View Full Version : Smitfraud-C.Toolbar888 is horrid
Robert88
2007-05-11, 08:11
Computer started running very slowly and the browser started getting hijacked.
I ran anti-spyware and anti-virus programs, and may have deleted too much. Sometimes when I reboot an error message comes up something like: ‘implements the NT service that starts the server’.
Recently, I ran the online E Trust Antivirus Web Scanner. I attempted to save the log of 11 infected files. They were all dll files in windows\system32\, with infections of vundo or chisyne. I have a printed list if you need names.
Then I ran spybot in safe mode, and fixed all problems but Smitfraud-C.Toolbar888.
Thanks in advance.
Here is the HJT log (only Scan and Save Log button worked):
Logfile of HijackThis v1.99.1
Scan saved at 9:02:56 PM, on 5/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Canon\MultiPASS4\monitr32.exe
C:\WINDOWS\System32\fxredir.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\3M\PSNotes\PSNOTES.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/My%20Documents/fav%20061106.htm
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Copernic Desktop Search 2 - {968631B6-4729-440D-9BF4-251F5593EC9A} - C:\Program Files\Copernic Desktop Search 2\DesktopSearchBand2526.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [monitr32] C:\Program Files\Canon\MultiPASS4\monitr32.exe
O4 - HKLM\..\Run: [fxredir] C:\WINDOWS\System32\fxredir.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\rtvpcvvt.dll",realset
O4 - HKCU\..\Run: [917782] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\917782.cpl
O4 - HKCU\..\Run: [65774] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65774.cpl
O4 - HKCU\..\Run: [65746] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65746.cpl
O4 - HKCU\..\Run: [131280] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\131280.cpl
O4 - HKCU\..\Run: [65780] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65780.cpl
O4 - HKCU\..\Run: [65782] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65782.cpl
O4 - HKCU\..\Run: [65784] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65784.cpl
O4 - HKCU\..\Run: [65806] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65806.cpl
O4 - HKCU\..\Run: [65738] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65738.cpl
O4 - HKCU\..\Run: [65778] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65778.cpl
O4 - HKCU\..\Run: [65788] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65788.cpl
O4 - HKCU\..\Run: [65792] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65792.cpl
O4 - HKCU\..\Run: [131284] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\131284.cpl
O4 - HKCU\..\Run: [327892] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\327892.cpl
O4 - HKCU\..\Run: [65794] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65794.cpl
O4 - HKCU\..\Run: [196882] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\196882.cpl
O4 - HKCU\..\Run: [65786] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65786.cpl
O4 - HKCU\..\Run: [131472] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\131472.cpl
O4 - HKCU\..\Run: [65768] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65768.cpl
O4 - HKCU\..\Run: [Copernic Desktop Search 2] "C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe" /tray
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: Post-it® Software Notes.lnk = C:\Program Files\3M\PSNotes\PSNOTES.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Real-time Monitor.lnk = ?
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.norun
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: www.providentcu.org
O15 - Trusted Zone: billpay.pscufs.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {29C13B62-B9F7-4CD3-8CEF-0A58A1A99441} - http://fdl.msn.com/public/chat/msnchat41.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleon/1.1.48-deleon/GoogleNav.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D1EF22C8-81B0-4631-8DA2-BEFC9739943E}: NameServer = 72.164.173.199,69.60.160.196
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Hi Robert88
Rename HijackThis.exe to scanner.exe and post back a fresh HijackThis log, please :)
Robert88
2007-05-13, 09:07
Thanks for your reply. Here is the requested file.
Logfile of HijackThis v1.99.1
Scan saved at 11:01:01 PM, on 5/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\Program Files\Canon\MultiPASS4\monitr32.exe
C:\WINDOWS\System32\fxredir.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\3M\PSNotes\PSNOTES.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/My%20Documents/fav%20061106.htm
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Copernic Desktop Search 2 - {968631B6-4729-440D-9BF4-251F5593EC9A} - C:\Program Files\Copernic Desktop Search 2\DesktopSearchBand2526.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [monitr32] C:\Program Files\Canon\MultiPASS4\monitr32.exe
O4 - HKLM\..\Run: [fxredir] C:\WINDOWS\System32\fxredir.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\rtvpcvvt.dll",realset
O4 - HKCU\..\Run: [917782] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\917782.cpl
O4 - HKCU\..\Run: [65774] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65774.cpl
O4 - HKCU\..\Run: [65746] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65746.cpl
O4 - HKCU\..\Run: [131280] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\131280.cpl
O4 - HKCU\..\Run: [65780] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65780.cpl
O4 - HKCU\..\Run: [65782] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65782.cpl
O4 - HKCU\..\Run: [65784] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65784.cpl
O4 - HKCU\..\Run: [65806] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65806.cpl
O4 - HKCU\..\Run: [65738] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65738.cpl
O4 - HKCU\..\Run: [65778] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65778.cpl
O4 - HKCU\..\Run: [65788] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65788.cpl
O4 - HKCU\..\Run: [65792] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65792.cpl
O4 - HKCU\..\Run: [131284] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\131284.cpl
O4 - HKCU\..\Run: [327892] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\327892.cpl
O4 - HKCU\..\Run: [65794] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65794.cpl
O4 - HKCU\..\Run: [196882] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\196882.cpl
O4 - HKCU\..\Run: [65786] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65786.cpl
O4 - HKCU\..\Run: [131472] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\131472.cpl
O4 - HKCU\..\Run: [65768] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65768.cpl
O4 - HKCU\..\Run: [Copernic Desktop Search 2] "C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe" /tray
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: Post-it® Software Notes.lnk = C:\Program Files\3M\PSNotes\PSNOTES.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Real-time Monitor.lnk = ?
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.norun
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: www.providentcu.org
O15 - Trusted Zone: billpay.pscufs.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {29C13B62-B9F7-4CD3-8CEF-0A58A1A99441} - http://fdl.msn.com/public/chat/msnchat41.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleon/1.1.48-deleon/GoogleNav.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D1EF22C8-81B0-4631-8DA2-BEFC9739943E}: NameServer = 72.164.173.199,69.60.160.196
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Hi
Rename C:\Program Files\HijackThis\HijackThis.exe <--- this file to
C:\Program Files\HijackThis\scanner.exe <---- this and post a fresh HijackThis log, please :)
Robert88
2007-05-13, 19:44
I hope this is what you are asking for. Here is a log, run by the exe file now called scanner.
Logfile of HijackThis v1.99.1
Scan saved at 9:39:41 AM, on 5/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\Program Files\Canon\MultiPASS4\monitr32.exe
C:\WINDOWS\System32\fxredir.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\3M\PSNotes\PSNOTES.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\scanner.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/My%20Documents/fav%20061106.htm
O2 - BHO: (no name) - {3F9D0C61-737D-44D1-BD80-91AF857061CC} - C:\WINDOWS\system32\nnnkkkj.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {AF954BC0-6BE8-4F62-9ED0-8FF5394DFB47} - C:\WINDOWS\system32\pmnnk.dll
O2 - BHO: (no name) - {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} - C:\WINDOWS\system32\mlxkishx.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Copernic Desktop Search 2 - {968631B6-4729-440D-9BF4-251F5593EC9A} - C:\Program Files\Copernic Desktop Search 2\DesktopSearchBand2526.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [monitr32] C:\Program Files\Canon\MultiPASS4\monitr32.exe
O4 - HKLM\..\Run: [fxredir] C:\WINDOWS\System32\fxredir.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\rtvpcvvt.dll",realset
O4 - HKCU\..\Run: [917782] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\917782.cpl
O4 - HKCU\..\Run: [65774] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65774.cpl
O4 - HKCU\..\Run: [65746] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65746.cpl
O4 - HKCU\..\Run: [131280] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\131280.cpl
O4 - HKCU\..\Run: [65780] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65780.cpl
O4 - HKCU\..\Run: [65782] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65782.cpl
O4 - HKCU\..\Run: [65784] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65784.cpl
O4 - HKCU\..\Run: [65806] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65806.cpl
O4 - HKCU\..\Run: [65738] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65738.cpl
O4 - HKCU\..\Run: [65778] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65778.cpl
O4 - HKCU\..\Run: [65788] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65788.cpl
O4 - HKCU\..\Run: [65792] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65792.cpl
O4 - HKCU\..\Run: [131284] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\131284.cpl
O4 - HKCU\..\Run: [327892] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\327892.cpl
O4 - HKCU\..\Run: [65794] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65794.cpl
O4 - HKCU\..\Run: [196882] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\196882.cpl
O4 - HKCU\..\Run: [65786] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65786.cpl
O4 - HKCU\..\Run: [131472] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\131472.cpl
O4 - HKCU\..\Run: [65768] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65768.cpl
O4 - HKCU\..\Run: [Copernic Desktop Search 2] "C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe" /tray
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: Post-it® Software Notes.lnk = C:\Program Files\3M\PSNotes\PSNOTES.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Real-time Monitor.lnk = ?
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.norun
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: www.providentcu.org
O15 - Trusted Zone: billpay.pscufs.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {29C13B62-B9F7-4CD3-8CEF-0A58A1A99441} - http://fdl.msn.com/public/chat/msnchat41.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleon/1.1.48-deleon/GoogleNav.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D1EF22C8-81B0-4631-8DA2-BEFC9739943E}: NameServer = 72.164.173.199,69.60.160.196
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: nnnkkkj - C:\WINDOWS\SYSTEM32\nnnkkkj.dll
O20 - Winlogon Notify: pmnnk - C:\WINDOWS\system32\pmnnk.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Hi
Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
Robert88
2007-05-14, 00:24
Thanks - here is the Vundo fix and Hijack this logs
VundoFix V6.3.21
Checking Java version...
Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.
Scan started at 1:42:46 PM 5/13/2007
Listing files found while scanning....
C:\WINDOWS\system32\gebawtu.dll
C:\WINDOWS\system32\gtitcmsa.dll
C:\WINDOWS\system32\gtrcfhid.dll
C:\WINDOWS\system32\jkkkjhf.dll
C:\WINDOWS\system32\kffsyjpc.dll
C:\WINDOWS\system32\knnmp.bak1
C:\WINDOWS\system32\knnmp.ini
C:\WINDOWS\system32\knnmp.ini2
C:\WINDOWS\system32\knnmp.tmp
C:\WINDOWS\system32\lnfidvjo.dll
C:\WINDOWS\system32\nhywffei.dll
C:\WINDOWS\system32\nimammdn.dll
C:\WINDOWS\system32\nnnkkkj.dll
C:\WINDOWS\system32\pmnnk.dll
C:\WINDOWS\system32\yrpadrgq.dll
C:\WINDOWS\system32\yutvrjwi.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\gebawtu.dll
C:\WINDOWS\system32\gebawtu.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\gtitcmsa.dll
C:\WINDOWS\system32\gtitcmsa.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\gtrcfhid.dll
C:\WINDOWS\system32\gtrcfhid.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\jkkkjhf.dll
C:\WINDOWS\system32\jkkkjhf.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\kffsyjpc.dll
C:\WINDOWS\system32\kffsyjpc.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\knnmp.bak1
C:\WINDOWS\system32\knnmp.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\knnmp.ini
C:\WINDOWS\system32\knnmp.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\knnmp.ini2
C:\WINDOWS\system32\knnmp.ini2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\knnmp.tmp
C:\WINDOWS\system32\knnmp.tmp Has been deleted!
Attempting to delete C:\WINDOWS\system32\lnfidvjo.dll
C:\WINDOWS\system32\lnfidvjo.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\nhywffei.dll
C:\WINDOWS\system32\nhywffei.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\nimammdn.dll
C:\WINDOWS\system32\nimammdn.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\nnnkkkj.dll
C:\WINDOWS\system32\nnnkkkj.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\pmnnk.dll
C:\WINDOWS\system32\pmnnk.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\yutvrjwi.dll
C:\WINDOWS\system32\yutvrjwi.dll Has been deleted!
Performing Repairs to the registry.
Done!
Logfile of HijackThis v1.99.1
Scan saved at 2:20:54 PM, on 5/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\MultiPASS4\monitr32.exe
C:\WINDOWS\System32\fxredir.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\3M\PSNotes\PSNOTES.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COPERN~1\DESKTO~1.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\scanner.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/My%20Documents/fav%20061106.htm
O2 - BHO: (no name) - {4EAA31AA-B316-4B81-932C-B4CAC29228C8} - C:\WINDOWS\system32\pmnnk.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} - C:\WINDOWS\system32\mlxkishx.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Copernic Desktop Search 2 - {968631B6-4729-440D-9BF4-251F5593EC9A} - C:\Program Files\Copernic Desktop Search 2\DesktopSearchBand2526.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [monitr32] C:\Program Files\Canon\MultiPASS4\monitr32.exe
O4 - HKLM\..\Run: [fxredir] C:\WINDOWS\System32\fxredir.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\rtvpcvvt.dll",realset
O4 - HKCU\..\Run: [917782] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\917782.cpl
O4 - HKCU\..\Run: [65774] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65774.cpl
O4 - HKCU\..\Run: [65746] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65746.cpl
O4 - HKCU\..\Run: [131280] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\131280.cpl
O4 - HKCU\..\Run: [65780] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65780.cpl
O4 - HKCU\..\Run: [65782] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65782.cpl
O4 - HKCU\..\Run: [65784] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65784.cpl
O4 - HKCU\..\Run: [65806] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65806.cpl
O4 - HKCU\..\Run: [65738] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65738.cpl
O4 - HKCU\..\Run: [65778] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65778.cpl
O4 - HKCU\..\Run: [65788] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65788.cpl
O4 - HKCU\..\Run: [65792] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65792.cpl
O4 - HKCU\..\Run: [131284] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\131284.cpl
O4 - HKCU\..\Run: [327892] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\327892.cpl
O4 - HKCU\..\Run: [65794] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65794.cpl
O4 - HKCU\..\Run: [196882] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\196882.cpl
O4 - HKCU\..\Run: [65786] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65786.cpl
O4 - HKCU\..\Run: [131472] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\131472.cpl
O4 - HKCU\..\Run: [65768] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65768.cpl
O4 - HKCU\..\Run: [Copernic Desktop Search 2] "C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe" /tray
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: Post-it® Software Notes.lnk = C:\Program Files\3M\PSNotes\PSNOTES.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Real-time Monitor.lnk = ?
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.norun
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: www.providentcu.org
O15 - Trusted Zone: billpay.pscufs.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {29C13B62-B9F7-4CD3-8CEF-0A58A1A99441} - http://fdl.msn.com/public/chat/msnchat41.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleon/1.1.48-deleon/GoogleNav.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D1EF22C8-81B0-4631-8DA2-BEFC9739943E}: NameServer = 72.164.173.199,69.60.160.196
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Hi
Open HijackThis, click do a system scan only and checkmark these:
O2 - BHO: (no name) - {4EAA31AA-B316-4B81-932C-B4CAC29228C8} - C:\WINDOWS\system32\pmnnk.dll (file missing)
O2 - BHO: (no name) - {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} - C:\WINDOWS\system32\mlxkishx.dll
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\rtvpcvvt.dll",realset
O4 - Startup: PowerReg Scheduler V3.exe
Close all windows including browser and press fix checked.
Reboot
Delete if present:
C:\WINDOWS\system32\mlxkishx.dll
C:\WINDOWS\system32\rtvpcvvt.dll
Empty Recycle Bin
Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)
Please click this link-->Jotti (http://virusscan.jotti.org/)
When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.
C:\WINDOWS\917782.cpl
Please post back the results of the scan in your next post.
If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/flash/index_en.html
Post:
- a fresh HijackThis log
- jotti results
Robert88
2007-05-14, 18:37
I followed all the steps, but could not complete the last step, though I found a time when jotti was not busy. I verified that hidden files could be seen, by opening c:\windows, and clicking tools > folder options, going to view tab, and verifying: display contents of system folder is checked, radio button is on 'show hidden files and folders' and hide protected system files is unchecked.
I could not find c:\windows\917782.cpl on my system.
I also checked for the file name with Copernic desktop search and found none.
Here is the hijack this log if useful.
Logfile of HijackThis v1.99.1
Scan saved at 8:29:20 AM, on 5/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Canon\MultiPASS4\monitr32.exe
C:\WINDOWS\System32\fxredir.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\3M\PSNotes\PSNOTES.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\COPERN~1\DESKTO~1.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\scanner.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/My%20Documents/fav%20061106.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Copernic Desktop Search 2 - {968631B6-4729-440D-9BF4-251F5593EC9A} - C:\Program Files\Copernic Desktop Search 2\DesktopSearchBand2526.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [monitr32] C:\Program Files\Canon\MultiPASS4\monitr32.exe
O4 - HKLM\..\Run: [fxredir] C:\WINDOWS\System32\fxredir.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [917782] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\917782.cpl
O4 - HKCU\..\Run: [65774] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65774.cpl
O4 - HKCU\..\Run: [65746] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65746.cpl
O4 - HKCU\..\Run: [131280] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\131280.cpl
O4 - HKCU\..\Run: [65780] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65780.cpl
O4 - HKCU\..\Run: [65782] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65782.cpl
O4 - HKCU\..\Run: [65784] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65784.cpl
O4 - HKCU\..\Run: [65806] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65806.cpl
O4 - HKCU\..\Run: [65738] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65738.cpl
O4 - HKCU\..\Run: [65778] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65778.cpl
O4 - HKCU\..\Run: [65788] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65788.cpl
O4 - HKCU\..\Run: [65792] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65792.cpl
O4 - HKCU\..\Run: [131284] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\131284.cpl
O4 - HKCU\..\Run: [327892] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\327892.cpl
O4 - HKCU\..\Run: [65794] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65794.cpl
O4 - HKCU\..\Run: [196882] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\196882.cpl
O4 - HKCU\..\Run: [65786] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65786.cpl
O4 - HKCU\..\Run: [131472] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\131472.cpl
O4 - HKCU\..\Run: [65768] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65768.cpl
O4 - HKCU\..\Run: [Copernic Desktop Search 2] "C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe" /tray
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: Post-it® Software Notes.lnk = C:\Program Files\3M\PSNotes\PSNOTES.EXE
O4 - Startup: Real-time Monitor.lnk = ?
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.norun
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: www.providentcu.org
O15 - Trusted Zone: billpay.pscufs.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {29C13B62-B9F7-4CD3-8CEF-0A58A1A99441} - http://fdl.msn.com/public/chat/msnchat41.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleon/1.1.48-deleon/GoogleNav.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D1EF22C8-81B0-4631-8DA2-BEFC9739943E}: NameServer = 72.164.173.199,69.60.160.196
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Hi
Well that's really strange.
Download WinPFind3U.exe (http://download.bleepingcomputer.com/oldtimer/winpfind3u.exe) to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
In the Files Created Within group click 30 days
In the Files Modified Within group select 30 days
In the File String Search group select Non-Microsoft
Now click the Run Scan button on the toolbar.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in.
Robert88
2007-05-14, 21:22
the forum said this was too long, so I will try to break it in pieces. Here is #1
WinPFind3 logfile created on: 5/14/2007 11:10:04 AM
WinPFind3U by OldTimer - Version 1.0.36 Folder = C:\Documents and Settings\Robert James\Desktop\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2180)
255.30 Mb Total Physical Memory | 65.61 Mb Available Physical Memory | 25.70% Memory free
489.87 Mb Paging File | 256.11 Mb Available in Paging File | 52.28% Paging File free
Paging file location(s): C:\pagefile.sys 256 256;
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 15.72 Gb Free Space | 42.20% Space Free
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Computer Name: ROBERT-HAQ13I2G
Current User Name: Robert James
Logged in as Administrator.
Current Boot Mode: Normal
[Processes - Non-Microsoft Only]
acrotray.exe -> %ProgramFiles%\Adobe\Acrobat 7.0\Distillr\AcroTray.exe -> Adobe Systems Inc. [Ver = 7.0.7.2006011200 | Size = 483328 bytes | Modified Date = 1/12/2006 9:52:32 PM | Attr = ]
ashdisp.exe -> %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 75392 bytes | Modified Date = 4/30/2007 8:42:48 AM | Attr = ]
ashmaisv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 243328 bytes | Modified Date = 4/30/2007 9:04:38 AM | Attr = ]
ashserv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 132736 bytes | Modified Date = 4/30/2007 8:42:40 AM | Attr = ]
ashwebsv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 345728 bytes | Modified Date = 4/30/2007 8:41:28 AM | Attr = ]
aswupdsv.exe -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 16512 bytes | Modified Date = 4/30/2007 8:29:56 AM | Attr = ]
desktopsearchservice.exe -> %ProgramFiles%\Copernic Desktop Search 2\DesktopSearchService.exe -> Copernic Technologies Inc. [Ver = 2.0.2.2526 | Size = 1546544 bytes | Modified Date = 12/8/2006 8:58:06 AM | Attr = ]
evntsvc.exe -> %CommonProgramFiles%\Real\Update_OB\evntsvc.exe -> RealNetworks, Inc. [Ver = 0.1.0.880 | Size = 146432 bytes | Modified Date = 5/16/2002 12:12:46 AM | Attr = ]
fxredir.exe -> %System32%\FxRedir.exe -> Canon Inc [Ver = 4.00 | Size = 65536 bytes | Modified Date = 8/21/2001 6:49:14 PM | Attr = ]
googletoolbarnotifier.exe -> %ProgramFiles%\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe -> Google Inc. [Ver = 1, 2, 1128, 5462 | Size = 171448 bytes | Modified Date = 1/26/2007 11:07:44 AM | Attr = ]
ipodservice.exe -> %ProgramFiles%\iPod\bin\iPodService.exe -> Apple Computer, Inc. [Ver = 6.0.5.20 | Size = 323584 bytes | Modified Date = 6/14/2006 4:23:58 PM | Attr = ]
ituneshelper.exe -> %ProgramFiles%\iTunes\iTunesHelper.exe -> Apple Computer, Inc. [Ver = 6.0.5.20 | Size = 278528 bytes | Modified Date = 6/14/2006 4:24:14 PM | Attr = ]
jusched.exe -> %ProgramFiles%\Java\j2re1.4.2_03\bin\jusched.exe -> [Ver = | Size = 32881 bytes | Modified Date = 11/19/2003 5:48:14 PM | Attr = ]
kpf4gui.exe -> %ProgramFiles%\Sunbelt Software\Personal Firewall\kpf4gui.exe -> Sunbelt Software [Ver = 4.5.916.0 | Size = 1967664 bytes | Modified Date = 4/26/2007 10:21:28 AM | Attr = ]
kpf4gui.exe -> %ProgramFiles%\Sunbelt Software\Personal Firewall\kpf4gui.exe -> Sunbelt Software [Ver = 4.5.916.0 | Size = 1967664 bytes | Modified Date = 4/26/2007 10:21:28 AM | Attr = ]
kpf4ss.exe -> %ProgramFiles%\Sunbelt Software\Personal Firewall\kpf4ss.exe -> Sunbelt Software [Ver = 4.5.916.0 | Size = 1234480 bytes | Modified Date = 4/26/2007 10:21:28 AM | Attr = ]
monitr32.exe -> %ProgramFiles%\Canon\MultiPASS4\monitr32.exe -> Canon Inc [Ver = 4.00 | Size = 311296 bytes | Modified Date = 8/21/2001 6:52:34 PM | Attr = ]
mpservic.exe -> %ProgramFiles%\Canon\MultiPASS4\mpservic.exe -> Canon Inc [Ver = 4.00 | Size = 49152 bytes | Modified Date = 8/21/2001 6:42:48 PM | Attr = ]
nvsvc32.exe -> %System32%\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.13.10.2311 | Size = 57344 bytes | Modified Date = 11/29/2001 2:28:00 AM | Attr = ]
psnotes.exe -> %ProgramFiles%\3M\PSNotes\PSNOTES.EXE -> 3M [Ver = 1.5.320.232 | Size = 1527296 bytes | Modified Date = 8/28/1996 11:50:56 AM | Attr = ]
qttask.exe -> %ProgramFiles%\QuickTime\qttask.exe -> Apple Computer, Inc. [Ver = 7.1 | Size = 282624 bytes | Modified Date = 6/8/2006 4:40:32 PM | Attr = ]
winpfind3u.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.36.0 | Size = 319488 bytes | Modified Date = 5/8/2007 7:48:10 PM | Attr = ]
[Win32 Services - Non-Microsoft Only]
(Adobe LM Service) Adobe LM Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Adobe Systems Shared\Service\Adobelmsvc.exe -> Adobe Systems [Ver = 2.65.010 | Size = 69632 bytes | Modified Date = 5/16/2005 10:14:52 PM | Attr = ]
(aswUpdSv) avast! iAVS4 Control Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 16512 bytes | Modified Date = 4/30/2007 8:29:56 AM | Attr = ]
(avast! Antivirus) avast! Antivirus [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 132736 bytes | Modified Date = 4/30/2007 8:42:40 AM | Attr = ]
(avast! Mail Scanner) avast! Mail Scanner [Win32_Own | On_Demand | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 243328 bytes | Modified Date = 4/30/2007 9:04:38 AM | Attr = ]
(avast! Web Scanner) avast! Web Scanner [Win32_Own | On_Demand | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 345728 bytes | Modified Date = 4/30/2007 8:41:28 AM | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 8/4/2004 12:56:50 AM | Attr = ]
(gusvc) Google Updater Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe -> Google [Ver = 2.0.734.29932.beta | Size = 138168 bytes | Modified Date = 1/26/2007 11:07:42 AM | Attr = ]
(IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\InstallShield\Driver\11\Intel 32\IDriverT.exe -> Macrovision Corporation [Ver = 11.00.28844 | Size = 69632 bytes | Modified Date = 4/4/2005 1:41:10 AM | Attr = ]
(iPodService) iPodService [Win32_Own | On_Demand | Running] -> %ProgramFiles%\iPod\bin\iPodService.exe -> Apple Computer, Inc. [Ver = 6.0.5.20 | Size = 323584 bytes | Modified Date = 6/14/2006 4:23:58 PM | Attr = ]
(MpService) MpService [Win32_Own | Auto | Running] -> %ProgramFiles%\Canon\MultiPASS4\mpservic.exe -> Canon Inc [Ver = 4.00 | Size = 49152 bytes | Modified Date = 8/21/2001 6:42:48 PM | Attr = ]
(NVSvc) NVIDIA Driver Helper Service [Win32_Own | Auto | Running] -> %System32%\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.13.10.2311 | Size = 57344 bytes | Modified Date = 11/29/2001 2:28:00 AM | Attr = ]
(SPF4) Sunbelt Personal Firewall 4 [Win32_Own | Auto | Running] -> %ProgramFiles%\Sunbelt Software\Personal Firewall\kpf4ss.exe -> Sunbelt Software [Ver = 4.5.916.0 | Size = 1234480 bytes | Modified Date = 4/26/2007 10:21:28 AM | Attr = ]
(SymWSC) SymWMI Service [Win32_Own | Auto | Stopped] -> %CommonProgramFiles%\Symantec Shared\Security Center\SymWSC.exe -> Symantec Corporation [Ver = 2005.1.2.20 | Size = 316544 bytes | Modified Date = 11/2/2004 5:59:50 PM | Attr = ]
Robert88
2007-05-14, 21:26
WinPFind results #2
[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
-> -> File not found
Acrobat Assistant 7.0 -> %ProgramFiles%\Adobe\Acrobat 7.0\Distillr\AcroTray.exe -> Adobe Systems Inc. [Ver = 7.0.7.2006011200 | Size = 483328 bytes | Modified Date = 1/12/2006 9:52:32 PM | Attr = ]
avast! -> %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 75392 bytes | Modified Date = 4/30/2007 8:42:48 AM | Attr = ]
fxredir -> %System32%\FxRedir.exe -> Canon Inc [Ver = 4.00 | Size = 65536 bytes | Modified Date = 8/21/2001 6:49:14 PM | Attr = ]
iTunesHelper -> %ProgramFiles%\iTunes\iTunesHelper.exe -> Apple Computer, Inc. [Ver = 6.0.5.20 | Size = 278528 bytes | Modified Date = 6/14/2006 4:24:14 PM | Attr = ]
monitr32 -> %ProgramFiles%\Canon\MultiPASS4\monitr32.exe -> Canon Inc [Ver = 4.00 | Size = 311296 bytes | Modified Date = 8/21/2001 6:52:34 PM | Attr = ]
QuickTime Task -> %ProgramFiles%\QuickTime\qttask.exe -> Apple Computer, Inc. [Ver = 7.1 | Size = 282624 bytes | Modified Date = 6/8/2006 4:40:32 PM | Attr = ]
SunJavaUpdateSched -> %ProgramFiles%\Java\j2re1.4.2_03\bin\jusched.exe -> [Ver = | Size = 32881 bytes | Modified Date = 11/19/2003 5:48:14 PM | Attr = ]
TkBellExe -> %CommonProgramFiles%\Real\Update_OB\evntsvc.exe -> RealNetworks, Inc. [Ver = 0.1.0.880 | Size = 146432 bytes | Modified Date = 5/16/2002 12:12:46 AM | Attr = ]
UserFaultCheck -> -> File not found
< OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\
IMAIL -> Installed = 1 ->
MAPI -> Installed = 1 ->
MSFS -> Installed = 1 ->
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Copernic Desktop Search 2 -> %ProgramFiles%\Copernic Desktop Search 2\DesktopSearchService.exe -> Copernic Technologies Inc. [Ver = 2.0.2.2526 | Size = 1546544 bytes | Modified Date = 12/8/2006 8:58:06 AM | Attr = ]
swg -> %ProgramFiles%\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe -> Google Inc. [Ver = 1, 2, 1128, 5462 | Size = 171448 bytes | Modified Date = 1/26/2007 11:07:44 AM | Attr = ]
< Common Startup > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup
%AllUsersStartup%\Adobe Acrobat Speed Launcher.lnk -> %SystemRoot%\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe -> [Ver = | Size = 25214 bytes | Modified Date = 5/6/2007 12:40:28 PM | Attr = R ]
%AllUsersStartup%\Adobe Reader Speed Launch.lnk -> %ProgramFiles%\Adobe\Acrobat 7.0\Reader\reader_sl.exe -> Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 29696 bytes | Modified Date = 9/23/2005 11:05:26 PM | Attr = ]
< User Startup > -> C:\Documents and Settings\Robert James\Start Menu\Programs\Startup
%UserStartup%\Post-it® Software Notes.lnk -> %ProgramFiles%\3M\PSNotes\PSNOTES.EXE -> 3M [Ver = 1.5.320.232 | Size = 1527296 bytes | Modified Date = 8/28/1996 11:50:56 AM | Attr = ]
%UserStartup%\Real-time Monitor.lnk -> -> File not found
< AppInit_DLLs [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls ->
NVDESK32.DLL -> %System32%\nvdesk32.dll -> NVIDIA Corporation [Ver = 6.13.10.2311 | Size = 102400 bytes | Modified Date = 11/29/2001 2:28:00 AM | Attr = ]
< SSODL [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
[HKLM] -> Reg Data - Key not found [CDBurn] -> File not found
< ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
{3F9D0C61-737D-44D1-BD80-91AF857061CC} [HKLM] -> Reg Data - Key not found [] -> File not found
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< CurrentVersion Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 ->
< CurrentVersion Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 ->
< Software Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\policies\
HKEY_LOCAL_MACHINE\SOFTWARE\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Conferencing\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Installer\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Installer\\EnableAdminTSRemote -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\RTC\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\RTC\PortRange\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\RTC\PortRange\\Enabled -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\\ExecutableTypes -> ADE;ADP;BAS;BAT;CHM;CMD;COM;CPL;CRT;EXE;HLP;HTA;INF;INS;ISP;LNK;MDB;MDE;MSC;MSI;MSP;MST;OCX;PCD;PIF;REG;SCR;SHS;URL;VB;WSC; ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\\TransparentEnabled -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\\DefaultLevel -> 262144 ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\\AuthenticodeEnabled -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\\PolicyScope -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}\\Description -> Stop the download of this file ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}\\FriendlyName -> Mdac11.cab ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}\\SaferFlags -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}\\HashAlg -> 32771 ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}\\ItemData -> ^«0O•zI‰j
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}\\LastModified -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}\\ItemSize -> ; ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}\\Description -> Stop the download of this file ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}\\FriendlyName -> mdac20.cab ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}\\SaferFlags -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}\\HashAlg -> 32771 ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}\\ItemData -> g°Ô‹4:?Ó¼éÜdgó” ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}\\LastModified -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}\\ItemSize -> ; ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}\\Description -> Stop the download of this file ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}\\FriendlyName -> mdac20_a.cab ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}\\SaferFlags -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}\\HashAlg -> 32771 ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}\\ItemData -> 2xÜþøÈ“ÜŠ°Ý„} ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}\\LastModified -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}\\ItemSize -> –; ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}\\Description -> Stop the download of this file ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}\\FriendlyName -> _msadc10.cab ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}\\SaferFlags -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}\\HashAlg -> 32771 ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}\\ItemData -> ½š*ÛBëØV%Mø/g ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}\\LastModified -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}\\ItemSize -> å; ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}\\Description -> Stop the download of this file ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}\\FriendlyName -> msadc11.cab ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}\\SaferFlags -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}\\HashAlg -> 32771 ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}\\ItemData -> 8k_„ìöiÓk•j"À€ ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}\\LastModified -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}\\ItemSize -> r; ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}\\Description -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}\\SaferFlags -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}\\ItemData -> %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK* ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}\\LastModified -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows NT\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows NT\Terminal Services\ -> ->
< Software Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\policies\
HKEY_CURRENT_USER\Software\Policies\ -> ->
HKEY_CURRENT_USER\Software\Policies\Microsoft\ -> ->
< HOSTS File > (734 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts
127.0.0.1 localhost -> ->
< Internet Explorer Settings > ->
HKLM: Default_Page_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome ->
HKLM: Main\\Default_Search_URL -> http://www.google.com/ie ->
HKLM: Local Page -> %SystemRoot%\system32\blank.htm ->
HKLM: Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKLM: Start Page -> http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home ->
HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKLM: Search\\Default_Search_URL -> http://www.google.com/ie ->
HKLM: SearchAssistant -> http://www.google.com/ie ->
HKCU: Local Page -> C:\WINDOWS\system32\blank.htm ->
HKCU: Search Bar -> http://www.google.com/ie ->
HKCU: Search Page -> http://www.google.com ->
HKCU: Start Page -> file:///C:/My%20Documents/fav%20061106.htm ->
HKCU: SearchAssistant -> http://www.google.com/ie ->
HKCU: ProxyEnable -> 0 ->
< Trusted Sites > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
msn.com [ - ] -> ->
< Trusted Sites > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
aol.com [ - ] -> ->
free_aol.com [ - ] -> ->
office_microsoft.com [http] -> ->
accountmanager_providentcu.org [https] -> ->
estatement_providentcu.org [https] -> ->
www_providentcu.org -> ->
billpay_pscufs.com -> ->
< BHO's > ->
Robert88
2007-05-14, 21:31
WinPFind #3
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [] -> Safer Networking Limited [Ver = 1, 4, 0, 0 | Size = 853672 bytes | Modified Date = 5/31/2005 2:04:00 AM | Attr = ]
{AA58ED58-01DD-4d91-8333-CF10577473F7} [HKLM] -> %ProgramFiles%\Google\googletoolbar5.dll [Google Toolbar Helper] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 1/20/2007 12:55:32 AM | Attr = R ]
{AE7CD045-E861-484f-8273-0445EE161910} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [Adobe PDF Conversion Toolbar Helper] -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 5:18:14 AM | Attr = ]
< Internet Explorer Bars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{182EC0BE-5110-49C8-A062-BEB1D02A220B} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 5:18:14 AM | Attr = ]
{968631B6-4729-440D-9BF4-251F5593EC9A} [HKLM] -> %ProgramFiles%\Copernic Desktop Search 2\DesktopSearchBand2526.dll [Copernic Desktop Search 2] -> Copernic Technologies Inc. [Ver = 2.0.2.2526 | Size = 1040176 bytes | Modified Date = 12/8/2006 8:58:22 AM | Attr = ]
{9C3FCA1F-99E3-48F2-A7F4-DD3931B2F99A} [HKLM] -> %ProgramFiles%\Copernic Desktop Search 2\DesktopSearchBand2526.dll [Copernic Desktop Search 2] -> Copernic Technologies Inc. [Ver = 2.0.2.2526 | Size = 1040176 bytes | Modified Date = 12/8/2006 8:58:22 AM | Attr = ]
< Internet Explorer Bars [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{32683183-48a0-441b-a342-7c2a440a9478} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
{2318C2B1-4965-11d4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar5.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 1/20/2007 12:55:32 AM | Attr = R ]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 5:18:14 AM | Attr = ]
{968631B6-4729-440D-9BF4-251F5593EC9A} [HKLM] -> %ProgramFiles%\Copernic Desktop Search 2\DesktopSearchBand2526.dll [Copernic Desktop Search 2] -> Copernic Technologies Inc. [Ver = 2.0.2.2526 | Size = 1040176 bytes | Modified Date = 12/8/2006 8:58:22 AM | Attr = ]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar5.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 1/20/2007 12:55:32 AM | Attr = R ]
ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
ShellBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 5:18:14 AM | Attr = ]
WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar5.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 1/20/2007 12:55:32 AM | Attr = R ]
WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 5:18:14 AM | Attr = ]
WebBrowser\\{968631B6-4729-440D-9BF4-251F5593EC9A} [HKLM] -> %ProgramFiles%\Copernic Desktop Search 2\DesktopSearchBand2526.dll [Copernic Desktop Search 2] -> Copernic Technologies Inc. [Ver = 2.0.2.2526 | Size = 1040176 bytes | Modified Date = 12/8/2006 8:58:22 AM | Attr = ]
< Internet Explorer Menu Extensions [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\
Convert link target to Adobe PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIECapture.htm -> File not found
Convert link target to existing PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIEAppend.htm -> File not found
Convert selected links to Adobe PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIECaptureSelLinks.htm -> File not found
Convert selected links to existing PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIEAppendSelLinks.htm -> File not found
Convert selection to Adobe PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIECapture.htm -> File not found
Convert selection to existing PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIEAppend.htm -> File not found
Convert to Adobe PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIECapture.htm -> File not found
Convert to existing PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIEAppend.htm -> File not found
< User Agent Post Platform [HKLM] > ->HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
Q312461 -> ->
SV1 -> ->
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\
{D1EF22C8-81B0-4631-8DA2-BEFC9739943E} -> 72.164.173.199,69.60.160.196 (Intel(R) PRO/100 VE Network Connection) ->
< Default Protocols [HKCU] - Select to Repair > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults
LSC-Help -> 0 = My Computer (Not a Default Protocol) ->
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
skype4com -> %CommonProgramFiles%\Skype\Skype4COM.dll -> Skype Technologies [Ver = 1, 0, 27, 0 | Size = 1828440 bytes | Modified Date = 1/12/2007 1:50:48 PM | Attr = R ]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
{00000075-0000-0010-8000-00AA00389B71} -> - CodeBase = http://codecs.microsoft.com/codecs/i386/voxmsdec.CAB ->
{02BCC737-B171-4746-94C9-0D8A0B2C0089} -> Microsoft Office Template and Media Control - CodeBase = http://office.microsoft.com/templates/ieawsdc.cab ->
{166B1BCA-3F9C-11CF-8075-444553540000} -> Shockwave ActiveX Control - CodeBase = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab ->
{215B8138-A3CF-44C5-803F-8226143CFC0A} -> Trend Micro ActiveX Scan Agent 6.6 - CodeBase = http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab ->
{29C13B62-B9F7-4CD3-8CEF-0A58A1A99441} -> - CodeBase = http://fdl.msn.com/public/chat/msnchat41.cab ->
{33564D57-9980-0010-8000-00AA00389B71} -> - CodeBase = http://codecs.microsoft.com/codecs/i386/wmv9dmo.cab ->
{6CB5E471-C305-11D3-99A8-000086395495} -> - CodeBase = http://toolbar.google.com/data/en/deleon/1.1.48-deleon/GoogleNav.cab ->
{7B297BFD-85E4-4092-B2AF-16A91B2EA103} -> WScanCtl Class - CodeBase = http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab ->
{8AD9C840-044E-11D1-B3E9-00805F499D93} -> Java Plug-in 1.4.2_03 - CodeBase = http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab ->
{9F1C11AA-197B-4942-BA54-47A8489BB47F} -> - CodeBase = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37293.4701736111 ->
{A4639D2F-774E-11D3-A490-00C04F6843FB} -> IEAnimBehaviorFactory Class - CodeBase = http://download.microsoft.com/download/vizact2000/Install/10/WIN98Me/EN-US/msorun.cab ->
{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} -> Java Plug-in 1.4.2_03 - CodeBase = http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab ->
{D27CDB6E-AE6D-11CF-96B8-444553510000} -> - CodeBase = http://active.macromedia.com/flash2/cabs/swflash.cab ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} -> - CodeBase = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab ->
Microsoft XML Parser for Java -> - CodeBase = file://C:\WINDOWS\Java\classes\xmldso.cab ->
Robert88
2007-05-14, 21:33
WinPFind #4: let me know if the pasting job did not work for you.
[Files/Folders - Created Within 30 days]
AntiSpyware -> %SystemDrive%\AntiSpyware -> [Folder | Created Date = 5/9/2007 10:59:11 PM | Attr = ]
VundoFix Backups -> %SystemDrive%\VundoFix Backups -> [Folder | Created Date = 5/13/2007 12:42:46 PM | Attr = ]
$NtUninstallKB930916$ -> %SystemRoot%\$NtUninstallKB930916$ -> [Folder | Created Date = 5/9/2007 9:42:07 PM | Attr = H ]
$NtUninstallKB931768$ -> %SystemRoot%\$NtUninstallKB931768$ -> [Folder | Created Date = 5/9/2007 9:42:34 PM | Attr = H ]
W03UNINS.INI -> %SystemRoot%\W03UNINS.INI -> [Ver = | Size = 47 bytes | Created Date = 5/6/2007 8:21:58 AM | Attr = ]
W04UNINS.INI -> %SystemRoot%\W04UNINS.INI -> [Ver = | Size = 47 bytes | Created Date = 5/6/2007 8:23:19 AM | Attr = ]
W05UNINS.INI -> %SystemRoot%\W05UNINS.INI -> [Ver = | Size = 47 bytes | Created Date = 5/6/2007 8:25:05 AM | Attr = ]
actskin4.ocx -> %System32%\actskin4.ocx -> [Ver = 4, 2, 7, 3 | Size = 380928 bytes | Created Date = 5/2/2007 7:21:24 PM | Attr = ]
aswBoot.exe -> %System32%\aswBoot.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 745600 bytes | Created Date = 5/2/2007 7:21:24 PM | Attr = ]
AvastSS.scr -> %System32%\AvastSS.scr -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 95872 bytes | Created Date = 5/2/2007 7:21:45 PM | Attr = ]
cbkaaekq.ini -> %System32%\cbkaaekq.ini -> [Ver = | Size = 1467852 bytes | Created Date = 5/4/2007 12:24:36 PM | Attr = HS]
iermgdov.ini -> %System32%\iermgdov.ini -> [Ver = | Size = 1450321 bytes | Created Date = 5/4/2007 9:37:34 PM | Attr = HS]
jeaxjirj.ini -> %System32%\jeaxjirj.ini -> [Ver = | Size = 1484 bytes | Created Date = 5/4/2007 9:27:51 PM | Attr = HS]
mcrh.tmp -> %System32%\mcrh.tmp -> [Ver = | Size = 0 bytes | Created Date = 5/2/2007 7:15:23 PM | Attr = ]
nqstv.ini -> %System32%\nqstv.ini -> [Ver = | Size = 353 bytes | Created Date = 4/22/2007 9:42:17 PM | Attr = HS]
pkcnybqs.dll -> %System32%\pkcnybqs.dll -> [Ver = | Size = 49204 bytes | Created Date = 1/1/1601 8:00:00 AM | Attr = ]
rvoiwwdf.ini -> %System32%\rvoiwwdf.ini -> [Ver = | Size = 1183 bytes | Created Date = 5/1/2007 4:21:35 PM | Attr = HS]
tvvcpvtr.ini -> %System32%\tvvcpvtr.ini -> [Ver = | Size = 1435451 bytes | Created Date = 5/10/2007 7:35:20 PM | Attr = HS]
vodgmrei.dll -> %System32%\vodgmrei.dll -> [Ver = | Size = 132660 bytes | Created Date = 5/4/2007 9:37:31 PM | Attr = ]
aavmker4.sys -> %System32%\drivers\aavmker4.sys -> ALWIL Software [Ver = 4.7.997.0 | Size = 26888 bytes | Created Date = 5/2/2007 7:21:51 PM | Attr = ]
aswmon.sys -> %System32%\drivers\aswmon.sys -> ALWIL Software [Ver = 4.7.997.0 | Size = 85952 bytes | Created Date = 5/2/2007 7:21:34 PM | Attr = ]
aswmon2.sys -> %System32%\drivers\aswmon2.sys -> ALWIL Software [Ver = 4.7.997.0 | Size = 94552 bytes | Created Date = 5/2/2007 7:21:34 PM | Attr = ]
aswRdr.sys -> %System32%\drivers\aswRdr.sys -> ALWIL Software [Ver = 4.7.997.0 | Size = 23416 bytes | Created Date = 5/2/2007 7:21:53 PM | Attr = ]
aswTdi.sys -> %System32%\drivers\aswTdi.sys -> ALWIL Software [Ver = 4.7.997.0 | Size = 43176 bytes | Created Date = 5/2/2007 7:21:52 PM | Attr = ]
fwdrv.err -> %System32%\drivers\fwdrv.err -> [Ver = | Size = 165 bytes | Created Date = 5/10/2007 5:37:39 PM | Attr = ]
fwdrv.sys -> %System32%\drivers\fwdrv.sys -> Sunbelt Software [Ver = 4.3.182.0 | Size = 302000 bytes | Created Date = 4/26/2007 9:21:30 AM | Attr = ]
khips.sys -> %System32%\drivers\khips.sys -> Sunbelt Software [Ver = 4.3.182.0 | Size = 72624 bytes | Created Date = 4/26/2007 9:21:34 AM | Attr = ]
tmcomm.sys -> %System32%\drivers\tmcomm.sys -> Trend Micro Inc. [Ver = 1.5.0.1052 | Size = 76560 bytes | Created Date = 5/5/2007 9:49:15 AM | Attr = ]
[Files/Folders - Modified Within 30 days]
AntiSpyware -> %SystemDrive%\AntiSpyware -> [Folder | Modified Date = 5/9/2007 11:59:40 PM | Attr = ]
CFSLib -> %SystemDrive%\CFSLib -> [Folder | Modified Date = 5/6/2007 12:57:04 PM | Attr = ]
Download -> %SystemDrive%\Download -> [Folder | Modified Date = 5/9/2007 12:00:04 PM | Attr = ]
Lacerte -> %SystemDrive%\Lacerte -> [Folder | Modified Date = 5/6/2007 12:56:42 PM | Attr = ]
Program Files -> %ProgramFiles% -> [Folder | Modified Date = 5/9/2007 8:38:36 PM | Attr = ]
QUICKENW -> %SystemDrive%\QUICKENW -> [Folder | Modified Date = 5/6/2007 12:53:30 PM | Attr = ]
Rob -> %SystemDrive%\Rob -> [Folder | Modified Date = 5/3/2007 10:36:26 PM | Attr = ]
Sue -> %SystemDrive%\Sue -> [Folder | Modified Date = 5/8/2007 3:43:40 PM | Attr = ]
VundoFix Backups -> %SystemDrive%\VundoFix Backups -> [Folder | Modified Date = 5/13/2007 2:06:30 PM | Attr = ]
WINDOWS -> %SystemRoot% -> [Folder | Modified Date = 5/9/2007 10:49:26 PM | Attr = ]
$hf_mig$ -> %SystemRoot%\$hf_mig$ -> [Folder | Modified Date = 5/9/2007 10:42:28 PM | Attr = H ]
$NtUninstallKB930916$ -> %SystemRoot%\$NtUninstallKB930916$ -> [Folder | Modified Date = 5/9/2007 10:42:10 PM | Attr = H ]
$NtUninstallKB931768$ -> %SystemRoot%\$NtUninstallKB931768$ -> [Folder | Modified Date = 5/9/2007 10:42:40 PM | Attr = H ]
bootstat.dat -> %SystemRoot%\bootstat.dat -> [Ver = | Size = 2048 bytes | Modified Date = 5/14/2007 11:02:06 AM | Attr = S]
CFSREG.INI -> %SystemRoot%\CFSREG.INI -> [Ver = | Size = 1265 bytes | Modified Date = 5/6/2007 9:29:06 AM | Attr = ]
Debug -> %SystemRoot%\Debug -> [Folder | Modified Date = 5/9/2007 10:40:18 PM | Attr = ]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files -> [Folder | Modified Date = 5/10/2007 12:16:38 AM | Attr = S]
Fonts -> %SystemRoot%\Fonts -> [Folder | Modified Date = 5/6/2007 9:30:24 AM | Attr = R S]
Help -> %SystemRoot%\Help -> [Folder | Modified Date = 5/4/2007 10:53:04 PM | Attr = ]
imsins.BAK -> %SystemRoot%\imsins.BAK -> [Ver = | Size = 1355 bytes | Modified Date = 5/9/2007 10:42:26 PM | Attr = ]
inf -> %SystemRoot%\inf -> [Folder | Modified Date = 5/9/2007 10:44:26 PM | Attr = H ]
Installer -> %SystemRoot%\Installer -> [Folder | Modified Date = 5/9/2007 9:35:48 PM | Attr = HS]
lacerte.ini -> %SystemRoot%\lacerte.ini -> [Ver = | Size = 40 bytes | Modified Date = 5/6/2007 9:18:00 AM | Attr = ]
ODBC.INI -> %SystemRoot%\ODBC.INI -> [Ver = | Size = 833 bytes | Modified Date = 5/2/2007 7:46:38 PM | Attr = ]
Prefetch -> %SystemRoot%\Prefetch -> [Folder | Modified Date = 5/14/2007 11:09:44 AM | Attr = ]
psdewin.ini -> %SystemRoot%\psdewin.ini -> [Ver = | Size = 74 bytes | Modified Date = 5/8/2007 3:13:58 PM | Attr = ]
psdxport.ini -> %SystemRoot%\psdxport.ini -> [Ver = | Size = 4676 bytes | Modified Date = 5/8/2007 3:13:58 PM | Attr = ]
QTFont.qfn -> %SystemRoot%\QTFont.qfn -> [Ver = | Size = 54156 bytes | Modified Date = 4/23/2007 3:20:26 PM | Attr = H ]
Registration -> %SystemRoot%\Registration -> [Folder | Modified Date = 4/22/2007 10:32:24 PM | Attr = ]
ShellNew -> %SystemRoot%\ShellNew -> [Folder | Modified Date = 5/2/2007 7:35:00 PM | Attr = ]
system32 -> %System32% -> [Folder | Modified Date = 5/14/2007 11:10:28 AM | Attr = ]
Temp -> %SystemRoot%\Temp -> [Folder | Modified Date = 5/14/2007 11:03:44 AM | Attr = ]
W03Tax.INI -> %SystemRoot%\W03Tax.INI -> [Ver = | Size = 492 bytes | Modified Date = 5/6/2007 9:21:56 AM | Attr = ]
W03UNINS.INI -> %SystemRoot%\W03UNINS.INI -> [Ver = | Size = 47 bytes | Modified Date = 5/6/2007 9:22:00 AM | Attr = ]
W03UPDAT.INI -> %SystemRoot%\W03UPDAT.INI -> [Ver = | Size = 47 bytes | Modified Date = 5/6/2007 9:21:58 AM | Attr = ]
W04Tax.INI -> %SystemRoot%\W04Tax.INI -> [Ver = | Size = 1547 bytes | Modified Date = 5/6/2007 9:23:14 AM | Attr = ]
W04UNINS.INI -> %SystemRoot%\W04UNINS.INI -> [Ver = | Size = 47 bytes | Modified Date = 5/6/2007 9:23:20 AM | Attr = ]
W04UPDAT.INI -> %SystemRoot%\W04UPDAT.INI -> [Ver = | Size = 47 bytes | Modified Date = 5/6/2007 9:23:16 AM | Attr = ]
W05Tax.ini -> %SystemRoot%\W05Tax.ini -> [Ver = | Size = 4011 bytes | Modified Date = 5/6/2007 9:25:04 AM | Attr = ]
W05UNINS.INI -> %SystemRoot%\W05UNINS.INI -> [Ver = | Size = 47 bytes | Modified Date = 5/6/2007 9:25:06 AM | Attr = ]
w05updat.INI -> %SystemRoot%\w05updat.INI -> [Ver = | Size = 447 bytes | Modified Date = 5/6/2007 9:25:10 AM | Attr = ]
W06Tax.ini -> %SystemRoot%\W06Tax.ini -> [Ver = | Size = 6235 bytes | Modified Date = 5/6/2007 9:16:26 AM | Attr = ]
win.ini -> %SystemRoot%\win.ini -> [Ver = | Size = 640 bytes | Modified Date = 5/2/2007 7:36:10 PM | Attr = ]
WinSxS -> %SystemRoot%\WinSxS -> [Folder | Modified Date = 5/9/2007 8:38:42 PM | Attr = ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [Ver = | Size = 6 bytes | Modified Date = 5/14/2007 11:02:16 AM | Attr = H ]
Symantec NetDetect.job -> %SystemRoot%\tasks\Symantec NetDetect.job -> [Ver = | Size = 378 bytes | Modified Date = 5/14/2007 9:54:16 AM | Attr = ]
aswBoot.exe -> %System32%\aswBoot.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 745600 bytes | Modified Date = 4/30/2007 8:46:10 AM | Attr = ]
AvastSS.scr -> %System32%\AvastSS.scr -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 95872 bytes | Modified Date = 4/30/2007 8:35:28 AM | Attr = ]
CatRoot2 -> %System32%\CatRoot2 -> [Folder | Modified Date = 5/9/2007 10:44:28 PM | Attr = ]
cbkaaekq.ini -> %System32%\cbkaaekq.ini -> [Ver = | Size = 1467852 bytes | Modified Date = 5/4/2007 10:26:46 PM | Attr = HS]
CONFIG.NT -> %System32%\CONFIG.NT -> [Ver = | Size = 2626 bytes | Modified Date = 5/2/2007 8:21:52 PM | Attr = ]
dllcache -> %System32%\dllcache -> [Folder | Modified Date = 5/9/2007 10:43:48 PM | Attr = RHS]
drivers -> %System32%\drivers -> [Folder | Modified Date = 5/10/2007 6:37:40 PM | Attr = ]
FNTCACHE.DAT -> %System32%\FNTCACHE.DAT -> [Ver = | Size = 200936 bytes | Modified Date = 5/6/2007 10:38:16 AM | Attr = ]
iermgdov.ini -> %System32%\iermgdov.ini -> [Ver = | Size = 1450321 bytes | Modified Date = 5/10/2007 8:33:48 PM | Attr = HS]
jeaxjirj.ini -> %System32%\jeaxjirj.ini -> [Ver = | Size = 1484 bytes | Modified Date = 5/4/2007 10:39:34 PM | Attr = HS]
mcrh.tmp -> %System32%\mcrh.tmp -> [Ver = | Size = 0 bytes | Modified Date = 5/2/2007 8:16:30 PM | Attr = ]
nqstv.ini -> %System32%\nqstv.ini -> [Ver = | Size = 353 bytes | Modified Date = 4/22/2007 10:42:18 PM | Attr = HS]
rvoiwwdf.ini -> %System32%\rvoiwwdf.ini -> [Ver = | Size = 1183 bytes | Modified Date = 5/4/2007 1:25:58 PM | Attr = HS]
tvvcpvtr.ini -> %System32%\tvvcpvtr.ini -> [Ver = | Size = 1435451 bytes | Modified Date = 5/14/2007 7:51:12 AM | Attr = HS]
vodgmrei.dll -> %System32%\vodgmrei.dll -> [Ver = | Size = 132660 bytes | Modified Date = 5/4/2007 10:37:34 PM | Attr = ]
wpa.dbl -> %System32%\wpa.dbl -> [Ver = | Size = 2422 bytes | Modified Date = 5/14/2007 11:03:44 AM | Attr = ]
aavmker4.sys -> %System32%\drivers\aavmker4.sys -> ALWIL Software [Ver = 4.7.997.0 | Size = 26888 bytes | Modified Date = 4/30/2007 8:37:24 AM | Attr = ]
aswmon.sys -> %System32%\drivers\aswmon.sys -> ALWIL Software [Ver = 4.7.997.0 | Size = 85952 bytes | Modified Date = 4/30/2007 8:41:56 AM | Attr = ]
aswmon2.sys -> %System32%\drivers\aswmon2.sys -> ALWIL Software [Ver = 4.7.997.0 | Size = 94552 bytes | Modified Date = 4/30/2007 8:41:42 AM | Attr = ]
aswRdr.sys -> %System32%\drivers\aswRdr.sys -> ALWIL Software [Ver = 4.7.997.0 | Size = 23416 bytes | Modified Date = 4/30/2007 8:39:42 AM | Attr = ]
aswTdi.sys -> %System32%\drivers\aswTdi.sys -> ALWIL Software [Ver = 4.7.997.0 | Size = 43176 bytes | Modified Date = 4/30/2007 8:38:52 AM | Attr = ]
etc -> %System32%\drivers\etc -> [Folder | Modified Date = 5/5/2007 8:02:46 PM | Attr = ]
fwdrv.err -> %System32%\drivers\fwdrv.err -> [Ver = | Size = 165 bytes | Modified Date = 5/10/2007 6:37:40 PM | Attr = ]
fwdrv.sys -> %System32%\drivers\fwdrv.sys -> Sunbelt Software [Ver = 4.3.182.0 | Size = 302000 bytes | Modified Date = 4/26/2007 10:21:30 AM | Attr = ]
khips.sys -> %System32%\drivers\khips.sys -> Sunbelt Software [Ver = 4.3.182.0 | Size = 72624 bytes | Modified Date = 4/26/2007 10:21:34 AM | Attr = ]
tmcomm.sys -> %System32%\drivers\tmcomm.sys -> Trend Micro Inc. [Ver = 1.5.0.1052 | Size = 76560 bytes | Modified Date = 5/4/2007 10:46:34 PM | Attr = ]
[File String Scan - Non-Microsoft Only]
@Alternate Data Stream - 0 bytes -> %SystemDrive%\Thumbs.db:encryptable ->
@Alternate Data Stream - 0 bytes -> %SystemRoot%\Thumbs.db:encryptable ->
UPX! , UPX0 , -> %System32%\aswBoot.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 745600 bytes | Modified Date = 4/30/2007 8:46:10 AM | Attr = ]
PEC2 , -> %System32%\dfrg.msc -> [Ver = | Size = 41397 bytes | Modified Date = 8/18/2001 5:00:00 AM | Attr = ]
PEC2 , -> %System32%\ODBCJET.HLP -> [Ver = | Size = 163384 bytes | Modified Date = 8/29/1996 | Attr = ]
UPX! , -> %System32%\vodgmrei.dll -> [Ver = | Size = 132660 bytes | Modified Date = 5/4/2007 10:37:34 PM | Attr = ]
winsync , -> %System32%\wbdbase.deu -> [Ver = | Size = 1309184 bytes | Modified Date = 8/18/2001 5:00:00 AM | Attr = ]
WSUD , UPX0 , -> %System32%\dllcache\hwxjpn.dll -> [Ver = | Size = 13463552 bytes | Modified Date = 8/18/2001 5:00:00 AM | Attr = ]
PTech , -> %System32%\drivers\mtlstrm.sys -> Smart Link [Ver = 3.80.01MC15 | Size = 1309184 bytes | Modified Date = 8/3/2004 10:41:38 PM | Attr = ]
< End of report >
Hi
Please upload these files from c:\windows\system32 folder to jotti, too and post back results:
cbkaaekq.ini
iermgdov.ini
jeaxjirj.ini
mcrh.tmp
nqstv.ini
pkcnybqs.dll
rvoiwwdf.ini
tvvcpvtr.ini
vodgmrei.dll
Robert88
2007-05-15, 17:43
Both virus scanner sites are very busy at the moment. Currently, I plan to use the email option at virustotal and post the results.
In the meantime, I cannot locate one of the files you wanted me to scan: pkcnybqs.dll on my system. If that information changes your strategy, please let me know. Thanks.
Hi
If your hidden and system files are visible then just ignore that file :)
Robert88
2007-05-16, 01:49
the first result is from virus total as I thought/hoped they would analyze all the files I sent in an email, but they just did the first one. But by then, Jotti was not so busy so I did the rest with them, and cut and pasted text results. Looks like only the last file is infected, but it's your call!
Complete scanning result of "cbkaaekq.ini", processed in VirusTotal at 05/15/2007 23:36:08 (CET).
