smart Card (SCardSvr) - Microsoft Corporation - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Task Scheduler (Schedule) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Secondary Logon (seclogon) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: System Event Notification (SENS) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) (SharedAccess) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Shell Hardware Detection (ShellHWDetection) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Print Spooler (Spooler) - Microsoft Corporation - C:\WINDOWS\system32\spoolsv.exe
O23 - Service: System Restore Service (srservice) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: SSDP Discovery Service (SSDPSRV) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Windows Image Acquisition (WIA) (stisvc) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: MS Software Shadow Copy Provider (SwPrv) - Microsoft Corporation - C:\WINDOWS\System32\dllhost.exe
O23 - Service: Performance Logs and Alerts (SysmonLog) - Microsoft Corporation - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Telephony (TapiSrv) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Terminal Services (TermService) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Themes - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Distributed Link Tracking Client (TrkWks) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Microsoft Corporation - C:\WINDOWS\System32\wdfmgr.exe
O23 - Service: Upload Manager (uploadmgr) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Universal Plug and Play Device Host (upnphost) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Microsoft Corporation - C:\WINDOWS\System32\ups.exe
O23 - Service: Volume Shadow Copy (VSS) - Microsoft Corporation - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Windows Time (W32Time) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: WebClient - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Windows Management Instrumentation (winmgmt) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Portable Media Serial Number Service (WmdmPmSN) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Portable Media Serial Number (WmdmPmSp) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Microsoft Corporation - C:\WINDOWS\System32\wbem\wmiapsrv.exe
O23 - Service: Automatic Updates (wuauserv) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Wireless Zero Configuration (WZCSVC) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
  • 0

#14
Avohir

Avohir

    Visiting Staff

  • Visiting Consultant
  • 1,002 posts
at any point here did you try uninstalling and reinstalling the driver for your modem?

also, whats the make and model of your modem

Edited by Avohir, 08 November 2005 - 12:01 AM.

  • 0

#15
rafter

rafter

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
No, I haven't done anything with the modem driver. The modem is an Efficient Networks SpeedStream 4060.

Edited by rafter, 08 November 2005 - 12:12 AM.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP