Hi!!! ok i see i need to do some reading back… bet you all wondered about me… its been ugly wahhh! ok i guess i did a silly thing… this morning before i went to work i downloaded comodo… ugh!! this might be more program than i can handle… i could not come back on for advice or help because i could not get back online period… ive messed with it forever and finally i had to lower all the securities just so i could get back in here… and some of the things its asked me to allow look scary to me and very suspicious… i wrote down as much info as i could but even when it looked like something safe and i allowed it i still could not connect to the internet until i let all its securities down im now working on the Allow All setting which i realize does not do a darn thing… just wanted to touch base and now ill read all posts that came while i was gone… not sure what i should do about this firewall… i can’t have something i can handle or get anywhere with… makes the computer no fun at all
Sasy

i read all that you guys posted and i sure hope i was not confused. i had posted everything i did to the point that i downloaded this firewall >:( and it stopped all contact… but on any other issues i have not done a thing i kinda thought i was caught up… but i know i need to try to sort through this firewall but as i said it may be more than i can handle…ill wait and see what you all say next…
Thanks
Susie

If something appears to be taking a little time to post, whilst the text input window is there I do the Ctrl+A, Ctrl+C, quick step so I have a copy should things go pear shaped. I don’t like using notepad, I use EditPad Lite a great little freeware program.

The problem is also you don’t get the style tabs in a text editor, but there is also http://www.pawsoft.com/?p=fass/home, which is an editor that has the BBS/Forum tags, handy when working off-line. I’m using the beta 0.9 version and no problem, the regular version is 0.8.

ugh and the problem is by coming in here with the securities down i am sure the stuff i wanted to keep out now gets back in… so now what… let me give you one of the messages i received while i had the securities up and i was trying to login here and the internet.
IEXPLORE EXE
ip 68.190.192.35 drt
Security considerations
C:\programFiles\updates from HP\309731\program\updates from HP exe has loaded Iadhide5.dll into Iexplore.exe using a global Hook which could be used by keyloggers to steal private information
now that i let the securities down to get in here i am sure its on my puter now… the message came up alot… that same security consideration came with this too
IEXPLORE.exe ip 68.109.192.35 port dns(53)-udp

If you did as suggested and Fixed the entry I mentioned in HJT if it isn’t there no problem.
O4 - HKLM..\Run: [d43d865d] rundll32.exe “C:\WINDOWS\system32\saabkqbh.dll”,b

As I mentioned, when you installed comodo you would likely have to watch out for ashWebSv.exe, or you wouldn’t be able to connect, and ashMaiSv.exe, or you wouldn’t be able to collect your email.

Presumably, since you are now on-line, you have overcome that problem with blocking?

Googling the file Iadhide5.dll returns many hits and it would appear to be (Part of Backweb {.com}, used for obtaining software updates) used by HP for updates, http://www.file.net/process/iadhide5.dll.html or http://www.neuber.com/taskmanager/process/iadhide5.dll.html

That is part of your HP printer and it is reporting back (which is why I dislike HP products)
The easy solution is to delete it, but it won’t go quietly; you will need to use OTMoveit.

Snap DavidR

David

“If you did as suggested and Fixed the entry I mentioned in HJT if it isn’t there no problem.
O4 - HKLM..\Run: [d43d865d] rundll32.exe “C:\WINDOWS\system32\saabkqbh.dll”,b”
yess i did take care of that … i took care of all steps from you and old man before i downloaded the firewall… and the only reason i made it here is… that i at this moment have the firewall set to ALLOW ALL… since i could not get in any other way… yes i did have the prompts come up which asked if i would allow or disallow them even if accepted it didn’t seem to make a difference on my getting in here… and for that matter most sounded too scary to allow… and if thats the case id never go onto the internet again… I am worried it might be more of a program than i can handle… but Im here and to be honest im not sure what we have left to do with my original problem… should we continue with the firewall on such a loose setting… would there be any easier of a program for me that maybe i could understand better? Im trying my best really I am. Please let me know what my next step should be!
tytytyty!!
Susie

Presumably, since you are now on-line, you have overcome that problem with blocking?

Let’s put it this way: you are no worse off by allowing all than you were, living in ignorance that XP’s firewall protected you ;D All firewalls that have outbound control are going to have this early learning curve as they ask about programs connecting to the internet.

By all accounts there is a learning mode which will see your activity and should see what is ‘theoretically normal usage’; unfortunately this can be as much of a hindrance as a help, as it may allow something that it shouldn’t (malware trying to get out). So there are no really easy options. One possibility is that there is a lower security setting that won’t pop up so many questions, only the more serious ones.

However, you will need to get into the comodo help file and find your way around it; there is a program control of sorts and that is where you would find the avast processes that are being blocked and allow them.

There is a pdf user guide on this page, quite big 4.7MB, http://www.personalfirewall.comodo.com/support.html. That may just be the same as clicking on the comodo ? help icon.

i will work with the firewall then… ty for all the good info… im not sure where we stand on the rest of the issues… am i done with everything do we think im clean now ? and what about the matter of msn messenger… or game desire. I may not even be done yet im just not sure… but in the mean time ill try to work on the firewall and get it squared away as best I can… Ill check back here in a bit.
Thank you
susie

tyty your last post helped me alot with the fire wall… i think im understanding it a bit better or lets hope… but i have moved the control back up to custom… and i seem to be getting around… I guess the trick is to be able to recognize the things you do not want in. But ty for your help and at least it is in place now so if i have more to do least i have that firewall now! :slight_smile:
Thanks
Susie and almost feeling Sasy again!!!

i may have forgotten about doing this one…i did not see where i had so here it is… im slow but sure!! let me know how you think I look… and is cribbage and messenger in my near future?? :slight_smile:

Deckard’s System Scanner v20071014.68
Run by HP_Owner on 2007-11-05 17:34:17
Computer is in Normal Mode.

Total Physical Memory: 504 MiB (512 MiB recommended).

– HijackThis (run as HP_Owner.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:34:27 PM, on 11/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\keyexp\KEYEXP.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\HP_Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\HP_Owner.exe

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {37AA797F-4221-44D7-A0DE-E859E65A8028} - (no file)
O2 - BHO: (no name) - {5E04F07E-7FFC-45B3-A374-37607849CF88} - C:\Program Files\NetMeeting\horewodeC:\DOCUME~1\HP_Owner\LOCALS~1\Temp\CEMG555077.exe.dll (file missing)
O2 - BHO: (no name) - {634BBAB7-3F60-4426-944F-A62B9007F67F} - C:\WINDOWS\system32\vtuvvuv.dll
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {A6E432B4-D4C2-43B3-BF55-C364F8F7362A} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: {eb356b69-de3f-6abb-55c4-c6e6ce898e5b} - {b5e898ec-6e6c-4c55-bba6-f3ed96b653be} - C:\WINDOWS\system32\ixdbxkrc.dll (file missing)
O2 - BHO: (no name) - {B82D34FF-CF6A-4A35-8CFE-624670B7994E} - C:\WINDOWS\system32\mljjg.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O2 - BHO: (no name) - {FCA2FF4F-FB29-46B7-BBC8-754A87CD1303} - C:\Program Files\NetMeeting\horewodeC:\WINDOWS\system32\g2\caws83122.exe.dll (file missing)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll

It might be a steep learning curve, but when you get to the top, the view and feeling are great ;D

I would have thought custom might present you with a lot of pop-ups; if there are any intermediate sensitivity/security settings, that may be better. Again, try to find it in the help file and see what the differences are in the sensitivity.

If there is anything that comodo is asking/challenging that you are unsure about, check the path: is it for a program folder you are familiar with, does the file name ring any bells, etc. Use google to search for the file name. If you aren’t sure, don’t automatically block (first make a note of the challenge: why, file name, location) nor automatically allow; check.

Sorry, I have zero experience of Comodo so I don’t know the correct terms or how it functions. My firewall, when it challenges, gives more than the usual yes/no: it allows you to block just this once or allow once, Or block or allow, Or set custom settings, so it is a little more complex and it isn’t free either.

Did you find the program/process control where applications get allowed or blocked, and I assume that you have done so and allowed the avast processes?

I would have thought you were close to being clean but I will leave that confirmation to oldman, mauserme or essexboy.

O4 - HKLM..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM..\Run: [HPHUPD06] c:\Program Files\HP{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM..\Run: [Reminder] “C:\Windows\Creator\Remind_XP.exe”
O4 - HKLM..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM..\Run: [AOL Spyware Protection] “C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe”
O4 - HKLM..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM..\Run: [HostManager] C:\Program Files\Common Files\AOL\1158686903\ee\AOLSoftware.exe
O4 - HKLM..\Run: [ProfileWatcher] C:\Program Files\ProfileWatcher\profilewatcher.exe
O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe”
O4 - HKLM..\Run: [COMODO Firewall Pro] “C:\Program Files\Comodo\Firewall\CPF.exe” /background
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU..\Run: [LogitechSoftwareUpdate] “C:\Program Files\Logitech\Video\ManifestEngine.exe” boot
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [Acme.PCHButton] C:\PROGRA~1\HELPAN~1\HPQ\XPXWWPP5\plugin\bin\PCHButton.exe
O4 - HKCU..\Run: [Yahoo! Pager] “C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE” -quiet
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Keyboard Express 2000.lnk = C:\Program Files\keyexp\KEYEXP.EXE
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: Add To HP Organize… - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {112857FE-03FF-11D5-9A3F-0080C8D85044} (GameDesire Solitaires) - http://67.15.101.3/g_bin/eng/solitaire_2_0_0_28.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GameDesire Card Games) - http://67.15.101.33/g_bin/eng/cards_2_0_0_75.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} (Ganymede Board Games) - http://67.15.101.33/g_bin/eng/boards_2_0_0_34.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1167880678454
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab55579.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab60231.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {E23FABEE-12E3-33DA-DA12-195DAC123984} (GameDesire Mahjong) - http://67.15.101.33/g_bin/eng/mahjong_2_0_0_29.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: vtuvvuv - C:\WINDOWS\SYSTEM32\vtuvvuv.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Program Files\InterMute\SpySubtract\CWShredder.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


End of file - 13024 bytes

– Files created between 2007-10-05 and 2007-11-05 -----------------------------

2007-11-05 16:14:44 0 d-------- C:\WINDOWS\LastGood
2007-11-05 16:01:27 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\Comodo
2007-11-05 08:40:08 0 d-------- C:\Documents and Settings\All Users\Application Data\Comodo
2007-11-05 08:29:46 0 d-------- C:\Program Files\Comodo
2007-11-05 04:56:26 325216 --a------ C:\WINDOWS\system32\mljjg.dll
2007-11-04 12:09:59 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-04 12:09:59 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2007-11-04 12:09:59 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2007-11-04 12:09:59 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2007-11-04 06:52:15 36352 --a------ C:\WINDOWS\system32\vtuvvuv.dll
2007-11-02 10:00:03 0 d-------- C:\Program Files\Trend Micro
2007-11-01 21:40:00 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-01 21:39:12 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-11-01 21:39:11 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\SUPERAntiSpyware.com
2007-11-01 21:36:47 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-28 11:13:33 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\Move Networks
2007-10-27 08:16:29 5029888 --a------ C:\Documents and Settings\HP_Owner\ntuser.dat
2007-10-22 06:01:37 0 d-------- C:\Temp
2007-10-19 17:28:35 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\Yahoo!
2007-10-19 17:28:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-10-19 17:26:38 0 d-------- C:\Program Files\Yahoo!

– Find3M Report ---------------------------------------------------------------

2007-11-05 16:02:47 0 d-------- C:\Program Files\Pure Networks
2007-11-04 21:07:03 0 d-a------ C:\Program Files\Common Files
2007-11-04 12:10:49 6238 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-03 21:37:48 0 d-------- C:\Program Files\Java
2007-11-02 17:13:09 3645 --a------ C:\WINDOWS\viassary-hp.reg
2007-11-02 10:31:22 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\WeatherBug
2007-10-26 15:36:21 0 --a------ C:\Documents and Settings\HP_Owner\Application Data\WGC_Client Preferences
2007-10-22 06:10:26 0 d-------- C:\Program Files\Windows Live Safety Center
2007-09-24 18:44:55 0 d-------- C:\Program Files\America Online 9.0
2007-09-23 20:43:28 0 d-------- C:\Program Files\MSN Gaming Zone
2007-09-12 22:16:11 0 d-------- C:\Program Files\Panicware

– Registry Dump ---------------------------------------------------------------

Note empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{00000012-890e-4aac-afd9-eff6954a34dd}]

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{06dfedaa-6196-11d5-bfc8-00508b4a487d}]

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{1adbcce8-cf84-441e-9b38-afc7a19c06a4}]

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{37AA797F-4221-44D7-A0DE-E859E65A8028}]

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{5E04F07E-7FFC-45B3-A374-37607849CF88}]
C:\Program Files\NetMeeting\horewodeC:\DOCUME~1\HP_Owner\LOCALS~1\Temp\CEMG555077.exe.dll

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{634BBAB7-3F60-4426-944F-A62B9007F67F}]
11/04/2007 06:52 AM 36352 --a------ C:\WINDOWS\system32\vtuvvuv.dll

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{669695bc-a811-4a9d-8cdf-ba8c795f261e}]

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{944864a5-3916-46e2-96a9-a2e84f3f1208}]

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{a4a435cf-3583-11d4-91bd-0048546a1450}]

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{A6E432B4-D4C2-43B3-BF55-C364F8F7362A}]

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{b5e898ec-6e6c-4c55-bba6-f3ed96b653be}]
C:\WINDOWS\system32\ixdbxkrc.dll

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{B82D34FF-CF6A-4A35-8CFE-624670B7994E}]
11/05/2007 04:56 AM 325216 --a------ C:\WINDOWS\system32\mljjg.dll

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{b8875bfe-b021-11d4-bfa8-00508b8e9bd3}]

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{c2680e10-1655-4a0e-87f8-4259325a84b7}]

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{d8efadf1-9009-11d6-8c73-608c5dc19089}]

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{e9306072-417e-43e3-81d5-369490beef7c}]

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{FCA2FF4F-FB29-46B7-BBC8-754A87CD1303}]
C:\Program Files\NetMeeting\horewodeC:\WINDOWS\system32\g2\caws83122.exe.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“hpsysdrv”=“c:\windows\system\hpsysdrv.exe” [05/07/1998 03:04 PM]
“HotKeysCmds”=“C:\WINDOWS\system32\hkcmd.exe” [11/02/2004 02:59 PM]
“AGRSMMSG”=“AGRSMMSG.exe” [06/29/2004 04:06 PM C:\WINDOWS\AGRSMMSG.exe]
“HPHUPD06”=“c:\Program Files\HP{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe” [06/07/2004 05:53 PM]
“HPHmon06”=“C:\WINDOWS\system32\hphmon06.exe” [06/07/2004 05:42 PM]
“KBD”=“C:\HP\KBD\KBD.EXE” [02/11/2003 06:02 PM]
“TkBellExe”=“C:\Program Files\Common Files\Real\Update_OB\realsched.exe” [02/15/2005 09:09 AM]
“Recguard”=“C:\WINDOWS\SMINST\RECGUARD.EXE” [04/14/2004 07:43 PM]
“AlcxMonitor”=“ALCXMNTR.EXE” [09/07/2004 07:47 PM C:\WINDOWS\ALCXMNTR.EXE]
“PS2”=“C:\WINDOWS\system32\ps2.exe” [10/25/2004 08:17 PM]
“LSBWatcher”=“c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe” [10/14/2004 08:54 PM]
“Reminder”=“C:\Windows\Creator\Remind_XP.exe” [12/14/2004 01:23 AM]
“Share-to-Web Namespace Daemon”=“C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe” [07/03/2001 09:11 AM]
“AOLDialer”=“C:\Program Files\Common Files\AOL\ACS\AOLDial.exe” [10/23/2006 04:50 AM]
“AOL Spyware Protection”=“C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe” [10/18/2004 03:42 PM]
“LVCOMSX”=“C:\WINDOWS\system32\LVCOMSX.EXE” [07/19/2005 04:32 PM]
“LogitechVideoRepair”=“C:\Program Files\Logitech\Video\ISStart.exe” [06/08/2005 02:24 PM]
“LogitechVideoTray”=“C:\Program Files\Logitech\Video\LogiTray.exe” [06/08/2005 02:14 PM]
“UserFaultCheck”=“C:\WINDOWS\system32\dumprep 0 -u”
“HostManager”=“C:\Program Files\Common Files\AOL\1158686903\ee\AOLSoftware.exe” [09/25/2006 04:52 PM]
“ProfileWatcher”=“C:\Program Files\ProfileWatcher\profilewatcher.exe”
“iTunesHelper”=“C:\Program Files\iTunes\iTunesHelper.exe” [03/14/2007 06:05 PM]
“QuickTime Task”=“C:\Program Files\QuickTime\qttask.exe” [04/27/2007 08:41 AM]
“NapsterShell”=“C:\Program Files\Napster\napster.exe”
“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [09/06/2007 02:06 AM]
“SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe” [09/25/2007 12:11 AM]
“COMODO Firewall Pro”=“C:\Program Files\Comodo\Firewall\CPF.exe” [11/05/2007 08:29 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [08/04/2004 10:00 AM]
“Weather”=“C:\Program Files\AWS\WeatherBug\Weather.exe” [01/06/2006 09:57 AM]
“LogitechSoftwareUpdate”=“C:\Program Files\Logitech\Video\ManifestEngine.exe” [06/08/2005 01:44 PM]
“swg”=“C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [06/09/2007 05:53 PM]
“Acme.PCHButton”=“C:\PROGRA~1\HELPAN~1\HPQ\XPXWWPP5\plugin\bin\PCHButton.exe” [02/15/2005 09:25 AM]
“Yahoo! Pager”=“C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe” [08/30/2007 04:43 PM]
“SUPERAntiSpyware”=“C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe” [06/21/2007 01:06 PM]

C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup
Keyboard Express 2000.lnk - C:\Program Files\keyexp\KEYEXP.EXE [6/2/2006 6:35:10 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [3/17/2006 7:00:32 PM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [11/5/2004 2:28:24 AM]
HPAiODevice(hp psc 700 series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe [4/30/2002 4:26:44 PM]
Updates from HP.lnk - C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe [2/15/2005 9:23:13 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
“{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}”= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]
“{634BBAB7-3F60-4426-944F-A62B9007F67F}”= C:\WINDOWS\system32\vtuvvuv.dll [11/04/2007 06:52 AM 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 12:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuvvuv]
vtuvvuv.dll 11/04/2007 06:52 AM 36352 C:\WINDOWS\system32\vtuvvuv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{946850c5-1e27-11d9-baf0-806d6172696f}]
AutoRun\command- D:\setup.exe

– End of Deckard’s System Scanner: finished at 2007-11-05 17:35:17 ------------

Hi there… and i can see even myself that this is not a good sign… i am seeing things on this log i did not see earlier… ones you wanted me to get rid of before on the hijackthis but they were not there and now here they are… where did they come from… geesh… i have a thought but ill wait to hear from you to explain one thing that may have happened… let me know thanks… and maybe we better check that registry again… i kinda had a boo boo this afternoon and i wonder if thats the reason… sorry! if you’re tired of me and all this please just let me know…
thank you
Susie

Well I think you know all the O2 entries with the exception of the ones quoted below are suspect.

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

This one is also highly suspect.
O20 - Winlogon Notify: vtuvvuv - C:\WINDOWS\SYSTEM32\vtuvvuv.dll

I’m at a loss as to how you are getting reinfected so quickly.

Are you using the AOL browser or IE6?
Personally I would suggest you try using Firefox: 1) it doesn't have BHOs, 2) nor has it got ActiveX, and these are commonly exploited in IE.

Hopefully, oldman, essexboy or mauserme can get back on the case, it is after 2:30 a.m. and my bed is calling.

I am nourished and have a glass of wine and i think i have to come clean about a very dumb thing i did that might explain the change in my report so quickly… I would rather not admit to this but here goes… i was having trouble with the new firewall and i was frustrated and not thinking clearly (should have had the wine at this point) i removed something from add and remove programs that after i did it i panicked that it was actually something i really needed and without thinking AT ALL, i went to system restore and restored the whole darn computer to a point at about 5:30 or so this am!!! i did it and almost as fast as i did it it hit me like a brick what i had done… i know i had done things i was told to do after that point so in another panic i went back to restore and used the undo restore button to try to bring it back to where we had it after all i did this am… could that be why all this came up again… the only thing is earlier today i didn't have any of the O2's on the log at all and now there they are… If you feel at this point im a hopeless cause i will understand… i just lost my head and its all been rather stressful… david mentioned firefox…? what is that and what would I use it as and instead of what… as far as tool bars how would i know what i'm using and if i should get rid of them i will. im so sorry all… let me know what you want me to do… and again i will understand if you want to throw in the towel!
sooo Sorry
Susie

Hi sasie, want to tell me about the boo-boo?

Some good news though, the regfix is still holding.

Okay, I think that might explain it. Almost wore out my poor old eyes looking for what may be bringing some of this back.

So let’s go again 8)

In hjt (please close everything except hjt before you hit the fix button)

[b]
O2 - BHO: (no name) - {5E04F07E-7FFC-45B3-A374-37607849CF88} - C:\Program Files\NetMeeting\horewodeC:\DOCUME~1\HP_Owner\LOCALS~1\Temp\CEMG555077.exe.dll (file missing)

O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {A6E432B4-D4C2-43B3-BF55-C364F8F7362A} - (no file)
O2 - BHO: {eb356b69-de3f-6abb-55c4-c6e6ce898e5b} - {b5e898ec-6e6c-4c55-bba6-f3ed96b653be} - C:\WINDOWS\system32\ixdbxkrc.dll (file missing)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O2 - BHO: (no name) - {FCA2FF4F-FB29-46B7-BBC8-754A87CD1303} - C:\Program Files\NetMeeting\horewodeC:\WINDOWS\system32\g2\caws83122.exe.dll (file missing)
O2 - BHO: (no name) - {634BBAB7-3F60-4426-944F-A62B9007F67F} - C:\WINDOWS\system32\vtuvvuv.dll
O2 - BHO: (no name) - {B82D34FF-CF6A-4A35-8CFE-624670B7994E} - C:\WINDOWS\system32\mljjg.dll
O20 - Winlogon Notify: vtuvvuv - C:\WINDOWS\SYSTEM32\vtuvvuv.dll[/b]

And before you do anything else kill these guys with OTMOVEIT

C:\WINDOWS\system32\vtuvvuv.dll
C:\WINDOWS\system32\mljjg.dll

Then post a new DSS log

This will give a better look. :smiley:
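As an added example (not code from this thread or from any of the tools named in it), here is a small Python triage script that applies the same rules the helper used above to O2/O20 lines: entries whose DLL is gone, Winlogon Notify hooks, unnamed BHOs that are still on disk, and two paths glued into one value. The allowlist and sample lines are taken from this thread; the line format it assumes is inferred from those lines.

```python
import ntpath
import re

# Line shapes as they appear in the HijackThis output above (assumed format):
#   O2 - BHO: <name> - {CLSID} - <path | "(no file)">
#   O20 - Winlogon Notify: <name> - <path>
HJT_RE = re.compile(r"^(?P<kind>O2|O20) - (?:BHO|Winlogon Notify): (?P<name>.*?) - "
                    r"(?:(?P<clsid>\{[0-9A-Fa-f-]+\}) - )?(?P<path>.*)$")

# Basenames of the modules the helper above treated as legitimate.
KNOWN_GOOD = {"acroiehelper.dll", "ssv.dll", "aoltb.dll", "googletoolbar3.dll", "swg.dll"}

# Sample lines copied from the logs in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5E04F07E-7FFC-45B3-A374-37607849CF88} - C:\Program Files\NetMeeting\horewodeC:\DOCUME~1\HP_Owner\LOCALS~1\Temp\CEMG555077.exe.dll (file missing)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {634BBAB7-3F60-4426-944F-A62B9007F67F} - C:\WINDOWS\system32\vtuvvuv.dll
O20 - Winlogon Notify: vtuvvuv - C:\WINDOWS\SYSTEM32\vtuvvuv.dll
"""


def classify(line: str):
    """Parse one O2/O20 line and attach the flags a log reviewer would raise."""
    m = HJT_RE.match(line.strip())
    if not m:
        return None
    kind, name, path = m["kind"], m["name"], m["path"]
    flags = []
    if path == "(no file)" or path.endswith("(file missing)"):
        flags.append("orphaned-registration")  # registry entry survives, DLL is gone
    if path.count(":\\") > 1:
        flags.append("malformed-path")         # two paths glued into one value
    if kind == "O20":
        flags.append("winlogon-notify")        # DLL loaded into winlogon.exe at logon
    elif name == "(no name)" and not flags:
        flags.append("unnamed-bho-on-disk")    # live BHO with no friendly name
    base = ntpath.basename(path.replace(" (file missing)", "")).lower()
    verdict = "suspect" if flags else ("known-good" if base in KNOWN_GOOD else "review")
    return {"kind": kind, "name": name, "clsid": m["clsid"], "path": path,
            "flags": flags, "verdict": verdict}


def triage(log: str) -> dict:
    """Bucket every O2/O20 entry of a log by verdict; other lines are ignored."""
    buckets = {"known-good": [], "suspect": [], "review": []}
    for line in log.splitlines():
        entry = classify(line)
        if entry:
            buckets[entry["verdict"]].append(entry)
    return buckets
```

Anything landing in "review" is present on disk but not on the allowlist and still needs a human look; "suspect" is the set the helper asked to fix in hjt.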

was i supposed to kill before i did the hijack?? because i didn't but i can right now if i was supposed to moveit asap… but you won't believe this log… the items we are looking for are not on it just as it was not on it before… is that totally crazy… ill send this log but i have nothing to fix… and i am on my way in to kill the 2 files in moveit… let me know now what?? and i am so worried with this firewall… it asks me to allow things all the time to even open this window… and i have to tell you not everything seems like i should be allowing but if i don't then i don't get in here… anyway… let me know what you think…
thanks
not so sasy anymore!