[ file data ]
* name: cbkaaekq.ini
* size: 1467852
* md5.: 7ff590fe5a9b740a6005944e94c1ca0c
* sha1: 152d038c422903260e288a0876fa10b7b5bd610e
[ scan result ]
AhnLab-V3 2007.5.15.1/20070515 found nothing
AntiVir 7.4.0.15/20070515 found nothing
Authentium 4.93.8/20070515 found nothing
Avast 4.7.997.0/20070515 found nothing
AVG 7.5.0.467/20070515 found nothing
BitDefender 7.2/20070515 found nothing
CAT-QuickHeal 9.00/20070515 found nothing
ClamAV devel-20070416/20070515 found nothing
DrWeb 4.33/20070515 found nothing
eSafe 7.0.15.0/20070515 found nothing
eTrust-Vet 30.7.3634/20070515 found nothing
Ewido 4.0/20070515 found nothing
F-Prot 4.3.2.48/20070515 found nothing
F-Secure 6.70.13030.0/20070515 found nothing
FileAdvisor 1/20070515 found nothing
Fortinet 2.85.0.0/20070515 found nothing
Ikarus T3.1.1.7/20070515 found nothing
Kaspersky 4.0.2.24/20070515 found nothing
McAfee 5031/20070515 found nothing
Microsoft 1.2503/20070515 found nothing
NOD32v2 2268/20070515 found nothing
Norman 5.80.02/20070515 found nothing
Panda 9.0.0.4/20070515 found nothing
Prevx1 V2/20070515 found nothing
Sophos 4.17.0/20070511 found nothing
Sunbelt 2.2.907.0/20070512 found nothing
Symantec 10/20070515 found nothing
TheHacker 6.1.6.115/20070515 found nothing
VBA32 3.12.0/20070515 found nothing
VirusBuster 4.3.7:9/20070515 found nothing
Webwasher-Gateway 6.0.1/20070515 found nothing
File: iermgdov.ini
Status: OK
MD5 a1a70831cefd33bc38216338be3db93e
Packers detected: -
Scanner results
Scan taken on 15 May 2007 22:15:46 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
File: jeaxjirj.ini
Status: OK
MD5 d9c3c94fe6bcf8f77b588830bee43697
Packers detected: -
Scanner results
Scan taken on 15 May 2007 22:21:59 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
mcrh.tmp
The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file
File: nqstv.ini
Status: OK
MD5 d5689b4461f1b16f44d2c0eaeec88f85
Packers detected: -
Scanner results
Scan taken on 15 May 2007 22:28:23 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
File: rvoiwwdf.ini
Status: OK
MD5 9b1f033568165be68de9fb4e1ed264df
Packers detected: -
Scanner results
Scan taken on 15 May 2007 22:31:37 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
File: tvvcpvtr.ini
Status: OK
MD5 b1e415d4caa98195e429d31503bee10a
Packers detected: -
Scanner results
Scan taken on 15 May 2007 22:34:34 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
File: vodgmrei.dll
Status: INFECTED/MALWARE
MD5 cc7312e3ee78f638d76b1dc40b44e439
Packers detected: -
Scanner results
Scan taken on 15 May 2007 22:38:50 (GMT)
A-Squared Found nothing
AntiVir Found ADSPY/Virtumonde.HB.7
ArcaVir Found Adware.Virtumonde.Hb
Avast Found nothing
AVG Antivirus Found Generic2.ALC
BitDefender Found Trojan.Virtumod.JQ
ClamAV Found Trojan.Packed-7
Dr.Web Found Trojan.Virtumod
F-Prot Antivirus Found W32/Backdoor.AODM
F-Secure Anti-Virus Found not-a-virus:AdWare.Win32.Virtumonde.hb (4, 1, 400)
Fortinet Found nothing
Kaspersky Anti-Virus Found not-a-virus:AdWare.Win32.Virtumonde.hb
NOD32 Found Win32/Adware.Virtumonde application
Norman Virus Control Found W32/Virtumonde.GOM
Panda Antivirus Found nothing
Rising Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
Hi
Well those all are likely bad files (vundo related), AVs just didn't recognize them.
Delete all those files.
Still problems?
Robert88
2007-05-16, 18:21
I deleted the files you suggested.
I shut the computer down, waited a minute and started it up again.
I then emptied the recycle bin (which had just those few files).
I ran spybot and it showed 'smitfraud - c.toolbar888'as the only problem.
Under the headline it showed 2 items: settings (HKEY_USERS|S-1.....) and tracking cookie (ending in whitescat.com).
I selected 'fix problem' and it reported the two problems fixed.
I did a cold reboot again, thinking that the files in the recycle bin may have affected results.
One problem persisted: the Canon Mutipass System Monitor shows 'initializing', but an error message says 'unable to communicate with the device' (the printer). After clicking OK on the popup window and right clicking and selecting 'reconnect' it finally does communicate.
This was not a problem until the virus problem started last week. It has been a nearly constant problem since then.
To check performance, I visited some websites and had timely responsiveness and no hijacking. I checked windows task manager, under the performance tab, and saw that CPU usage rose and fell with activity, rather than staying near 99% as it had been doing. Great!
After sending this report, I will scan with anti-virus software and let you know.
Your article 'why did I get infected in the first place' says to keep Sun Java up to date and remove older versions. Do I need to do anything there?
Hi
Yes, you should update Java and remove older versions.
As for Canon problems, I think you can try uninstalling/re-installing Canon software.
Yes, do a scan with AV and post back report if any problems left :)
Robert88
2007-05-16, 19:33
After another cold reboot I went to Internet and CPU usage started running 100% again, even when I was doing nothing.
Also, could not close Internet Explorer, as has been happening often during this crisis. I click on the X in the top right corner. It shows up on the task bar, but I cannot either open or close it from there.
I then got rid of the old Java program and installed the latest. I assume the offline 12mb download is adequate not the 360mb online download.
I don't have time for an antivirus check yet, but enclose this in case it is helpful.
Will do that check in several hours.
Logfile of HijackThis v1.99.1
Scan saved at 9:27:41 AM, on 5/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\MultiPASS4\monitr32.exe
C:\WINDOWS\System32\fxredir.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\3M\PSNotes\PSNOTES.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\scanner.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/My%20Documents/fav%20061106.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Copernic Desktop Search 2 - {968631B6-4729-440D-9BF4-251F5593EC9A} - C:\Program Files\Copernic Desktop Search 2\DesktopSearchBand2526.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [monitr32] C:\Program Files\Canon\MultiPASS4\monitr32.exe
O4 - HKLM\..\Run: [fxredir] C:\WINDOWS\System32\fxredir.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [917782] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\917782.cpl
O4 - HKCU\..\Run: [65774] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65774.cpl
O4 - HKCU\..\Run: [65746] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65746.cpl
O4 - HKCU\..\Run: [131280] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\131280.cpl
O4 - HKCU\..\Run: [65780] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65780.cpl
O4 - HKCU\..\Run: [65782] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65782.cpl
O4 - HKCU\..\Run: [65784] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65784.cpl
O4 - HKCU\..\Run: [65806] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65806.cpl
O4 - HKCU\..\Run: [65738] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65738.cpl
O4 - HKCU\..\Run: [65778] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65778.cpl
O4 - HKCU\..\Run: [65788] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65788.cpl
O4 - HKCU\..\Run: [65792] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65792.cpl
O4 - HKCU\..\Run: [131284] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\131284.cpl
O4 - HKCU\..\Run: [327892] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\327892.cpl
O4 - HKCU\..\Run: [65794] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65794.cpl
O4 - HKCU\..\Run: [196882] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\196882.cpl
O4 - HKCU\..\Run: [65786] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65786.cpl
O4 - HKCU\..\Run: [131472] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\131472.cpl
O4 - HKCU\..\Run: [65768] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65768.cpl
O4 - HKCU\..\Run: [Copernic Desktop Search 2] "C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe" /tray
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: Post-it® Software Notes.lnk = C:\Program Files\3M\PSNotes\PSNOTES.EXE
O4 - Startup: Real-time Monitor.lnk = ?
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.norun
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: www.providentcu.org
O15 - Trusted Zone: billpay.pscufs.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {29C13B62-B9F7-4CD3-8CEF-0A58A1A99441} - http://fdl.msn.com/public/chat/msnchat41.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleon/1.1.48-deleon/GoogleNav.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D1EF22C8-81B0-4631-8DA2-BEFC9739943E}: NameServer = 72.164.173.199,69.60.160.196
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Hi
Do you have windows auto updates on? Which process is using most CPU?
Well that online package will download needed parts, likely less than 300 megs.
Robert88
2007-05-17, 09:39
Windows is setup to download and install updates only after checking with me. (I have installed all but for the one that verifies that my copy of Windows is genuine. It is but I consider that intrusive.)
I installed Java Runtime Environment, and on later reboot, the computer offered update 1. In the 'add/remove programs' window, Java is listed as 88mb and the update as 134mb. I expect I have enough, but let me know if I need more.
I have not tried to solve the Canon communication issue yet.
On CPU usage, it has been more normal most of the day. When it was running at 100%, I did not know there was a way to find out which apps were using it. Looking at it now, it looks like Processes tab has that information in the CPU column.
No new virus appeared during normal use of the computer!
Here is the Avast report. The only thing I could find to copy was warning.log which reports on the last two weeks. I expect the only relevent information is from today. Hopefully everything is in deletable files. Let me know what to do to get rid of them. I did 'move to chest' as recommended by Avast.
5/4/2007 10:26:27 PM 1178342787 Robert James 1316 Sign of "Win32:VBStat-C [Trj]" has been found in "C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\sqrhohbp.dll" file.
5/5/2007 9:25:43 AM 1178382343 Robert James 1312 Sign of "Win32:VBStat-C [Trj]" has been found in "C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\gcpvswjb.dll" file.
5/5/2007 9:25:43 AM 1178382343 Robert James 1312 Sign of "Win32:VBStat-C [Trj]" has been found in "C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\gcpvswjb.dll" file.
5/5/2007 9:25:43 AM 1178382343 Robert James 1312 Sign of "Win32:VBStat-C [Trj]" has been found in "C:\WINDOWS\system32\gcpvswjb.dll" file.
5/5/2007 9:25:43 AM 1178382343 Robert James 1312 Sign of "Win32:VBStat-C [Trj]" has been found in "C:\WINDOWS\system32\gcpvswjb.dll" file.
5/5/2007 11:01:50 AM 1178388110 Robert James 1324 Sign of "Win32:VBStat-C [Trj]" has been found in "C:\WINDOWS\system32\gcpvswjb.dll" file.
5/6/2007 8:29:57 AM 1178465397 Robert James 1292 Sign of "Win32:VBStat-C [Trj]" has been found in "C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\kqgqowkp.dll" file.
5/6/2007 8:43:59 AM 1178466239 Robert James 1292 Sign of "Win32:VBStat-C [Trj]" has been found in "C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\buytcgqy.dll" file.
5/6/2007 9:44:47 AM 1178469887 Robert James 1312 Sign of "Win32:VBStat-C [Trj]" has been found in "C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\mcndeyxg.dll" file.
5/9/2007 7:08:24 AM 1178719704 Robert James 1332 Sign of "Win32:VBStat-C [Trj]" has been found in "C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\eaobfurd.dll" file.
5/9/2007 11:56:18 AM 1178736978 Robert James 1316 Sign of "Win32:VBStat-C [Trj]" has been found in "C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\nrrgkmwu.dll" file.
5/9/2007 11:57:32 AM 1178737052 Robert James 1316 Sign of "Win32:VBStat-C [Trj]" has been found in "C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\gdqkxylh.dll" file.
5/9/2007 9:56:53 PM 1178773013 Robert James 1380 Sign of "Win32:VBStat-C [Trj]" has been found in "C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\nckyvjos.dll" file.
5/9/2007 11:15:57 PM 1178777757 Robert James 1392 Sign of "Win32:VBStat-C [Trj]" has been found in "C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\sfvffvcb.dll" file.
