smitfraud trojan - Page 2

Thread: smitfraud trojan

  1. #16
    Join Date
    Nov 2007
    Posts
    33
    Sorry, my last post didn't show up when I was trying to see the website, so I reposted something similar, please disregard and I'll act on what you posted as a response and repost.

    Thanks

  2. #17
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    Please, go back to my previous post, and answer my questions.

  3. #18
    Join Date
    Nov 2007
    Posts
    33
    OK, I deleted those 2 registry items and rebooted, here are the answers and the newest HJT log.

    Firewall - it's off, but both the on and off options are greyed out and there's a banner across the top saying "For your security, some settings are controlled by group policy" so I assume that's something my company has set up?


    Safe mode - I do hit F8 until I get the list of options, then I arrow to "Safe mode" and hit enter, then I get the prompt to press alt-ctrl-delete to log on. I do that and get the user name/password prompt, and I enter both, that's when I get the error message.

    Hidden files - Yes, I did check the "show hidden files" box, and more files did appear, but I didn't see any of those 3 files you mentioned.

    Spybot - unfortunately I didn't allow them, anything to do with registry changes worried me so I denied them. Do I need to go back over your last post and redo this?

    IE - I found a roundabout way, I open "my computer" and can enter a website from there to be able to post. If I just try to launch IE, I get that error message. Oddly enough, if I go into "my computer" and then to a website, anything I click on that opens a new page opens it in IE.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:02:30 PM, on 4/27/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    c:\Program Files\Cisco Systems\Cisco Secure Services Client\ConnectionClient.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\RCSERV.EXE
    C:\Program Files\Webroot\Enterprise\Spy Sweeper\commagent.exe
    C:\Program Files\Webroot\Enterprise\Spy Sweeper\spysweeper.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\sessmgr.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Apoint\HidFind.exe
    C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\WINDOWS\system32\NWTRAY.EXE
    C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.exe
    C:\Program Files\DNA\btdna.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\iPass\iPassConnect\IPassConnectGUI.exe
    C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
    C:\Documents and Settings\qurja1\Desktop\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/windows/homepage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = file://c:/windows/homepage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = file://c:/windows/homepage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Graco Inc.
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy:8080
    O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
    O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
    O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
    O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {5DF4E179-1574-41FA-95BC-5DB5797509CA} - (no file)
    O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
    O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
    O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
    O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: (no name) - {E6BE4D59-51BA-4E3C-86EC-BB858BD5B0DC} - (no file)
    O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
    O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
    O2 - BHO: Microsoft copyright - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - sockots64.dll (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [lcfep] "C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe"
    O4 - HKLM\..\Run: [SwdisUsrPCN.PC7835] "C:\PROGRA~1\Tivoli\lcf\dat\1\cache\lib\w32-ix86\wdusrpcn.exe" "C:\Program Files\Tivoli\swdis\1\wdusrpcn.env"
    O4 - HKLM\..\Run: [iPCCheck] "C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe" /startup
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [SpySweeperEnterprise] "C:\Program Files\Webroot\Enterprise\Spy Sweeper\\SpySweeperUI.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
    O4 - HKLM\..\Run: [advap32] C:\WINDOWS\TEMP\3323.tmp/r
    O4 - HKLM\..\RunOnce: [SpybotDeletingA2964] command /c del "C:\WINDOWS\stcloader.exe"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC9082] cmd /c del "C:\WINDOWS\stcloader.exe"
    O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [Utrn] "C:\DOCUME~1\qurja1\MYDOCU~1\CROSOF~1\tracert.exe" -vt yazb
    O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
    O4 - HKCU\..\RunOnce: [SpybotDeletingB73] command /c del "C:\WINDOWS\stcloader.exe"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD5154] cmd /c del "C:\WINDOWS\stcloader.exe"
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: iPassConnect.lnk = C:\Program Files\iPass\iPassConnect\IPassConnectGUI.exe
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10...y.cab55579.cab
    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab55579.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
    O16 - DPF: {CAFECAFE-0013-0001-0023-ABCDEFABCDEF} (JInitiator 1.3.1.23) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10...y.cab55579.cab
    O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames...n.cab55579.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = msp.graco.com
    O17 - HKLM\Software\..\Telephony: DomainName = msp.graco.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = msp.graco.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = msp.graco.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = msp.graco.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = msp.graco.com
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = msp.graco.com
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = msp.graco.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = msp.graco.com
    O20 - Winlogon Notify: hgGvSIxY - C:\WINDOWS\
    O20 - Winlogon Notify: mdc - C:\WINDOWS\SYSTEM32\SsoWindows.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Cisco Secure Services Client - Cisco Systems - c:\Program Files\Cisco Systems\Cisco Secure Services Client\ConnectionClient.exe
    O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: Tivoli Remote Control Service (TME10RC) - TIVOLI Systems - C:\WINDOWS\RCSERV.EXE
    O23 - Service: Webroot CommAgent Service (WebrootCommAgentService) - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\commagent.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\spysweeper.exe

    --
    End of file - 10998 bytes

  4. #19
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    I don't know what's going on here.
    HJT was almost clean, and now it's back to where it was at the very beginning.
    You sure you posted the current HJT log?

  5. #20
    Join Date
    Nov 2007
    Posts
    33
    Pretty sure, whenever I create a new one I save it with the default name so it replaces the old one. I did run Malwarebytes and Superantispyware again, they still find a couple things but nowhere near as many as they used to. Here's the latest HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:20:51 AM, on 4/28/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    c:\Program Files\Cisco Systems\Cisco Secure Services Client\ConnectionClient.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\RCSERV.EXE
    C:\Program Files\Webroot\Enterprise\Spy Sweeper\commagent.exe
    C:\Program Files\Webroot\Enterprise\Spy Sweeper\spysweeper.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Apoint\HidFind.exe
    C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
    C:\Program Files\NavNT\vptray.exe
    C:\WINDOWS\system32\NWTRAY.EXE
    C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.exe
    C:\Program Files\DNA\btdna.exe
    C:\Program Files\iPass\iPassConnect\IPassConnectGUI.exe
    C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\notes\NLNOTES.EXE
    C:\notes\ntaskldr.EXE
    C:\Program Files\Microsoft Office\Office\EXCEL.EXE
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\Documents and Settings\qurja1\Desktop\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/windows/homepage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = file://c:/windows/homepage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Graco Inc.
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy:8080
    O2 - BHO: (no name) - {5DF4E179-1574-41FA-95BC-5DB5797509CA} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: (no name) - {E6BE4D59-51BA-4E3C-86EC-BB858BD5B0DC} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [lcfep] "C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe"
    O4 - HKLM\..\Run: [SwdisUsrPCN.PC7835] "C:\PROGRA~1\Tivoli\lcf\dat\1\cache\lib\w32-ix86\wdusrpcn.exe" "C:\Program Files\Tivoli\swdis\1\wdusrpcn.env"
    O4 - HKLM\..\Run: [iPCCheck] "C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe" /startup
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [SpySweeperEnterprise] "C:\Program Files\Webroot\Enterprise\Spy Sweeper\\SpySweeperUI.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
    O4 - HKCU\..\Run: [Utrn] "C:\DOCUME~1\qurja1\MYDOCU~1\CROSOF~1\tracert.exe" -vt yazb
    O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: iPassConnect.lnk = C:\Program Files\iPass\iPassConnect\IPassConnectGUI.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10...y.cab55579.cab
    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab55579.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
    O16 - DPF: {CAFECAFE-0013-0001-0023-ABCDEFABCDEF} (JInitiator 1.3.1.23) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10...y.cab55579.cab
    O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames...n.cab55579.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = msp.graco.com
    O17 - HKLM\Software\..\Telephony: DomainName = msp.graco.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = msp.graco.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = msp.graco.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = msp.graco.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = msp.graco.com
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = msp.graco.com
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = msp.graco.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = msp.graco.com
    O20 - Winlogon Notify: hgGvSIxY - C:\WINDOWS\
    O20 - Winlogon Notify: mdc - C:\WINDOWS\SYSTEM32\SsoWindows.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Cisco Secure Services Client - Cisco Systems - c:\Program Files\Cisco Systems\Cisco Secure Services Client\ConnectionClient.exe
    O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: Tivoli Remote Control Service (TME10RC) - TIVOLI Systems - C:\WINDOWS\RCSERV.EXE
    O23 - Service: Webroot CommAgent Service (WebrootCommAgentService) - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\commagent.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\spysweeper.exe

    --
    End of file - 8757 bytes

  6. #21
    Join Date
    Nov 2007
    Posts
    33
    I tried to fix the IE issue by installing IE 7, but once I did that I still couldn't get to a website, plus whenever I tried my work-around of opening up My Computer and using that to get to a website, it tried to use IE anyway so I wasn't able to get online at all. I uninstalled IE 7, here's the latest HJT log after that. Not sure if it makes a difference but I figured it'd be best to post the latest and greatest.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:01:59 PM, on 4/28/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    c:\Program Files\Cisco Systems\Cisco Secure Services Client\ConnectionClient.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\RCSERV.EXE
    C:\Program Files\Webroot\Enterprise\Spy Sweeper\commagent.exe
    C:\Program Files\Webroot\Enterprise\Spy Sweeper\spysweeper.exe
    C:\WINDOWS\system32\sessmgr.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe
    C:\Program Files\Apoint\HidFind.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\WINDOWS\system32\userinit.exe
    C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\WINDOWS\system32\NWTRAY.EXE
    C:\Documents and Settings\qurja1\Desktop\HiJackThis.exe
    C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.exe
    C:\Program Files\DNA\btdna.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\iPass\iPassConnect\IPassConnectGUI.exe
    C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/windows/homepage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = file://c:/windows/homepage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Graco Inc.
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy:8080
    O2 - BHO: (no name) - {5DF4E179-1574-41FA-95BC-5DB5797509CA} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: (no name) - {E6BE4D59-51BA-4E3C-86EC-BB858BD5B0DC} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [lcfep] "C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe"
    O4 - HKLM\..\Run: [SwdisUsrPCN.PC7835] "C:\PROGRA~1\Tivoli\lcf\dat\1\cache\lib\w32-ix86\wdusrpcn.exe" "C:\Program Files\Tivoli\swdis\1\wdusrpcn.env"
    O4 - HKLM\..\Run: [iPCCheck] "C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe" /startup
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [SpySweeperEnterprise] "C:\Program Files\Webroot\Enterprise\Spy Sweeper\\SpySweeperUI.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
    O4 - HKCU\..\Run: [Utrn] "C:\DOCUME~1\qurja1\MYDOCU~1\CROSOF~1\tracert.exe" -vt yazb
    O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: iPassConnect.lnk = C:\Program Files\iPass\iPassConnect\IPassConnectGUI.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10...y.cab55579.cab
    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab55579.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
    O16 - DPF: {CAFECAFE-0013-0001-0023-ABCDEFABCDEF} (JInitiator 1.3.1.23) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10...y.cab55579.cab
    O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames...n.cab55579.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = msp.graco.com
    O17 - HKLM\Software\..\Telephony: DomainName = msp.graco.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = msp.graco.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = msp.graco.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = msp.graco.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = msp.graco.com
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = msp.graco.com
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = msp.graco.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = msp.graco.com
    O20 - Winlogon Notify: hgGvSIxY - C:\WINDOWS\
    O20 - Winlogon Notify: mdc - C:\WINDOWS\SYSTEM32\SsoWindows.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Cisco Secure Services Client - Cisco Systems - c:\Program Files\Cisco Systems\Cisco Secure Services Client\ConnectionClient.exe
    O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: Tivoli Remote Control Service (TME10RC) - TIVOLI Systems - C:\WINDOWS\RCSERV.EXE
    O23 - Service: Webroot CommAgent Service (WebrootCommAgentService) - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\commagent.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\spysweeper.exe

    --
    End of file - 8854 bytes

  7. #22
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    This is better...

    Open HJT, and checkmark following entries:
    - O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
    - O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe

    They're almost identical, so make sure they're both checked.
    Click "Fix checked" button.

    Go to Windows Explorer, and delete:
    spools.exe file from C:\WINDOWS\system32
    Let me know if you found the file, and if it let you delete it.
    Don't restart computer, yet.

  8. #23
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    BTW, what type of keyboard are you using, wireless, USB, or PS/2?

  9. #24
    Join Date
    Nov 2007
    Posts
    33
    I made the HJT changes, and as a side note, IE is now working, although I do still get the "Cannot find file:///c:/windows/homepage.html. Make sure the path or internet address is correct" error message before it starts. Earlier it wouldn't go to a website, now it does after I get that message.

    The computer is a laptop, so the keyboard is just the laptop keyboard.

    I did try to find that file, made sure that hidden files were being shown, but there's no spools.exe file. There is a spoolsv.exe, but that's as close as I can find to the one you mentioned.

    Here's the latest HJT log after I made the changes you suggested:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:58:57 PM, on 4/28/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    c:\Program Files\Cisco Systems\Cisco Secure Services Client\ConnectionClient.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\RCSERV.EXE
    C:\Program Files\Webroot\Enterprise\Spy Sweeper\commagent.exe
    C:\Program Files\Webroot\Enterprise\Spy Sweeper\spysweeper.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\sessmgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Apoint\HidFind.exe
    C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\WINDOWS\system32\NWTRAY.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.exe
    C:\Program Files\Webroot\Enterprise\Spy Sweeper\SSU.EXE
    C:\Program Files\DNA\btdna.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\iPass\iPassConnect\IPassConnectGUI.exe
    C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
    C:\Documents and Settings\qurja1\Desktop\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/windows/homepage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = file://c:/windows/homepage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Graco Inc.
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy:8080
    O2 - BHO: (no name) - {5DF4E179-1574-41FA-95BC-5DB5797509CA} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: (no name) - {E6BE4D59-51BA-4E3C-86EC-BB858BD5B0DC} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [lcfep] "C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe"
    O4 - HKLM\..\Run: [SwdisUsrPCN.PC7835] "C:\PROGRA~1\Tivoli\lcf\dat\1\cache\lib\w32-ix86\wdusrpcn.exe" "C:\Program Files\Tivoli\swdis\1\wdusrpcn.env"
    O4 - HKLM\..\Run: [iPCCheck] "C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe" /startup
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [SpySweeperEnterprise] "C:\Program Files\Webroot\Enterprise\Spy Sweeper\\SpySweeperUI.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
    O4 - HKCU\..\Run: [Utrn] "C:\DOCUME~1\qurja1\MYDOCU~1\CROSOF~1\tracert.exe" -vt yazb
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: iPassConnect.lnk = C:\Program Files\iPass\iPassConnect\IPassConnectGUI.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10...y.cab55579.cab
    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab55579.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
    O16 - DPF: {CAFECAFE-0013-0001-0023-ABCDEFABCDEF} (JInitiator 1.3.1.23) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10...y.cab55579.cab
    O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames...n.cab55579.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = msp.graco.com
    O17 - HKLM\Software\..\Telephony: DomainName = msp.graco.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = msp.graco.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = msp.graco.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = msp.graco.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = msp.graco.com
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = msp.graco.com
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = msp.graco.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = msp.graco.com
    O20 - Winlogon Notify: hgGvSIxY - C:\WINDOWS\
    O20 - Winlogon Notify: mdc - C:\WINDOWS\SYSTEM32\SsoWindows.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Cisco Secure Services Client - Cisco Systems - c:\Program Files\Cisco Systems\Cisco Secure Services Client\ConnectionClient.exe
    O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: Tivoli Remote Control Service (TME10RC) - TIVOLI Systems - C:\WINDOWS\RCSERV.EXE
    O23 - Service: Webroot CommAgent Service (WebrootCommAgentService) - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\commagent.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\spysweeper.exe

    --
    End of file - 8791 bytes

  10. #25
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    It looks pretty good...

    Open HJT again, and checkmark:
    - O2 - BHO: (no name) - {5DF4E179-1574-41FA-95BC-5DB5797509CA} - (no file)
    - O2 - BHO: (no name) - {E6BE4D59-51BA-4E3C-86EC-BB858BD5B0DC} - (no file)
    Click Fix checked button.

    Restart computer. Give me fresh HJT log.

    As for IE, change your home page to "blank", restart IE, and change your home page to whatever you want.
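
    The helper in this thread works by diffing successive HJT logs: fix a few entries, ask for a fresh log, check that the lines are gone and that nothing new has appeared. The script below is an added example (not part of the thread, and not HijackThis's own code) that does that comparison mechanically: it parses the "Onn - ..." entry lines out of two logs, lists what disappeared between them, and applies three review heuristics that are assumptions of this example, not verdicts: registrations pointing at "(no file)", Run-key targets living under a user profile directory, and Winlogon Notify entries that name a directory rather than a DLL. The two short logs embedded in it are constructed from lines quoted in this thread, trimmed to a handful of entries.

```python
"""Parse and diff HijackThis (HJT) logs, and flag entries worth a second look.

Added example for this thread; the heuristics are this example's assumptions.
The sample logs are constructed from entries quoted in the thread.
"""
import re
from typing import Dict, List, Optional, Tuple

# An HJT entry line: a section code (R0, O2, O4, O20, ...), " - ", then the entry.
# Process-list lines, "Logfile of ..." and "End of file" do not match and are skipped.
ENTRY_RE = re.compile(r"^\s*([RFNO]\d{1,2})\s+-\s+(.*\S)\s*$")

# Matches a path that sits below a user profile (short or long form).
USER_PROFILE_RE = re.compile(r"\\(DOCUME~1|Documents and Settings)\\", re.IGNORECASE)

Entry = Tuple[str, str]  # (section code, entry text)


def parse_hjt(log: str) -> List[Entry]:
    """Return (section, text) for every entry line in an HJT log."""
    entries: List[Entry] = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def diff_logs(before: str, after: str) -> Tuple[List[Entry], List[Entry]]:
    """Entries only in `before` (removed by the fix) and only in `after` (new)."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))
    return sorted(b - a), sorted(a - b)


def review_reason(entry: Entry) -> Optional[str]:
    """Heuristic reason to look at an entry manually, or None. Not a malware verdict."""
    section, text = entry
    if section in ("O2", "O3", "O9") and text.endswith("(no file)"):
        return "orphaned registration: no file on disk"
    if section == "O4" and USER_PROFILE_RE.search(text):
        return "autorun target lives under a user profile directory"
    if section == "O20" and text.endswith("\\"):
        return "Winlogon Notify entry names a directory, not a DLL"
    return None


def review(log: str) -> Dict[Entry, str]:
    """Map each flagged entry in `log` to its review reason."""
    flagged: Dict[Entry, str] = {}
    for entry in parse_hjt(log):
        reason = review_reason(entry)
        if reason:
            flagged[entry] = reason
    return flagged


# Constructed excerpts: the entries below are quoted from the thread, the rest of each
# log is omitted. BEFORE is the state before "Fix checked", AFTER is after it.
BEFORE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
O2 - BHO: (no name) - {5DF4E179-1574-41FA-95BC-5DB5797509CA} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [Utrn] "C:\DOCUME~1\qurja1\MYDOCU~1\CROSOF~1\tracert.exe" -vt yazb
O20 - Winlogon Notify: hgGvSIxY - C:\WINDOWS\
End of file - 8854 bytes
"""

AFTER_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [Utrn] "C:\DOCUME~1\qurja1\MYDOCU~1\CROSOF~1\tracert.exe" -vt yazb
O20 - Winlogon Notify: hgGvSIxY - C:\WINDOWS\
End of file - 8791 bytes
"""

if __name__ == "__main__":
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("Removed since the previous log:")
    for sec, text in removed:
        print(f"  {sec} - {text}")
    print("New since the previous log:", added or "none")
    print("Entries to review by hand:")
    for (sec, text), why in review(AFTER_LOG).items():
        print(f"  {sec} - {text}\n      -> {why}")
```

Run it against two real logs by reading them from files into `BEFORE_LOG` and `AFTER_LOG`; the heuristics deliberately stay narrow so that a flag means "go look at the file on disk", as the helper does by hand above, rather than "delete this".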

  11. #26
    Join Date
    Nov 2007
    Posts
    33
    Here's the new HJT log. As for IE, my company has an internal website with all kinds of information, forms, profiles, etc, that was the home page, so I'm guessing I just need to get the file its looking for and put it where it belongs. At least it works now.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:32:15 PM, on 4/28/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    c:\Program Files\Cisco Systems\Cisco Secure Services Client\ConnectionClient.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\RCSERV.EXE
    C:\Program Files\Webroot\Enterprise\Spy Sweeper\commagent.exe
    C:\Program Files\Webroot\Enterprise\Spy Sweeper\spysweeper.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\sessmgr.exe
    C:\Program Files\Webroot\Enterprise\Spy Sweeper\SSU.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
    C:\Program Files\Apoint\HidFind.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\WINDOWS\system32\NWTRAY.EXE
    C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.exe
    C:\Program Files\DNA\btdna.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iPass\iPassConnect\IPassConnectGUI.exe
    C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\qurja1\Desktop\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///c:/windows/homepage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/windows/homepage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = file://c:/windows/homepage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Graco Inc.
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy:8080
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [lcfep] "C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe"
    O4 - HKLM\..\Run: [SwdisUsrPCN.PC7835] "C:\PROGRA~1\Tivoli\lcf\dat\1\cache\lib\w32-ix86\wdusrpcn.exe" "C:\Program Files\Tivoli\swdis\1\wdusrpcn.env"
    O4 - HKLM\..\Run: [iPCCheck] "C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe" /startup
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [SpySweeperEnterprise] "C:\Program Files\Webroot\Enterprise\Spy Sweeper\\SpySweeperUI.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
    O4 - HKCU\..\Run: [Utrn] "C:\DOCUME~1\qurja1\MYDOCU~1\CROSOF~1\tracert.exe" -vt yazb
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: iPassConnect.lnk = C:\Program Files\iPass\iPassConnect\IPassConnectGUI.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10...y.cab55579.cab
    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab55579.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
    O16 - DPF: {CAFECAFE-0013-0001-0023-ABCDEFABCDEF} (JInitiator 1.3.1.23) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10...y.cab55579.cab
    O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames...n.cab55579.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = msp.graco.com
    O17 - HKLM\Software\..\Telephony: DomainName = msp.graco.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = msp.graco.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = msp.graco.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = msp.graco.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = msp.graco.com
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = msp.graco.com
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = msp.graco.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = msp.graco.com
    O20 - Winlogon Notify: hgGvSIxY - C:\WINDOWS\
    O20 - Winlogon Notify: mdc - C:\WINDOWS\SYSTEM32\SsoWindows.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Cisco Secure Services Client - Cisco Systems - c:\Program Files\Cisco Systems\Cisco Secure Services Client\ConnectionClient.exe
    O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: Tivoli Remote Control Service (TME10RC) - TIVOLI Systems - C:\WINDOWS\RCSERV.EXE
    O23 - Service: Webroot CommAgent Service (WebrootCommAgentService) - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\commagent.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\spysweeper.exe

    --
    End of file - 8587 bytes

  12. #27
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    The log looks good.
    Before we proceed with the last step...any other problems?

  13. #28
    Join Date
    Nov 2007
    Posts
    33
    I don't think so, everything seems to be working back to normal if I can just get the homepage issue resolved at work. Would it pay to rescan with Malwarebytes and/or SuperAntiSpyware?

  14. #29
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    No.
    We'll return to home page issue, but first....

    1. Download, and install CCleaner: http://www.ccleaner.com/download/builds. Get "Slim" version.
    Read CCleaner instruction here: http://www.jahewi.nl/ccleaner/ccleaner.html.
    Run CCleaner.

    2. Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    3. Restart computer.

    4. Turn System Restore on.

    5. Download, and install free ThreatFire: http://www.threatfire.com/, which will give you real-time protection against malware.
    It won't interfere with your antivirus or firewall.

    Post back, when done.

  15. #30
    Join Date
    Nov 2007
    Posts
    33
    OK, I did everything on your list, and right after I installed ThreatFire, I got a warning saying "An application has performed an action that is potentially malicious"

    risk: high
    Name: LCFD.EXE
    Path: C:\PROGRAM FILES\TIVOLI\LCF\BIN\W32-IX86\MRT

    Tivoli is something that starts up automatically as part of my work's systems, so I'm guessing it's probably OK, but I figured I'd ask before I allow it.

    Also, for some reason today IE doesn't work again, very confusing. I get the same home page error, but last night I just clicked on OK and then I could navigate to websites, this morning nothing loads again.
