
Thread: Proxy Server Problem!

  1. #61
    Join Date
    Dec 2006
    Posts
    50
    OK, I've attached the log file.

  2. #62
    Join Date
    Dec 2006
    Posts
    50
    On an unrelated note, something new has appeared in my HJT Log:

    Logfile of HijackThis v1.99.1
    Scan saved at 15:21:33, on 23/01/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
    C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
    C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
    C:\Program Files\VoyagerTest\fts.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\Program Files\AOL 9.0b\waol.exe
    C:\Program Files\AOL 9.0b\shellmon.exe
    C:\hijackthis_199\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aol.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\msgr.en-us.en-gb\msntb.dll
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
    O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
    O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [Name of App] C:\Program Files\SAMSUNG\FW LiveUpdate\Liveupdate.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0b\aoltray.exe
    O4 - Global Startup: AOL Broadband Check-Up.lnk = C:\Program Files\AOL\Broadband CheckUp\bin\matcli.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O14 - IERESET.INF: START_PAGE_URL=http://www.aol.co.uk
    O14 - IERESET.INF: MS_START_PAGE_URL=http://www.aol.co.uk
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1143894569182
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europ...vex/hcImpl.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A092757D-D5F3-4396-9FD5-B7CF36EB04D8}: NameServer = 205.188.146.145
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: QMPYFZRLCZVA - Unknown owner - C:\DOCUME~1\DILANS~1\LOCALS~1\Temp\QMPYFZRLCZVA.exe (file missing)
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
    Should this entry be fixed?:

    O23 - Service: QMPYFZRLCZVA - Unknown owner - C:\DOCUME~1\DILANS~1\LOCALS~1\Temp\QMPYFZRLCZVA.exe (file missing)

  3. #63
    Join Date
    Aug 2006
    Location
    255.255.255.666
    Posts
    2,056
    Quote (originally posted by lakers):
    On an unrelated note, something new has appeared in my HJT Log:

    O23 - Service: QMPYFZRLCZVA - Unknown owner - C:\DOCUME~1\DILANS~1\LOCALS~1\Temp\QMPYFZRLCZVA.exe (file missing)

    Should this entry be fixed?:

    Oh hell yes, any time a so-called service executable points to a 'Temp' location, that is an automatic red flag! In this case, I believe the executable I sent you must have removed it where other utilities failed (probably because you were running CCleaner or ATF while the system was running in Normal Mode and the executable was in use, preventing removal, etc.).
    After having HJT fix it, re-scan and make sure it is gone. Also open the Service Control Panel and check the list for that entry as well:

    Start > Run > services.msc > OK

    While you are in there, you could disable the startup of:
    Machine Debug Manager

    Also remember my long post earlier on where I listed a few services and put comments/questions next to them, you have not yet provided any feedback to that. Please do so I could advise further.

    I will review your Autoruns log and get back to you. Jholland is out for several more days (on vacation). PP might jump in but he is either MIA or working on his Online Nation...

    ~TL
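
The rule stated in the reply above (a service whose executable sits under a 'Temp' location is a red flag), applied to O23 lines as an added Python example; it is not part of the thread or of HijackThis. The function names and the `TEMP_DIRS` set are assumptions, and the four sample lines are copied from the log in post #62.

```python
import re

# O23 layout as seen in the thread's log: name - owner - path [(file missing)]
O23 = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
TEMP_DIRS = {"temp", "tmp"}  # assumption: directory names treated as temporary

# Four O23 lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: QMPYFZRLCZVA - Unknown owner - C:\DOCUME~1\DILANS~1\LOCALS~1\Temp\QMPYFZRLCZVA.exe (file missing)
"""

def parse_o23(line):
    """Split one O23 line into name, owner, path and the file-missing marker."""
    m = O23.match(line.strip())
    if not m:
        return None
    return {
        "name": m.group("name"),
        "owner": m.group("owner"),
        "path": m.group("path").strip().strip('"'),
        "missing": m.group("missing") is not None,
    }

def in_temp_dir(path):
    """True when any directory component (not the file name) is a temp dir."""
    dirs = [part.lower() for part in path.split("\\")[:-1]]
    return any(d in TEMP_DIRS for d in dirs)

def triage(log_text):
    """Return the O23 entries whose binary lives under a Temp directory."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_o23(line)
        if entry is None or not in_temp_dir(entry["path"]):
            continue
        notes = ["service binary under a Temp directory"]
        # Supporting context only: the SQL Server line has both of these
        # markers and is not reported, because its path is not a Temp path.
        if entry["owner"].lower() == "unknown owner":
            notes.append("no company name reported")
        if entry["missing"]:
            notes.append("file not present at that path")
        findings.append({**entry, "notes": notes})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["name"], "->", f["path"], "|", "; ".join(f["notes"]))
```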

  4. #64
    Join Date
    Dec 2006
    Posts
    50
    Oh hell yes, any time a so-called service executable points to a 'Temp' location, that is an automatic red flag! In this case, I believe the executable I sent you must have removed it where other utilities failed (probably because you were running CCleaner or ATF while the system was running in Normal Mode and the executable was in use, preventing removal, etc.).
    After having HJT fix it, re-scan and make sure it is gone,
    I clicked to fix it and it said that the new changes will take effect upon restart, do you want to restart? I clicked "no." That doesn't normally happen when I fix entries, is that OK? Also, it isn't present in the new log.

    also open Service Control Panel and check the list for that entry as well:
    The QMPYFZRLCZVA is there but its startup type is set as "disabled".

    Also, how do I make the "machine debugger" startup type set to "disabled"?
    Last edited by lakers; 01-23-2007 at 01:58 PM.

  5. #65
    Join Date
    Dec 2006
    Posts
    50
    I'm sorry TL, but I looked over your posts and I wasn't sure which questions needed answering.

  6. #66
    Join Date
    Aug 2006
    Location
    255.255.255.666
    Posts
    2,056

    Quote (originally posted by lakers):
    I'm sorry TL, but I looked over your posts and I wasn't sure which questions needed answering.
    WebClient --> Another service that is normally not used or needed; furthermore, it is a security risk if not needed.
    inetinfo.exe --> IIS Admin Server Helper, is it used or needed?
    mdm.exe --> Machine Debug Manager needed?
    sqlservr.exe --> SQL Server running, is it needed?
    alg.exe --> Used for connection sharing and/or Windows Firewall, if another Firewall program is used, this should be disabled!
    MpfAgent.exe & MpfTray.exe --> It appears that you have McAfee Internet Security Suite which also bundles the Firewall utility. You will have to pick which one to use,
    to get rid of McAfee: START > RUN > appwiz.cpl > OK and uninstall McAfee Internet Security Suite
    If you decide to use McAfee or another 3rd party firewall Internet Security utility then you will need to disable Windows Firewall.

    Also, how do I make the "machine debugger" startup type set to "disabled"
    To disable any of these services that you do NOT need: START > RUN > services.msc > OK
    Then locate the service in question, locate the service on the list then double-click on it to open its properties window. Click the Startup dropdown box and change the Startup to 'disabled'.

    ~ Also and more importantly, yes your system was infected indeed (right-click and delete this entry):
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    + wininet.dll File not found: dfrgsrv.exe
    Afterwards, enable displaying hidden files and folder from the Tools > Folder Options > View > Show hidden files and folders.

    Then click Start > Run > cmd > OK when the Command Line window appears, type (pay attention to the spaces):

    del /f /s /q C:\Windows\dfrgsrv.exe


    ~ Another highly suspicious, possibly malware related entry (just uncheck its box, do not delete just yet):
    HKLM\System\CurrentControlSet\Services
    + SVKP SVKP driver for NT AntiCracking c:\windows\system32\svkp.sys
    ~ This one you will also need to delete:

    + VClone File not found: System32\DRIVERS\VClone.sys
    and there is a chance there is still something lingering around.
    Have you run SmitRem on this system before? If not, please download and run SmitRem and also CWShredder. I am not sure if you have already done the steps on PhilliePhan's sticky, but since the others were already helping you, I'd imagine you have done those steps. I don't believe you have Spybot, though, which is pretty good at removing most of the pests if updated and configured properly.

    The following entries are a clear sign that McAfee Internet Security program files/services are still present on the system, if the program is not used, please remove it from Add-Remove Programs control panel, reboot then check Autoruns to see if the following still shows up, if they do please delete them:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    + MPFExe McAfee Personal Firewall Tray Monitor McAfee Security c:\program files\mcafee.com\personal firewall\mpftray.exe

    HKLM\System\CurrentControlSet\Services
    + MpfService McAfee Personal Firewall Service McAfee Corporation c:\program files\mcafee.com\personal firewall\mpfservice.exe

    HKLM\System\CurrentControlSet\Services
    + MPFIREWL c:\windows\system32\drivers\mpfirewall.sys

  7. #67
    Join Date
    Dec 2006
    Posts
    50
    Wow, thanks for the feedback. I think we are moving places now! Before I start getting rid of the other stuff I need to answer some of the queries:

    WebClient --> Another service that is normally not used or needed, further more it is a security risk if not needed.
    I have no idea what it does, it may or may not be needed, I'm not really sure.

    inetinfo.exe --> IIS Admin Server Helper, is it used or needed?
    Again, I don't know if it is needed or not.

    mdm.exe --> Machine Debug Manager needed?
    I'll turn it off now!

    sqlservr.exe --> SQL Server running, is it needed?
    I'm sorry to be vague but again, I have no idea if it is needed.

    alg.exe --> Used for connection sharing and/or Windows Firewall, if another Firewall program is used, this should be disabled!
    MpfAgent.exe & MpfTray.exe --> It appears that you have McAfee Internet Security Suite which also bundles the Firewall utility. You will have to pick which one to use,
    to get rid of McAfee: START > RUN > appwiz.cpl > OK and uninstall McAfee Internet Security Suite
    If you decide to use McAfee or another 3rd party firewall Internet Security utility then you will need to disable Windows Firewall.
    I'll disable the Windows Firewall instead!

  8. #68
    Join Date
    Dec 2006
    Posts
    50
    ~ Also and more importantly, yes your system was infected indeed (right-click and delete this entry):

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    + wininet.dll File not found: dfrgsrv.exe
    Do I go to the regedit registry and do this?

    ~ Another highly suspicious, possibly malware related entry (just uncheck its box, do not delete just yet):

    HKLM\System\CurrentControlSet\Services
    + SVKP SVKP driver for NT AntiCracking c:\windows\system32\svkp.sys
    How do I go about doing this?

    ~ This one you will also need to delete:

    Quote:
    + VClone File not found: System32\DRIVERS\VClone.sys
    Shall I just locate to the System32 folder and delete that file?


    I'm really sorry for asking SO many questions. It's just that I'm really unsure about things and I'm worried I'll do something wrong! I really appreciate all of your efforts!

  9. #69
    Join Date
    Aug 2006
    Location
    255.255.255.666
    Posts
    2,056

    OK, for the services, follow these instructions and you will be just fine.

    Change these to DISABLED:
    WebClient
    mdm.exe
    Application Layer Gateway Service
    Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)

    Change these to MANUAL:
    inetinfo.exe (IIS Admin Server Helper)
    sqlservr.exe (SQL Server)


    You will do the following in Autoruns:

    ~ Also and more importantly, yes your system was infected indeed (right-click and delete this entry):

    Quote:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    + wininet.dll File not found: dfrgsrv.exe
    Afterwards, enable displaying hidden files and folder from the Tools > Folder Options > View > Show hidden files and folders.

    Then click Start > Run > cmd > OK when the Command Line window appears, type (pay attention to the spaces):

    del /f /s /q C:\Windows\dfrgsrv.exe


    ~ Another highly suspicious, possibly malware related entry (just uncheck its box, do not delete just yet):

    Quote:
    HKLM\System\CurrentControlSet\Services
    + SVKP SVKP driver for NT AntiCracking c:\windows\system32\svkp.sys
    ~ This one you will also need to delete:


    Quote:
    + VClone File not found: System32\DRIVERS\VClone.sys
    ^ VClone.sys appears to be missing. It is not spyware, nor would it really have anything to do with your problem, but removing it would make sense as it is an invalid driver entry that could cause other problems.

    The file is a part of the Elaborate Bytes VirtualCloneCD program. If you still have the program installed then it is likely that it might be corrupted, but I think you have either uninstalled it or never used it and the file was previously removed somehow.


    Download the tools I mentioned in my last post, then reboot in safe mode to run them and also to do all of the above steps while in Safe Mode.

    Then reboot your system in normal mode to see if the problem is gone or not.


    ~TL

  10. #70
    Join Date
    Dec 2006
    Posts
    50
    WebClient is: C:\WINDOWS\System32\svchost.exe

    Are you sure I should disable it?

    Also, I couldn't find "Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)"

    I will follow the Autoruns directions after I get confirmation about the "svchost.exe"