5/10/2007 8:35:03 PM 1178854503 Robert James 1376 Sign of "Win32:VBStat-C [Trj]" has been found in "C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\qxelflfu.dll" file.
5/11/2007 8:08:55 AM 1178896135 SYSTEM 1396 Sign of "Win32:VBStat-C [Trj]" has been found in "C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\ycxtomjr.dll" file.
5/12/2007 10:49:18 PM 1179035358 Robert James 1376 Sign of "Win32:VBStat-C [Trj]" has been found in "C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\enpltdej.dll" file.
5/14/2007 11:10:15 AM 1179166215 Robert James 1336 Sign of "Win32:BHO-CT [Trj]" has been found in "C:\WINDOWS\SYSTEM32\pkcnybqs.dll" file.
5/16/2007 8:37:31 PM 1179373051 Robert James 168 Sign of "Win32:Rond-B [Trj]" has been found in "C:\System Volume Information\_restore{FF3E25E3-EFC2-4259-81CD-17E6D40BDCE3}\RP437\A0065059.exe" file.
5/16/2007 8:43:57 PM 1179373437 Robert James 168 Sign of "Win32:Rond-B [Trj]" has been found in "C:\System Volume Information\_restore{FF3E25E3-EFC2-4259-81CD-17E6D40BDCE3}\RP437\A0065219.exe" file.
5/16/2007 8:44:38 PM 1179373478 Robert James 168 Sign of "Win32:VBStat-C [Trj]" has been found in "C:\System Volume Information\_restore{FF3E25E3-EFC2-4259-81CD-17E6D40BDCE3}\RP438\A0065695.dll" file.
5/16/2007 8:48:08 PM 1179373688 Robert James 168 Sign of "Win32:VBStat-C [Trj]" has been found in "C:\System Volume Information\_restore{FF3E25E3-EFC2-4259-81CD-17E6D40BDCE3}\RP438\A0065696.dll" file.
5/16/2007 8:48:23 PM 1179373703 Robert James 168 Sign of "Win32:Virtumonde-G [Adw]" has been found in "C:\System Volume Information\_restore{FF3E25E3-EFC2-4259-81CD-17E6D40BDCE3}\RP439\A0065791.dll" file.
5/16/2007 8:48:40 PM 1179373720 Robert James 168 Sign of "Win32:Vundo-gen33 [Adw]" has been found in "C:\System Volume Information\_restore{FF3E25E3-EFC2-4259-81CD-17E6D40BDCE3}\RP439\A0065816.dll" file.
5/16/2007 8:48:53 PM 1179373733 Robert James 168 Sign of "Win32:Virtumonde-G [Adw]" has been found in "C:\System Volume Information\_restore{FF3E25E3-EFC2-4259-81CD-17E6D40BDCE3}\RP440\A0065844.dll" file.
5/16/2007 8:48:59 PM 1179373739 Robert James 168 Sign of "Win32:VBStat-C [Trj]" has been found in "C:\System Volume Information\_restore{FF3E25E3-EFC2-4259-81CD-17E6D40BDCE3}\RP440\A0065881.dll" file.
5/16/2007 8:51:56 PM 1179373916 Robert James 168 Sign of "Win32:Vundo-gen34 [Adw]" has been found in "C:\System Volume Information\_restore{FF3E25E3-EFC2-4259-81CD-17E6D40BDCE3}\RP450\A0068083.dll" file.
5/16/2007 8:54:35 PM 1179374075 Robert James 168 Sign of "Win32:Vundo-gen34 [Adw]" has been found in "C:\System Volume Information\_restore{FF3E25E3-EFC2-4259-81CD-17E6D40BDCE3}\RP450\A0068086.dll" file.
5/16/2007 8:54:59 PM 1179374099 Robert James 168 Sign of "Win32:Vundo-gen34 [Adw]" has been found in "C:\System Volume Information\_restore{FF3E25E3-EFC2-4259-81CD-17E6D40BDCE3}\RP450\A0068092.dll" file.
5/16/2007 8:58:07 PM 1179374287 Robert James 168 Sign of "Win32:Vundo-gen33 [Adw]" has been found in "C:\System Volume Information\_restore{FF3E25E3-EFC2-4259-81CD-17E6D40BDCE3}\RP450\A0068093.dll" file.
5/16/2007 8:58:19 PM 1179374299 Robert James 168 Sign of "Win32:BHO-CT [Trj]" has been found in "C:\System Volume Information\_restore{FF3E25E3-EFC2-4259-81CD-17E6D40BDCE3}\RP451\A0068158.dll" file.
5/16/2007 8:59:31 PM 1179374371 Robert James 168 Sign of "Win32:Vundo-gen34 [Adw]" has been found in "C:\VundoFix Backups\gebawtu.dll.bad" file.
5/16/2007 8:59:52 PM 1179374392 Robert James 168 Sign of "Win32:Vundo-gen34 [Adw]" has been found in "C:\VundoFix Backups\jkkkjhf.dll.bad" file.
5/16/2007 8:59:57 PM 1179374397 Robert James 168 Sign of "Win32:Vundo-gen34 [Adw]" has been found in "C:\VundoFix Backups\nnnkkkj.dll.bad" file.
5/16/2007 9:00:04 PM 1179374404 Robert James 168 Sign of "Win32:Vundo-gen33 [Adw]" has been found in "C:\VundoFix Backups\pmnnk.dll.bad" file.
Robert88
2007-05-17, 22:12
I am now having problems loading windows within Microsoft Internet Explorer. for example, clicking help from my ISP account, or going into a password-protected screen from my professional organization. In each case, it stopped responding. In each case, I needed a password to get as far as I did get.
Hi
Empty these folders:
C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp
C:\VundoFix Backups
Empty Recycle Bin
You can ignore all system volume information findings; that's system restore and I'll give you instructions how to clean it later.
As for IE problem, you may try to update to 7 version.
Still 100% CPU problem?
Robert88
2007-05-18, 17:25
I emptied the folders but for these two files that it said were in use by other programs. (I did not close startup programs such as Copernic desktop search, let me know if I should.)
58.tm
perflib_perdata_bc.dat
I had not upgraded to IE 7.0, concerned that it would run very slowly on this machine. Since the described problem occured only after updating Java, are there options within that program I could try first? How do I get to them?
Will test more for 100%CPU problem. Not a problem currently.
Thanks!
Hi
Those files are ok, you may try deleting them in safe mode if you like to.
You can then try to downgrade Java.
Robert88
2007-05-20, 08:27
I did delete those files while in safe mode.
I looked at Java on the control panel, and could not easily determine a way to adjust it.
My alternative plan is now to transfer my favorites to Mozilla Firefox (already installed) and use it as the default browser.
I will let you know when that is done and I assume it is best to remove IE.
Hi
Well it's not easy to remove IE from computer but yes you can start using Mozilla instead of tit :)
Robert88
2007-05-22, 10:32
I generally have not been having the 100% CPU problem.
I updated to Firefox 2. It works great.
Then I updated to IE 7.
I am still having a problem of IE becoming non-responsive at various times. Sometimes it is when I open a window within a window, as before.
If I close it prior to a problem, it does close properly, in that it is not still on the taskbar after closing, as IE 6 had been.
Any suggestions or testing suggested for IE 7 problems?
Perhaps the Sunbelt Personal Firewall is interfering?
Hi
Well, firewall might interfere but it shouldn't. Maybe you should contact Microsoft for that issue.
Robert88
2007-05-22, 10:59
I plan to switch to using Firefox. So if the IE 7 non-responsiveness does not indicate a virus/spyware problem, I am OK!
Anything else to do? Time to clean system restore?
Hi
No, it won't.
Then you're clean!
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update: Download the latest version of Java Runtime Environment (JRE) 6 Update 1 (http://java.sun.com/javase/downloads/index.jsp) and save it to your desktop.
Scroll down to where it says "Java Runtime Environment (JRE) 6u1...allows end-users to run Java applications".
Click the "Download" button to the right.
Read the License Agreement and then check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation and save the file to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u1-windows-i586-p.exe to install the newest version.
Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.
You can find instructions on how to enable and reenable system restore here:
Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)
Reenable system restore with instructions from tutorial above
Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
See this link for a listing of some online & their stand-alone antivirus programs:
Virus, Spyware, and Malware Protection and Removal Resources (http://www.bleepingcomputer.com/forums/topic405.html)
Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.
For a tutorial on Firewalls and a listing of some available ones see the link below:
Understanding and Using Firewalls (http://www.bleepingcomputer.com/tutorials/tutorial60.html)
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.
A tutorial on installing & using this product can be found here:
Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.
This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an anti virus software. A tutorial on installing & using this product can be found here:
Instructions for - Spybot S & D and Ad-aware (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.
Here are some additional utilities that will enhance your safety
IE/Spyad (http://www.spywarewarrior.com/uiuc/resource.htm) <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)
Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make difference!
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://castlecops.com/postlite7736-.html)
Happy surfing and stay clean!
Robert88
2007-05-22, 17:54
This is great news!
I think I already did the Java update step a few days ago. See post #22 dated 5/16/07. I had deleted the old Java first, then downloaded the offline version of JRE 6, and when I rebooted it automatically downloaded and asked me to install update 1.
Let me know if I still need to do the Java step you just listed.
Thanks again! I will follow the rest of the steps after I hear back.
Hi
Then of course not, my bad :)
Robert88
2007-05-27, 05:01
Thanks for the great work and giving me the spyware references. Something has slowed my Outlook program however. When I type, the letters do not appear immediately as they usually did. They are fine here and in Word. Also, it seems that tasks within Outlook, such as changing screens, are slower. Any ideas what may have slowed the responsiveness in Outlook?
Hi
You may try uninstalling/re-installing Outlook.
Robert88
2007-05-28, 03:40
I first uninstalled the spyware programs I believe I had installed recently, but Outlook was still slow.
Then, as you suggested, I uninstalled and reinstalled Outlook 2000. Same result.
Of course I could use Word or something to compose responses, and paste them into Outlook, or just type and deal with misspellings later.
Any other ideas? Any known conflicts with Outlook 2000 that might relate to the programs listed in the 'keep it clean' post?
Hi
No, I don't know any conflicts. I suggest contacting Microsoft for that issue.
Robert88
2007-05-29, 07:20
We somehow fixed Outlook. All the spyware and such is loaded. THANKS!
Hi
Glad to hear :)
Then just follow these (http://forums.spybot.info/showpost.php?p=87741&postcount=34) instructions if haven't done that already.
Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.
Everyone else please begin a New Topic.