This is actually a log from my friend's computer... she did a virus scan with a free program I'd never heard of called Avast!, and it found some malicious files but could not get rid of them. She also has a free edition of Ad-Aware that couldn't seem to do anything. She's able to access AIM and send and receive files through it (that's how I sent her the HijackThis program), but whenever she tries to access the internet, no pages will load. It just shows a blank screen no matter what URL she types in.
I hope someone can help me help my friend :/ So please respond if you can find anything in this:
Logfile of HijackThis v1.99.1
Scan saved at 4:53:24 PM, on 11/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\FSGK32.EXE
C:\Program Files\Charter High-Speed Security Suite\Common\FSMB32.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fssm32.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FCH32.EXE
C:\Program Files\SiteAdvisor\4608\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsqh.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE
C:\Program Files\Common Files\AOL\1135091541\ee\AOLSoftware.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\SiteAdvisor\4608\SiteAdv.exe
C:\Program Files\Hewlett-Packard\hp deskjet 460 series\Toolbox\HPWRTBX.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\BigFix\BigFix.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\4608\SiteAdv.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\4608\SiteAdv.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Gateway Extended Warranty] "C:\Program Files\Gateway\GWCares\GWCares.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135091541\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [msclean] C:\WINDOWS\msclean.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [IEVALUES] C:\hiden3.exe
O4 - HKLM\..\Run: [syshost.exe] C:\prox.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Charter High-Speed Security Suite\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\4608\SiteAdv.exe
O4 - HKLM\..\Run: [HPWRTOOLBOX] C:\Program Files\Hewlett-Packard\hp deskjet 460 series\Toolbox\HPWRTBX.exe "-i"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKCU\..\Run: [MECA] C:\Program Files\Meca\\Meca.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\Charter High-Speed Security Suite\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZCfox000
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Charter High-Speed Security Suite\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Charter High-Speed Security Suite\Anti-Spyware\ieshield.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\4608\SiteAdv.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FSPC\fshttps\fshttps.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\4608\SAService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
HijackThis log-- can someone analyze it?
Started by dkoontz, Nov 09 2007 10:26 PM
1 reply to this topic
#1 Posted 09 November 2007 - 10:26 PM (the log above)
#2 Posted 14 November 2007 - 03:33 PM
Hi Dkoontz, Welcome to the forum
Quote
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
It looks like they may have removed some of PureSight's Internet Content Filter, which might be the reason the connection isn't working correctly
http://www.puresight...upport_kb.shtml
Quote
Why is all Internet access disabled?
1. Check at the Access Time Table tab and see if the Internet Access is disabled for the current time.
2. Check the Web Filters tab and see if the policy for the logged in user is Block All Sites Except.
3. Open a browser window and go to http://www.google.com , if the page is redirected to Deleted configuration, Deleted files and follow instruction on page.
Quote
I've deleted some files from the PureSight directory, and my Internet is blocked
Please go to the link:
- PureSight PC 3.1 -
http://www2.puresigh.../static/1.shtml
- PureSight PC version 2.6.4 -
http://www.puresight...ad_blocked.html
Follow the instructions on-line.
If they still have PureSight Internet Content Filter then it's worth reinstalling it to fix the connection. If the program isn't still on the PC then they should go to Start > Run > type
cmd
Press OK then on the cmd screen type or copy/paste
netsh winsock reset
Then press Enter, wait for it to confirm that it's repaired the Winsock key, then type exit and press Enter to close the cmd screen and restart the PC.
How to determine and recover from Winsock2 corruption
Next, run HijackThis and choose Do A System Scan, then place a check next to these entries
O4 - HKLM\..\Run: [msclean] C:\WINDOWS\msclean.exe
O4 - HKLM\..\Run: [IEVALUES] C:\hiden3.exe
O4 - HKLM\..\Run: [syshost.exe] C:\prox.exe
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
Close all open browser and other windows except HijackThis, then press the Fix Checked button
Go to the Add/Remove screen (Start > Control Panel > Add or Remove Programs) and remove SpywareBot if it's listed. It used to be on the rogue programs list for attempting to trick novice users into thinking they were downloading the well-known Spybot Search & Destroy program, and they also used the name Search & Destroy on their web pages, so it's likely to cause more problems than it's capable of solving. If they did want to install the genuine Spybot S&D then that can be downloaded from here
http://www.safer-net...rors/index.html
If they get the Internet access repaired with the earlier command, then ask them to download AVG and run a full scan, then post back the log
Download AVG Anti-Spyware
- Load AVG and then click the Update tab at the top. Under Manual Update click Start update.
- After the update finishes (the status bar at the bottom will display "Update successful")
- Click on the Scanner tab at the top and then click on Complete System Scan
- AVG will list any infections found on the left, when the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG will then display "All actions have been applied" on the right.
- Click on "Save Report", then "Save Report As". This will create a text file which you can then save to the Desktop and post back
Thanks
Andy
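The reasoning Andy applies to the log above (Run entries launching executables from the drive root or loose in C:\WINDOWS, a value named like a system binary that actually launches a different file, a product the reply calls rogue, and the O10 line reporting a missing LSP DLL) can be turned into a small triage script. The following is an added example written for this page; it is not part of HijackThis and was not posted in the thread. The sample log lines are constructed after the entries quoted above, the WINDIR_ALLOWLIST and ROGUE_PRODUCTS sets are hypothetical placeholders a real deployment would fill from a known-good machine, and the output is a list of items for a human to check, not a verdict.

```python
"""Triage helper for HijackThis-style logs (added example, not a HijackThis feature)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in HijackThis v1.99.1 format, modelled on the
# entries quoted in this thread (not the complete log from the page).
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O4 - HKLM\\..\\Run: [SynTPLpr] C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe
O4 - HKLM\\..\\Run: [msclean] C:\\WINDOWS\\msclean.exe
O4 - HKLM\\..\\Run: [IEVALUES] C:\\hiden3.exe
O4 - HKLM\\..\\Run: [syshost.exe] C:\\prox.exe
O4 - HKCU\\..\\Run: [SpywareBot] C:\\Program Files\\SpywareBot\\SpywareBot.exe -boot
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O23 - Service: avast! Antivirus - ALWIL Software - C:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe
"""

# Hypothetical allow list of binaries expected directly under %WINDIR%;
# a real deployment would build this from a known-good machine.
WINDIR_ALLOWLIST = {"explorer.exe", "notepad.exe", "regedit.exe"}
# Product names the reply in this thread describes as rogue anti-spyware.
ROGUE_PRODUCTS = {"spywarebot"}

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
O10_RE = re.compile(r"^O10 - .*LSP provider '([^']+)' missing")
# A quoted path, or an unquoted path up to the first .exe/.sys/.dll.
PATH_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|sys|dll))', re.IGNORECASE)


@dataclass
class Finding:
    section: str   # HijackThis section, e.g. "O4" or "O10"
    subject: str   # path or DLL the finding is about
    reason: str    # why a human should look at it


def executable_path(command: str) -> Optional[str]:
    """Return the launched executable from a Run value's command string."""
    m = PATH_RE.match(command.strip())
    if not m:
        return None
    return m.group(1) or m.group(2)


def review_o4(hive: str, name: str, command: str) -> List[Finding]:
    """Apply simple location and naming heuristics to one O4 Run entry."""
    path = executable_path(command)
    if path is None:
        return [Finding("O4", f"{hive}\\..\\Run:[{name}]", "could not parse executable path")]
    parts = path.split("\\")
    filename = parts[-1].lower()
    parent = [p.lower() for p in parts[:-1]]
    findings = []
    # 1. Executable dropped directly in the drive root (C:\x.exe).
    if len(parent) == 1 and re.fullmatch(r"[a-z]:", parent[0]):
        findings.append(Finding("O4", path, "executable sits in the drive root"))
    # 2. Unknown executable loose in %WINDIR% rather than in a product folder.
    if len(parent) == 2 and parent[1] == "windows" and filename not in WINDIR_ALLOWLIST:
        findings.append(Finding("O4", path, "unknown executable directly under WINDIR"))
    # 3. Value named like a system binary but launching a different file.
    if name.lower().endswith(".exe") and name.lower() != filename:
        findings.append(Finding("O4", path, f"value name {name!r} does not match {filename!r}"))
    # 4. Product the thread identifies as rogue security software.
    if any(r in filename or r in name.lower() for r in ROGUE_PRODUCTS):
        findings.append(Finding("O4", path, "rogue security product"))
    return findings


def triage(log_text: str) -> List[Finding]:
    """Scan a HijackThis log and return entries worth a second look."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.rstrip())
        if m:
            findings.extend(review_o4(*m.groups()))
            continue
        m = O10_RE.match(line)
        if m:
            # The reply above attributes the dead web browsing to this entry.
            findings.append(Finding("O10", m.group(1),
                "LSP DLL missing from the Winsock catalog; reinstall the owning "
                "product or run 'netsh winsock reset' before further cleanup"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.subject:<45} {f.reason}")
```

Run against the constructed sample it reports exactly the five entries the reply singles out (the two root-level executables, msclean.exe under WINDOWS, SpywareBot, and the missing winsflt.dll LSP), and stays quiet on the QuickTime and Synaptics entries that live in their product folders.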