Lingering recurrence of Virtumonde after Spybot run



owenisch
2007-10-19, 03:30
Hi forum,

I had experienced the usual IE window popups even while using another browser, which kept getting worse. As a first help I tried the Trend Micro HouseCall but the operation usually hung. Also ran Lavasoft Ad-Aware which maybe killed one virus called TSPY_Agent.AAYO.

Trend Micro spotted one ADW-Mirrar.AV among other viruses, which I understand is a PUP. Then I found, through a referral, Spybot S&D. I ran version 1.5.1.15 and it found and said it fixed several viruses - but then the Virtumonde showed up on additional scan checks. The message said to check with the forum.

My system is XP Home Ver. 2002 Service Pack 1 with what is termed hot fix SP2. I don't know why, but the hot fix doesn't show up on the system as the regular SP2.

Upon checking the forum, I saw there were requests to run certain programs before any posts.

So I loaded and ran the Kaspersky Scanner - it came up with a large file, it looked like to me. It registered 23 viruses. After I saved the log file IE froze up and I had to end it with Task Manager. I then entered safe mode and started Spybot (had to start it twice for some reason before it ran). It listed finding only the Virtumonde file (4 entries) and indicated it was fixed after that function was selected. Then I left safe mode. I then ran the HijackThis program - but from reading the forum I saw a suggestion that I should change the name of the HijackThis.exe file - so I did, and then ran it and saved the file.

I saw a request to paste in files, so I will try. While I'm not too familiar with virus repair - I have worked with computers - so some of it is unfamiliar.

Hopefully someone can explain how to proceed.

Thanks!

Kaspersky Report; Drive C: section

KASPERSKY ONLINE SCANNER REPORT
Thursday, October 18, 2007 5:55:11 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 18/10/2007
Kaspersky Anti-Virus database records: 438999
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 72415
Number of viruses found: 23
Number of infected objects: 151
Number of suspicious objects: 81
Duration of the scan process: 03:47:33

Infected Object Name / Virus Name / Last Action
C:\check_LSA7.txt Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Ozzie\.housecall6.6\Quarantine\core.sys.bac_a03528 Infected: Rootkit.Win32.Agent.eq skipped
C:\Documents and Settings\Ozzie\.housecall6.6\Quarantine\ebqdltdb.exe.bac_a03528 Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\Ozzie\.housecall6.6\Quarantine\ErrorSafeFreeInstallW[1].cab.bac_a00172/UERS_9999_N91S1502NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\Documents and Settings\Ozzie\.housecall6.6\Quarantine\ErrorSafeFreeInstallW[1].cab.bac_a00172 CAB: infected - 1 skipped
C:\Documents and Settings\Ozzie\.housecall6.6\Quarantine\ErrorSafeFreeInstallW[1].cab.bac_a00172 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\Ozzie\.housecall6.6\Quarantine\ErrorSafeFreeInstallW[1].cab.bac_a01548/UERS_9999_N91S1502NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\Documents and Settings\Ozzie\.housecall6.6\Quarantine\ErrorSafeFreeInstallW[1].cab.bac_a01548 CAB: infected - 1 skipped
C:\Documents and Settings\Ozzie\.housecall6.6\Quarantine\ErrorSafeFreeInstallW[1].cab.bac_a01548 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\Ozzie\.housecall6.6\Quarantine\ErrorSafeFreeInstallW[1].cab.bac_a01904/UERS_9999_N91S1502NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\Documents and Settings\Ozzie\.housecall6.6\Quarantine\ErrorSafeFreeInstallW[1].cab.bac_a01904 CAB: infected - 1 skipped
C:\Documents and Settings\Ozzie\.housecall6.6\Quarantine\ErrorSafeFreeInstallW[1].cab.bac_a01904 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\Ozzie\.housecall6.6\Quarantine\ErrorSafeFreeInstallW[1].cab.bac_a02788/UERS_9999_N91S1502NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\Documents and Settings\Ozzie\.housecall6.6\Quarantine\ErrorSafeFreeInstallW[1].cab.bac_a02788 CAB: infected - 1 skipped
C:\Documents and Settings\Ozzie\.housecall6.6\Quarantine\ErrorSafeFreeInstallW[1].cab.bac_a02788 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\Ozzie\.housecall6.6\Quarantine\ErrorSafeFreeInstallW[1].cab.bac_a03436/UERS_9999_N91S1502NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\Documents and Settings\Ozzie\.housecall6.6\Quarantine\ErrorSafeFreeInstallW[1].cab.bac_a03436 CAB: infected - 1 skipped
C:\Documents and Settings\Ozzie\.housecall6.6\Quarantine\ErrorSafeFreeInstallW[1].cab.bac_a03436 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\Ozzie\.housecall6.6\Quarantine\ErrorSafeFreeInstallW[1].cab.bac_a03528/UERS_9999_N91S1502NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\Documents and Settings\Ozzie\.housecall6.6\Quarantine\ErrorSafeFreeInstallW[1].cab.bac_a03528 CAB: infected - 1 skipped
C:\Documents and Settings\Ozzie\.housecall6.6\Quarantine\ErrorSafeFreeInstallW[1].cab.bac_a03528 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\Ozzie\.housecall6.6\Quarantine\ErrorSafeFreeInstallW[2].cab.bac_a03436/UERS_9999_N91S1502NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\Documents and Settings\Ozzie\.housecall6.6\Quarantine\ErrorSafeFreeInstallW[2].cab.bac_a03436 CAB: infected - 1 skipped
C:\Documents and Settings\Ozzie\.housecall6.6\Quarantine\ErrorSafeFreeInstallW[2].cab.bac_a03436 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\Ozzie\.housecall6.6\Quarantine\iixtghyh.exe.bac_a03436 Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\Ozzie\.housecall6.6\Quarantine\jaun_20070726[1].bac_a03528 Infected: Trojan.Win32.BHO.hj skipped
C:\Documents and Settings\Ozzie\.housecall6.6\Quarantine\jgawiluk.dll.bac_a03528 Infected: Trojan.Win32.BHO.hj skipped
C:\Documents and Settings\Ozzie\.housecall6.6\Quarantine\kacaujwx.exe.bac_a01904 Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\Ozzie\.housecall6.6\Quarantine\lkjh[1].bac_a03528 Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\Documents and Settings\Ozzie\.housecall6.6\Quarantine\lntilsph.exe.bac_a02788 Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\Ozzie\.housecall6.6\Quarantine\pwfbhexp.exe.bac_a03528 Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\Ozzie\.housecall6.6\Quarantine\qomkj.dll.bac_a03528 Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\Documents and Settings\Ozzie\.housecall6.6\Quarantine\rbwrpbct.exe.bac_a03528 Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\Ozzie\.housecall6.6\Quarantine\retadpu572.exe.bac_a03528 Infected: Trojan-Downloader.Win32.Agent.dvd skipped
C:\Documents and Settings\Ozzie\.housecall6.6\Quarantine\retadpu572.exe.tmp.bac_a03528 Infected: Trojan-Downloader.Win32.Agent.dvd skipped
C:\Documents and Settings\Ozzie\.housecall6.6\Quarantine\say8fb4a.php.bac_a03528/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.dct skipped
C:\Documents and Settings\Ozzie\.housecall6.6\Quarantine\say8fb4a.php.bac_a03528/stream Infected: Trojan-Downloader.Win32.Zlob.dct skipped
C:\Documents and Settings\Ozzie\.housecall6.6\Quarantine\say8fb4a.php.bac_a03528 NSIS: infected - 2 skipped
C:\Documents and Settings\Ozzie\.housecall6.6\Quarantine\say8fb4a.php.bac_a03528 CryptFF.b: infected - 2 skipped
C:\Documents and Settings\Ozzie\.housecall6.6\Quarantine\ukgktcau.exe.bac_a03436 Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\Ozzie\.housecall6.6\Quarantine\UWA7P_0001_N91M0809NetInstaller.exe.bac_a03528 Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\Documents and Settings\Ozzie\.housecall6.6\Quarantine\valera[1].bac_a01904 Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\Ozzie\.housecall6.6\Quarantine\valera[1].bac_a03436 Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\Ozzie\.housecall6.6\Quarantine\valera[1].bac_a03528 Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\Ozzie\.housecall6.6\Quarantine\wmgvkvvc.exe.bac_a03528 Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\Ozzie\.housecall6.6\Quarantine\yazzlesnet.exe.bac_a03528/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\Documents and Settings\Ozzie\.housecall6.6\Quarantine\yazzlesnet.exe.bac_a03528 NSIS: infected - 1 skipped
C:\Documents and Settings\Ozzie\.housecall6.6\Quarantine\yazzlesnet.exe.bac_a03528 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\Ozzie\Application Data\Mozilla\Profiles\default\usep8q5q.slt\Mail\postoffice.worldnet.att.net\Inbox/[From
[Could not fit all of file]

I'm pretty sure I had word wrap off on this. There was some extra time as I had a spare copy of an older operating system on the partitioned drive D, left there when I switched to a larger hard drive. I pretty much got all files out of it; so I would plan to delete it all asap. I don't know what/why the report found locked areas (what's that?), skipped areas, and how do I get rid of quarantined areas?

Next HJT report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:41:36 PM, on 10/18/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\Locator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.worldnet.att.net
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://netscape.aol.com/"); (C:\Documents and Settings\OZZIE\Application Data\Mozilla\Profiles\default\usep8q5q.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\OZZIE\Application Data\Mozilla\Profiles\default\usep8q5q.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0EDAD203-C9CD-4DD1-9AC6-EA40F50B684A} - (no file)
O2 - BHO: CSMHelperObj Class - {0F660F64-F4C9-477F-8529-44181B717472} - C:\Program Files\AT&T\WnClient\Programs\CSMBHO.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\System32\fdymcgmb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {CC0516E8-9977-419F-B9B3-E84D0C4ABF10} - C:\WINDOWS\System32\hgdcd.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\System32\mdqpqkwa.dll",sitypnow
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\System32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - C:\Program Files\AT&T\WnClient\Programs\AnyWho.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.worldnet.att.net
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/10d382795368a9ba3923/netzip/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_activex/en-US/TSEasyInstallX.CAB
O20 - Winlogon Notify: pmnopqo - C:\WINDOWS\SYSTEM32\pmnopqo.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 5828 bytes

Any thoughts on the above problem, with help or explanation, would be most appreciated.

Thanks again - owenisch
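The HijackThis log above contains the entry types that a log reader checks first when Virtumonde/Vundo is suspected: BHOs with no name that load from System32, a Run entry that starts a System32 DLL through rundll32, a Winlogon Notify DLL, and an ActiveX control downloaded from a bare IP address. The script below is an added example, not code from the poster, from Spybot or from HijackThis; it applies those checks to O2/O4/O16/O20 lines. The sample input is constructed from the log quoted in the post, and the severity labels and the vowel-ratio "random-looking name" heuristic are my own assumptions, meant to prioritise entries for review, not to declare them malicious.

```python
"""Triage of HijackThis-style log lines for Vundo/Virtumonde indicators.

Added example, not part of the forum post or of any tool it names.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: O2/O4/O16/O20 lines copied from the HijackThis log in the
# post above (raw string, so the backslashes are literal).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0EDAD203-C9CD-4DD1-9AC6-EA40F50B684A} - (no file)
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\System32\fdymcgmb.dll
O2 - BHO: (no name) - {CC0516E8-9977-419F-B9B3-E84D0C4ABF10} - C:\WINDOWS\System32\hgdcd.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\System32\mdqpqkwa.dll",sitypnow
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\System32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/10d382795368a9ba3923/netzip/RdxIE601.cab
O20 - Winlogon Notify: pmnopqo - C:\WINDOWS\SYSTEM32\pmnopqo.dll
"""


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O2"
    severity: str  # "high", "medium" or "low" (assumed labels, not tool output)
    reason: str
    line: str


VOWELS = set("aeiou")
IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# DLL argument handed to rundll32, with or without surrounding quotes.
RUNDLL_ARG = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?\.dll)"?', re.IGNORECASE)
URL_HOST = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


def in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()


def looks_random(path: str) -> bool:
    """Weak signal only: Vundo components tend to be short, vowel-poor letter strings."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if not stem.isalpha() or len(stem) < 5:
        return False
    vowels = sum(ch in VOWELS for ch in stem.lower())
    return vowels / len(stem) < 0.25


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if nothing stands out."""
    m = re.match(r"^(O\d+)\s+-\s+(.*)$", line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    target = body.split(" - ")[-1].strip()   # last " - " field is the file/URL

    if section == "O2":
        if target == "(no file)":
            return Finding(section, "low", "orphaned BHO registration (CLSID with no file)", line)
        if "(no name)" in body and in_system32(target):
            why = "unnamed BHO loaded from System32"
            if looks_random(target):
                why += ", random-looking filename"
            return Finding(section, "high", why, line)
    elif section == "O4":
        hit = RUNDLL_ARG.search(body)
        if hit and in_system32(hit.group(1)):
            why = "Run entry starts a System32 DLL through rundll32"
            if looks_random(hit.group(1)):
                why += ", random-looking filename"
            return Finding(section, "high", why, line)
    elif section == "O16":
        host = URL_HOST.search(body)
        if host and IPV4_HOST.match(host.group(1)):
            return Finding(section, "medium", "ActiveX control fetched from a bare IP address", line)
    elif section == "O20":
        if in_system32(target):
            return Finding(section, "high", "Winlogon Notify DLL in System32 (loads before the desktop)", line)
    return None


def triage(log_text: str) -> List[Finding]:
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line.strip()}")
```

Run against the sample it reports six entries: the orphaned BHO as low, the bare-IP download as medium, and the two unnamed System32 BHOs, the rundll32 Run entry and the Winlogon Notify DLL as high; the Adobe BHO, NeroCheck and the OfotoNow rundll32 entry (its DLL sits under Program Files, not System32) pass. The point of the rule set is to show which log sections carry the Vundo-style indicators, so that a reader can ask a helper about exactly those lines instead of the whole log.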

owenisch
2007-10-19, 03:45
(rest of Kaspersky scan report or what fits)

C:\Documents and Settings\Ozzie\Application Data\Mozilla\Profiles\default\usep8q5q.slt\Mail\postoffice.worldnet.att.net\Inbox/[From harris publishing <friends@planetall.com>][Date Tue, 26 Oct 1999 05:06:40 -0400]/text/[From "Joseph Wenisch" <jozzyw@alum.mit.edu>][Date Wed, 1 Dec 1999 12:29:04 -0700]/UNNAMED/[From Adrianne Wenisch <adriann2@seas.upenn.edu>][Date Sat, 6 May 2000 15:52:57 -0400 (EDT)]/text/[From clagrega@notes.cc.sunysb.edu][Date Fri, 19 Jan 2001 11:48:07 -0500]/text/[From "Jos ... /[From from 8bit to base64 by smtp.snet.net id f8EGeYt7002659][Date Fri, 14 Sep 2001 12:40:34 -0400 (EDT)]/FIXMAPI.EXE Infected: Email-Worm.Win32.Magistr.a skipped
C:\Documents and Settings\Ozzie\Application Data\Mozilla\Profiles\default\usep8q5q.slt\Mail\postoffice.worldnet.att.net\Inbox/[From harris publishing <friends@planetall.com>][Date Tue, 26 Oct 1999 05:06:40 -0400]/text/[From "Joseph Wenisch" <jozzyw@alum.mit.edu>][Date Wed, 1 Dec 1999 12:29:04 -0700]/UNNAMED/[From Adrianne Wenisch <adriann2@seas.upenn.edu>][Date Sat, 6 May 2000 15:52:57 -0400 (EDT)]/text/[From clagrega@notes.cc.sunysb.edu][Date Fri, 19 Jan 2001 11:48:07 -0500]/text/[From "Joseph Wenisch" <jozzyw@alum. ... /[From "Adrianne Wenisch" <awenisch@hotmail.com>][Date Thu, 13 Sep 2001 08:38:42 -0400]/text Infected: Email-Worm.Win32.Magistr.a skipped
C:\Documents and Settings\Ozzie\Application Data\Mozilla\Profiles\default\usep8q5q.slt\Mail\postoffice.worldnet.att.net\Inbox/[From harris publishing <friends@planetall.com>][Date Tue, 26 Oct 1999 05:06:40 -0400]/text/[From "Joseph Wenisch" <jozzyw@alum.mit.edu>][Date Wed, 1 Dec 1999 12:29:04 -0700]/UNNAMED/[From Adrianne Wenisch <adriann2@seas.upenn.edu>][Date Sat, 6 May 2000 15:52:57 -0400 (EDT)]/text/[From clagrega@notes.cc.sunysb.edu][Date Fri, 19 Jan 2001 11:48:07 -0500]/text/[From "Joseph Wenisch" <jozzyw@alum.mit.edu>][Date Thu, 30 Aug 2001 15:51:27 -0600]/text Infected: Email-Worm.Win32.Magistr.a skipped
C:\Documents and Settings\Ozzie\Application Data\Mozilla\Profiles\default\usep8q5q.slt\Mail\postoffice.worldnet.att.net\Inbox/[From harris publishing <friends@planetall.com>][Date Tue, 26 Oct 1999 05:06:40 -0400]/text/[From "Joseph Wenisch" <jozzyw@alum.mit.edu>][Date Wed, 1 Dec 1999 12:29:04 -0700]/UNNAMED/[From Adrianne Wenisch <adriann2@seas.upenn.edu>][Date Sat, 6 May 2000 15:52:57 -0400 (EDT)]/text/[From clagrega@notes.cc.sunysb.edu][Date Fri, 19 Jan 2001 11:48:07 -0500]/text/[From BleuMouse9@a ... /[From Measurement Comp ... /[From inkokubo <inkokubo@hotmail.com>][Date Tue, 24 Dec 2002 23:09:18 -0500]/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Ozzie\Application Data\Mozilla\Profiles\default\usep8q5q.slt\Mail\postoffice.worldnet.att.net\Inbox/[From harris publishing <friends@planetall.com>][Date Tue, 26 Oct 1999 05:06:40 -0400]/text/[From "Joseph Wenisch" <jozzyw@alum.mit.edu>][Date Wed, 1 Dec 1999 12:29:04 -0700]/UNNAMED/[From Adrianne Wenisch <adriann2@seas.upenn.edu>][Date Sat, 6 May 2000 15:52:57 -0400 (EDT)]/text/[From clagrega@notes.cc.sunysb.edu][Date Fri, 19 Jan 2001 11:48:07 -0500]/text/[From BleuMouse9@a ... /[From Measurement Comp ... /[From "Martha" <martha7920a@c4.com>][Date Mon, 23 Dec 2002 3:53:18 PM -0800]/text Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Ozzie\Application Data\Mozilla\Profiles\default\usep8q5q.slt\Mail\postoffice.worldnet.att.net\Inbox/[From harris publishing <friends@planetall.com>][Date Tue, 26 Oct 1999 05:06:40 -0400]/text/[From "Joseph Wenisch" <jozzyw@alum.mit.edu>][Date Wed, 1 Dec 1999 12:29:04 -0700]/UNNAMED/[From Adrianne Wenisch <adriann2@seas.upenn.edu>][Date Sat, 6 May 2000 15:52:57 -0400 (EDT)]/text/[From clagrega@notes.cc.sunysb.edu][Date Fri, 19 Jan 2001 11:48:07 -0500]/text/[From BleuMouse9@a ... /[From Measurement Computing enews<enews@measurementcomputing.com>][Date Mon, Dec 23 2002 14:12 -0600]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Ozzie\Application Data\Mozilla\Profiles\default\usep8q5q.slt\Mail\postoffice.worldnet.att.net\Inbox/[From harris publishing <friends@planetall.com>][Date Tue, 26 Oct 1999 05:06:40 -0400]/text/[From "Joseph Wenisch" <jozzyw@alum.mit.edu>][Date Wed, 1 Dec 1999 12:29:04 -0700]/UNNAMED/[From Adrianne Wenisch <adriann2@seas.upenn.edu>][Date Sat, 6 May 2000 15:52:57 -0400 (EDT)]/text/[From clagrega@notes.cc.sunysb.edu][Date Fri, 19 Jan 2001 11:48:07 -0500]/text/[From BleuMouse9@aol.com][Date ... /[From Copy DVDs <Copy_DVDs@355-16A80D8.idsbi.com>][Date Sun, 22 Dec 2002 21:42:32 -0700]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Ozzie\Application Data\Mozilla\Profiles\default\usep8q5q.slt\Mail\postoffice.worldnet.att.net\Inbox/[From harris publishing <friends@planetall.com>][Date Tue, 26 Oct 1999 05:06:40 -0400]/text/[From "Joseph Wenisch" <jozzyw@alum.mit.edu>][Date Wed, 1 Dec 1999 12:29:04 -0700]/UNNAMED/[From Adrianne Wenisch <adriann2@seas.upenn.edu>][Date Sat, 6 May 2000 15:52:57 -0400 (EDT)]/text/[From clagrega@notes.cc.sunysb.edu][Date Fri, 19 Jan 2001 11:48:07 -0500]/text/[From BleuMouse9@aol. ... /[From The Coopt Networ ... /[From jo-ryan <jo-ryan@xtra.co.nz>][Date Mon, 30 Dec 2002 20:14:33 -0500]/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Ozzie\Application Data\Mozilla\Profiles\default\usep8q5q.slt\Mail\postoffice.worldnet.att.net\Inbox/[From harris publishing <friends@planetall.com>][Date Tue, 26 Oct 1999 05:06:40 -0400]/text/[From "Joseph Wenisch" <jozzyw@alum.mit.edu>][Date Wed, 1 Dec 1999 12:29:04 -0700]/UNNAMED/[From Adrianne Wenisch <adriann2@seas.upenn.edu>][Date Sat, 6 May 2000 15:52:57 -0400 (EDT)]/text/[From clagrega@notes.cc.sunysb.edu][Date Fri, 19 Jan 2001 11:48:07 -0500]/text/[From BleuMouse9@aol. ... ... /[From =?GB231 ... /[From CESAR2000 <CESAR2000@BIGPOND.COM>][Date Fri, 3 Jan 2003 08:05:59 -0500]/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Ozzie\Application Data\Mozilla\Profiles\default\usep8q5q.slt\Mail\postoffice.worldnet.att.net\Inbox/[From harris publishing <friends@planetall.com>][Date Tue, 26 Oct 1999 05:06:40 -0400]/text/[From "Joseph Wenisch" <jozzyw@alum.mit.edu>][Date Wed, 1 Dec 1999 12:29:04 -0700]/UNNAMED/[From Adrianne Wenisch <adriann2@seas.upenn.edu>][Date Sat, 6 May 2000 15:52:57 -0400 (EDT)]/text/[From clagrega@notes.cc.sunysb.edu][Date Fri, 19 Jan 2001 11:48:07 -0500]/text/[From BleuMouse9@aol. ... ... /[From =?GB2312?B?tqvTs8nM0rXJ49Ow?= <vitalityvc@yahoo.com>][Date Fri, 3 Jan 2003 18:57:33 +0800]/text Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Ozzie\Application Data\Mozilla\Profiles\default\usep8q5q.slt\Mail\postoffice.worldnet.att.net\Inbox/[From harris publishing <friends@planetall.com>][Date Tue, 26 Oct 1999 05:06:40 -0400]/text/[From "Joseph Wenisch" <jozzyw@alum.mit.edu>][Date Wed, 1 Dec 1999 12:29:04 -0700]/UNNAMED/[From Adrianne Wenisch <adriann2@seas.upenn.edu>][Date Sat, 6 May 2000 15:52:57 -0400 (EDT)]/text/[From clagrega@notes.cc.sunysb.edu][Date Fri, 19 Jan 2001 11:48:07 -0500]/text/[From BleuMouse9@aol. ... /[From The Coopt Network <bannersgomlm@coopt.dealsoffer.com>][Date Mon, 30 Dec 2002 19:07:57 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Ozzie\Application Data\Mozilla\Profiles\default\usep8q5q.slt\Mail\postoffice.worldnet.att.net\Inbox/[From harris publishing <friends@planetall.com>][Date Tue, 26 Oct 1999 05:06:40 -0400]/text/[From "Joseph Wenisch" <jozzyw@alum.mit.edu>][Date Wed, 1 Dec 1999 12:29:04 -0700]/UNNAMED/[From Adrianne Wenisch <adriann2@seas.upenn.edu>][Date Sat, 6 May 2000 15:52:57 -0400 (EDT)]/text/[From clagrega@notes.cc.sunysb.edu][Date Fri, 19 Jan 2001 11:48:07 -0500]/text/[From BleuMouse9@aol.com][Date ... /[From The Eastwood Company <eastwood@updatemyemail.com>][Date Wed, 21 Aug 2002 21:31:41]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Ozzie\Application Data\Mozilla\Profiles\default\usep8q5q.slt\Mail\postoffice.worldnet.att.net\Inbox/[From harris publishing <friends@planetall.com>][Date Tue, 26 Oct 1999 05:06:40 -0400]/text/[From "Joseph Wenisch" <jozzyw@alum.mit.edu>][Date Wed, 1 Dec 1999 12:29:04 -0700]/UNNAMED/[From Adrianne Wenisch <adriann2@seas.upenn.edu>][Date Sat, 6 May 2000 15:52:57 -0400 (EDT)]/text/[From clagrega@notes.cc.sunysb.edu][Date Fri, 19 Jan 2001 11:48:07 -0500]/text/[From BleuMouse9@aol.com][Date Mon, 21 Ja ... /[From "Just Doit" <justdoit@payforlife.com>][Date Fri, 5 Apr 2002 18:05:53 -0800]/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Ozzie\Application Data\Mozilla\Profiles\default\usep8q5q.slt\Mail\postoffice.worldnet.att.net\Inbox/[From harris publishing <friends@planetall.com>][Date Tue, 26 Oct 1999 05:06:40 -0400]/text/[From "Joseph Wenisch" <jozzyw@alum.mit.edu>][Date Wed, 1 Dec 1999 12:29:04 -0700]/UNNAMED/[From Adrianne Wenisch <adriann2@seas.upenn.edu>][Date Sat, 6 May 2000 15:52:57 -0400 (EDT)]/text/[From clagrega@notes.cc.sunysb.edu][Date Fri, 19 Jan 2001 11:48:07 -0500]/text/[From BleuMouse9@aol.com][Date Mon, 21 Jan ... /[From JESSE ALDABA <jaldab@optonline.net>][Date Thu, 28 Mar 2002 09:58:12 -0500]/text Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Ozzie\Application Data\Mozilla\Profiles\default\usep8q5q.slt\Mail\postoffice.worldnet.att.net\Inbox/[From harris publishing <friends@planetall.com>][Date Tue, 26 Oct 1999 05:06:40 -0400]/text/[From "Joseph Wenisch" <jozzyw@alum.mit.edu>][Date Wed, 1 Dec 1999 12:29:04 -0700]/UNNAMED/[From Adrianne Wenisch <adriann2@seas.upenn.edu>][Date Sat, 6 May 2000 15:52:57 -0400 (EDT)]/text/[From clagrega@notes.cc.sunysb.edu][Date Fri, 19 Jan 2001 11:48:07 -0500]/text/[From BleuMouse9@aol.com][Date Mon, 21 Jan 2002 20:09:18 EST]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Ozzie\Application Data\Mozilla\Profiles\default\usep8q5q.slt\Mail\postoffice.worldnet.att.net\Inbox/[From harris publishing <friends@planetall.com>][Date Tue, 26 Oct 1999 05:06:40 -0400]/text/[From "Joseph Wenisch" <jozzyw@alum.mit.edu>][Date Wed, 1 Dec 1999 12:29:04 -0700]/UNNAMED/[From Adrianne Wenisch <adriann2@seas.upenn.edu>][Date Sat, 6 May 2000 15:52:57 -0400 (EDT)]/text/[From clagrega@notes.cc.sunysb.edu][Date Fri, 19 Jan 2001 11:48:07 -0500]/text Infected: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Ozzie\Application Data\Mozilla\Profiles\default\usep8q5q.slt\Mail\postoffice.worldnet.att.net\Inbox/[From harris publishing <friends@planetall.com>][Date Tue, 26 Oct 1999 05:06:40 -0400]/text/[From "Joseph Wenisch" <jozzyw@alum.mit.edu>][Date Wed, 1 Dec 1999 12:29:04 -0700]/UNNAMED/[From Adrianne Wenisch <adriann2@seas.upenn.edu>][Date Sat, 6 May 2000 15:52:57 -0400 (EDT)]/text Infected: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Ozzie\Application Data\Mozilla\Profiles\default\usep8q5q.slt\Mail\postoffice.worldnet.att.net\Inbox/[From harris publishing <friends@planetall.com>][Date Tue, 26 Oct 1999 05:06:40 -0400]/text/[From "Joseph Wenisch" <jozzyw@alum.mit.edu>][Date Wed, 1 Dec 1999 12:29:04 -0700]/UNNAMED Infected: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Ozzie\Application Data\Mozilla\Profiles\default\usep8q5q.slt\Mail\postoffice.worldnet.att.net\Inbox/[From harris publishing <friends@planetall.com>][Date Tue, 26 Oct 1999 05:06:40 -0400]/text Infected: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Ozzie\Application Data\Mozilla\Profiles\default\usep8q5q.slt\Mail\postoffice.worldnet.att.net\Inbox/[From "Jodee Roesner" <janzen@keromail.com>][Date Sat, 24 Feb 2001 20:18:01 -0800]/html/[From "Patagonia" <Patagonia_News@email.patagonia.com>][Date Wed, 8 Jan 2003 13:42:24 -0500 (EST)]/text/[From =?GB2312?B?zOy1wLPqx9o=?= <info@teamdo.com.cn>][Date Thu, 9 Jan 2003 14:13:51 +0800]/html/[From Patricia Brown <PatriciaBrown@secureprivatepays.net>][Date 09 Jan 2003 18:48:46 -0800]/html/[From ... /[ ... /[From yangyuyue@hotmail.com][Date Tue, 21 Jan 2003 18:45:25 +0800]/群发搜索一体软件.EXE Infected: Trojan-PSW.Win32.QQPass.598 skipped
C:\Documents and Settings\Ozzie\Application Data\Mozilla\Profiles\default\usep8q5q.slt\Mail\postoffice.worldnet.att.net\Inbox/[From "Jodee Roesner" <janzen@keromail.com>][Date Sat, 24 Feb 2001 20:18:01 -0800]/html/[From "Patagonia" <Patagonia_News@email.patagonia.com>][Date Wed, 8 Jan 2003 13:42:24 -0500 (EST)]/text/[From =?GB2312?B?zOy1wLPqx9o=?= <info@teamdo.com.cn>][Date Thu, 9 Jan 2003 14:13:51 +0800]/html/[From Patricia Brown <PatriciaBrown@secureprivatepays.net>][Date 09 Jan 2003 18:48:46 -0800]/html/[From ... /[From Brian Schumacher <admin-n@offercheck.com>][Date Mon, 20 Jan 2003 20:16:53 -0400]/UNNAMED Infected: Trojan-PSW.Win32.QQPass.598 skipped
C:\Documents and Settings\Ozzie\Application Data\Mozilla\Profiles\default\usep8q5q.slt\Mail\postoffice.worldnet.att.net\Inbox/[From "Jodee Roesner" <janzen@keromail.com>][Date Sat, 24 Feb 2001 20:18:01 -0800]/html/[From "Patagonia" <Patagonia_News@email.patagonia.com>][Date Wed, 8 Jan 2003 13:42:24 -0500 (EST)]/text/[From =?GB2312?B?zOy1wLPqx9o=?= <info@teamdo.com.cn>][Date Thu, 9 Jan 2003 14:13:51 +0800]/html/[From Patricia Brown <PatriciaBrown@secureprivatepays.net>][Date 09 Jan 2003 18:48:46 -0800]/html/[From "G ... /[From "Ellen Reid" ... /[From CandCBalance@aol.com][Date Mon, 20 Jan 2003 14:52:40 EST]/text Infected: Trojan-PSW.Win32.QQPass.598 skipped
C:\Documents and Settings\Ozzie\Application Data\Mozilla\Profiles\default\usep8q5q.slt\Mail\postoffice.worldnet.att.net\Inbox/[From "Jodee Roesner" <janzen@keromail.com>][Date Sat, 24 Feb 2001 20:18:01 -0800]/html/[From "Patagonia" <Patagonia_News@email.patagonia.com>][Date Wed, 8 Jan 2003 13:42:24 -0500 (EST)]/text/[From =?GB2312?B?zOy1wLPqx9o=?= <info@teamdo.com.cn>][Date Thu, 9 Jan 2003 14:13:51 +0800]/html/[From Patricia Brown <PatriciaBrown@secureprivatepays.net>][Date 09 Jan 2003 18:48:46 -0800]/html/[From "G ... /[From "Ellen Reid" ... /[From wenisch@att.net][Date Mon, 20 Jan 2003 18:23:16 +0000]/UNNAMED Infected: Trojan-PSW.Win32.QQPass.598 skipped
C:\Documents and Settings\Ozzie\Application Data\Mozilla\Profiles\default\usep8q5q.slt\Mail\postoffice.worldnet.att.net\Inbox/[From "Jodee Roesner" <janzen@keromail.com>][Date Sat, 24 Feb 2001 20:18:01 -0800]/html/[From "Patagonia" <Patagonia_News@email.patagonia.com>][Date Wed, 8 Jan 2003 13:42:24 -0500 (EST)]/text/[From =?GB2312?B?zOy1wLPqx9o=?= <info@teamdo.com.cn>][Date Thu, 9 Jan 2003 14:13:51 +0800]/html/[From Patricia Brown <PatriciaBrown@secureprivatepays.net>][Date 09 Jan 2003 18:48:46 -0800]/html/[From "G ... /[From "Ellen Reid" <ellenreidxwcn@europe.com>][Date Mon, 20 Jan 2003 01:10:47 +1200]/UNNAMED Infected: Trojan-PSW.Win32.QQPass.598 skipped
C:\Documents and Settings\Ozzie\Application Data\Mozilla\Profiles\default\usep8q5q.slt\Mail\postoffice.worldnet.att.net\Inbox/[From "Jodee Roesner" <janzen@keromail.com>][Date Sat, 24 Feb 2001 20:18:01 -0800]/html/[From "Patagonia" <Patagonia_News@email.patagonia.com>][Date Wed, 8 Jan 2003 13:42:24 -0500 (EST)]/text/[From =?GB2312?B?zOy1wLPqx9o=?= <info@teamdo.com.cn>][Date Thu, 9 Jan 2003 14:13:51 +0800]/html/[From Patricia Brown <PatriciaBrown@secureprivatepays.net>][Date 09 Jan 2003 18:48:46 -0800]/html/[From "Ga ... ... /[From "Bo Wallace" <nicasia764@keromail.com>][Date Fri, 4 Jan 2002 09:10:10 -0800]/html Infected: Trojan-PSW.Win32.QQPass.598 skipped
C:\Documents and Settings\Ozzie\Application Data\Mozilla\Profiles\default\usep8q5q.slt\Mail\postoffice.worldnet.att.net\Inbox/[From "Jodee Roesner" <janzen@keromail.com>][Date Sat, 24 Feb 2001 20:18:01 -0800]/html/[From "Patagonia" <Patagonia_News@email.patagonia.com>][Date Wed, 8 Jan 2003 13:42:24 -0500 (EST)]/text/[From =?GB2312?B?zOy1wLPqx9o=?= <info@teamdo.com.cn>][Date Thu, 9 Jan 2003 14:13:51 +0800]/html/[From Patricia Brown <PatriciaBrown@secureprivatepays.net>][Date 09 Jan 2003 18:48:46 -0800]/html/[From "Ga ... /[From "Joseph Wenisch" <jozzyw@alum.mit.edu>][Date Sat, 18 Jan 2003 09:32:47 +0545]/UNNAMED Infected: Trojan-PSW.Win32.QQPass.598 skipped
C:\Documents and Settings\Ozzie\Application Data\Mozilla\Profiles\default\usep8q5q.slt\Mail\postoffice.worldnet.att.net\Inbox/[From "Jodee Roesner" <janzen@keromail.com>][Date Sat, 24 Feb 2001 20:18:01 -0800]/html/[From "Patagonia" <Patagonia_News@email.patagonia.com>][Date Wed, 8 Jan 2003 13:42:24 -0500 (EST)]/text/[From =?GB2312?B?zOy1wLPqx9o=?= <info@teamdo.com.cn>][Date Thu, 9 Jan 2003 14:13:51 +0800]/html/[From Patricia Brown <PatriciaBrown@secureprivatepays.net>][Date 09 Jan 2003 18:48:46 -0800]/html/[From "Garry Johnston" <shashy@yourwap.com>][Date Fri, 17 Jan 2003 17:32:39 -0800]/html Infected: Trojan-PSW.Win32.QQPass.598 skipped
C:\Documents and Settings\Ozzie\Application Data\Mozilla\Profiles\default\usep8q5q.slt\Mail\postoffice.worldnet.att.net\Inbox/[From "Jodee Roesner" <janzen@keromail.com>][Date Sat, 24 Feb 2001 20:18:01 -0800]/html/[From "Patagonia" <Patagonia_News@email.patagonia.com>][Date Wed, 8 Jan 2003 13:42:24 -0500 (EST)]/text/[From =?GB2312?B?zOy1wLPqx9o=?= <info@teamdo.com.cn>][Date Thu, 9 Jan 2003 14:13:51 +0800]/html/[From Patricia Brown <PatriciaBrown@secureprivatepays.net>][Date 09 Jan 2003 18:48:46 -0800]/html Infected: Trojan-PSW.Win32.QQPass.598 skipped
C:\Documents and Settings\Ozzie\Application Data\Mozilla\Profiles\default\usep8q5q.slt\Mail\postoffice.worldnet.att.net\Inbox/[From "Jodee Roesner" <janzen@keromail.com>][Date Sat, 24 Feb 2001 20:18:01 -0800]/html/[From "Patagonia" <Patagonia_News@email.patagonia.com>][Date Wed, 8 Jan 2003 13:42:24 -0500 (EST)]/text/[From =?GB2312?B?zOy1wLPqx9o=?= <info@teamdo.com.cn>][Date Thu, 9 Jan 2003 14:13:51 +0800]/html Infected: Trojan-PSW.Win32.QQPass.598 skipped
C:\Documents and Settings\Ozzie\Application Data\Mozilla\Profiles\default\usep8q5q.slt\Mail\postoffice.worldnet.att.net\Inbox/[From "Jodee Roesner" <janzen@keromail.com>][Date Sat, 24 Feb 2001 20:18:01 -0800]/html/[From "Patagonia" <Patagonia_News@email.patagonia.com>][Date Wed, 8 Jan 2003 13:42:24 -0500 (EST)]/text Infected: Trojan-PSW.Win32.QQPass.598 skipped
C:\Documents and Settings\Ozzie\Application Data\Mozilla\Profiles\default\usep8q5q.slt\Mail\postoffice.worldnet.att.net\Inbox/[From "Jodee Roesner" <janzen@keromail.com>][Date Sat, 24 Feb 2001 20:18:01 -0800]/html Infected: Trojan-PSW.Win32.QQPass.598 skipped
C:\Documents and Settings\Ozzie\Application Data\Mozilla\Profiles\default\usep8q5q.slt\Mail\postoffice.worldnet.att.net\Inbox Mail Berkeley mbox: infected - 19, suspicious - 12 skipped
C:\Documents and Settings\Ozzie\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Ozzie\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Ozzie\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped


That's about all that would fit in two posts. The rest of drive C: and the old operating system, plus more emails on drive partition D:, are not pasted here.

Hope this helps - owenisch

Rorschach112
2007-10-24, 08:28
Hello owenisch, sorry for the delay. My name is Rorschach and I'll be helping you with your problems.


While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

Open Spybot Search & Destroy.
In the Mode menu click "Advanced mode" if not already selected.
Choose "Yes" at the Warning prompt.
Expand the "Tools" menu.
Click "Resident".
Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
In the File menu click "Exit" to exit Spybot Search & Destroy.



1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.


Reboot your PC and do the following:

Download WinPFind3U.exe (http://download.bleepingcomputer.com/oldtimer/winpfind3u.exe) to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
Under Additional Scans on the bottom right, check the box for Reg - Disabled MS Config Items
Now click the Run Scan button on the toolbar.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.

owenisch
2007-10-24, 18:57
Dear Rorschach112,
Thank you for your reply on this problem. I have run the additional programs combofix.exe and WinPFind3U.exe after deactivation of "teatimer". The results are pasted as follows:

ComboFix 07-10-23.1 - Ozzie 2007-10-24 11:43:42.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.43 [GMT -4:00]
Running from: C:\Documents and Settings\Ozzie\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\temp\0c2
C:\temp\0c2\tmpFF.log
C:\temp\brr
C:\temp\tn3
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\aevlwbbc.dll
C:\WINDOWS\system32\b02FdUe
C:\WINDOWS\system32\b02FdUe\b02FdUe1065.exe
C:\WINDOWS\system32\cbbwlvea.ini
C:\WINDOWS\system32\dcdgh.bak1
C:\WINDOWS\system32\dcdgh.bak2
C:\WINDOWS\system32\dcdgh.ini
C:\WINDOWS\system32\fdymcgmb.dll
C:\WINDOWS\system32\hgdcd.dll
C:\WINDOWS\system32\hsejqhod.exe
C:\WINDOWS\system32\jsbyvhym.ini
C:\WINDOWS\system32\miewejal.exe
C:\WINDOWS\system32\myhvybsj.dll
C:\WINDOWS\system32\ofuedmgq.exe
C:\WINDOWS\system32\pmnopqo.dll
C:\WINDOWS\system32\qxwdiabu.dll
C:\WINDOWS\system32\rpmxkilx.dll
C:\WINDOWS\system32\sbcwlygq.exe
C:\WINDOWS\system32\xlikxmpr.ini
C:\WINDOWS\tsitra572.exe
C:\WINDOWS\wr.txt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService
-------\nm


((((((((((((((((((((((((( Files Created from 2007-09-24 to 2007-10-24 )))))))))))))))))))))))))))))))
.

2007-10-24 11:41 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-24 10:24 84,544 --a------ C:\WINDOWS\system32\omwiojnk.dll
2007-10-18 13:49 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-16 15:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-16 15:10 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-16 13:07 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-10-11 15:45 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-10 17:51 <DIR> d-------- C:\WINDOWS\system32\bits
2007-10-10 17:49 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-10-10 17:49 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-10-10 14:45 <DIR> d-------- C:\Documents and Settings\Ozzie\Application Data\HouseCall 6.6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-07 12:06 --------- d-----w C:\Program Files\Google
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 23:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-29 15:04 17,608 ----a-w C:\Documents and Settings\Ozzie\Application Data\GDIPFONTCACHEV1.DAT
2007-05-02 16:40 10,997 ----a-w C:\Program Files\HPSETUP.LOG
2007-05-02 16:38 5,324,500 ----a-w C:\Program Files\x0.isf
2007-05-02 16:38 2,661,500 ----a-w C:\Program Files\r0.isf
2007-05-02 16:38 2,661,500 ----a-w C:\Program Files\g0.isf
2007-05-02 16:38 2,661,500 ----a-w C:\Program Files\b0.isf
2006-12-23 23:12 17,608 ----a-w C:\Documents and Settings\Guest\Application Data\GDIPFONTCACHEV1.DAT
2003-01-09 21:57 17,216 ----a-w C:\Documents and Settings\Christopher\Application Data\GDIPFONTCACHEV1.DAT
2007-07-16 17:37:59 6,369 --sha-w C:\WINDOWS\system32\jkmoq.bak1
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0EDAD203-C9CD-4DD1-9AC6-EA40F50B684A}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"AGRSMMSG"="AGRSMMSG.exe" [2002-04-18 23:27 C:\WINDOWS\AGRSMMSG.exe]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 07:50]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2002-07-17 08:59]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2002-07-17 08:45]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-04-24 09:14]
"28425a48"="C:\WINDOWS\System32\omwiojnk.dll" [2007-10-24 10:24]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 16:08]
"OfotoNow USB Detection"="C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL" [2002-11-05 10:32]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
@=

R3 ne2000;Novell/Eagle NE2000 Adapter Driver;C:\WINDOWS\System32\DRIVERS\ne2000.sys
S3 epstw2k;SCM Parallel Port SCSI Driver;C:\WINDOWS\System32\DRIVERS\epstw2k.sys
S3 iAimFP8;iAimFP8;C:\WINDOWS\System32\DRIVERS\wADV11nt.sys
S3 scsiscan;SCSI Scanner Driver;C:\WINDOWS\System32\DRIVERS\scsiscan.sys

.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-24 11:51:03
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-24 11:52:33 - machine was rebooted
.
--- E O F ---

WinPFind3 logfile created on: 10/24/2007 12:12:40 PM
WinPFind3U by OldTimer - Version 1.0.42 Folder = C:\Documents and Settings\Ozzie\Desktop\WinPFind3u\
Microsoft Windows XP Service Pack 1 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2800.1106)

158.42 Mb Total Physical Memory | 56.97 Mb Available Physical Memory | 35.96% Memory free
386.50 Mb Paging File | 257.91 Mb Available in Paging File | 66.73% Paging File free
Paging file location(s): C:\pagefile.sys 240 480;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 19.55 Gb Total Space | 11.66 Gb Free Space | 59.66% Space Free
Drive D: | 17.71 Gb Total Space | 15.67 Gb Free Space | 88.48% Space Free
E: Drive not present or media not loaded
F: Drive not present or media not loaded

Computer Name: WENISCH-HOME
Current User Name: Ozzie
Logged in as Administrator.
Current Boot Mode: Normal


[Processes - Non-Microsoft Only]
aawservice.exe -> %ProgramFiles%\Lavasoft\Ad-Aware 2007\aawservice.exe -> Lavasoft AB [Ver = 7, 0, 2, 3 | Size = 574808 bytes | Modified Date = 9/25/2007 9:00:46 AM | Attr = ]
acrotray.exe -> %ProgramFiles%\Adobe\Acrobat 6.0\Distillr\acrotray.exe -> Adobe Systems Inc. [Ver = 6.0.0.2003051500 | Size = 217193 bytes | Modified Date = 5/15/2003 2:19:50 AM | Attr = ]
agrsmmsg.exe -> %SystemRoot%\AGRSMMSG.exe -> Agere Systems [Ver = 2.1.12 2.1.12 04/19/2002 11:27:35 | Size = 87039 bytes | Modified Date = 4/18/2002 11:27:36 PM | Attr = R ]
hkcmd.exe -> %System32%\hkcmd.exe -> Intel Corporation [Ver = 3,0,0,1757 | Size = 90112 bytes | Modified Date = 7/17/2002 8:45:02 AM | Attr = ]
realsched.exe -> %CommonProgramFiles%\Real\Update_OB\realsched.exe -> RealNetworks, Inc. [Ver = 0.1.0.3510 | Size = 180269 bytes | Modified Date = 4/24/2006 9:14:44 AM | Attr = ]
winpfind3u.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.42.0 | Size = 322560 bytes | Modified Date = 9/4/2007 10:47:26 AM | Attr = ]

[Win32 Services - Non-Microsoft Only]
(aawservice) Ad-Aware 2007 Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Lavasoft\Ad-Aware 2007\aawservice.exe -> Lavasoft AB [Ver = 7, 0, 2, 3 | Size = 574808 bytes | Modified Date = 9/25/2007 9:00:46 AM | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.0.503.0 | Size = 204800 bytes | Modified Date = 8/29/2002 8:00:00 AM | Attr = ]
(gusvc) Google Updater Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe -> Google [Ver = 2.0.734.29932.beta | Size = 138168 bytes | Modified Date = 10/6/2007 10:21:32 PM | Attr = ]

[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
28425a48 -> %System32%\omwiojnk.dll [rundll32.exe "C:\WINDOWS\System32\omwiojnk.dll",b] -> [Ver = | Size = 84544 bytes | Modified Date = 10/24/2007 10:24:12 AM | Attr = ]
AGRSMMSG -> %SystemRoot%\AGRSMMSG.exe -> Agere Systems [Ver = 2.1.12 2.1.12 04/19/2002 11:27:35 | Size = 87039 bytes | Modified Date = 4/18/2002 11:27:36 PM | Attr = R ]
HotKeysCmds -> %System32%\hkcmd.exe -> Intel Corporation [Ver = 3,0,0,1757 | Size = 90112 bytes | Modified Date = 7/17/2002 8:45:02 AM | Attr = ]
IgfxTray -> %System32%\igfxtray.exe -> Intel Corporation [Ver = 3,0,0,1757 | Size = 143360 bytes | Modified Date = 7/17/2002 8:59:48 AM | Attr = ]
NeroCheck -> %System32%\NeroCheck.exe -> Ahead Software Gmbh [Ver = 1, 0, 0, 2 | Size = 155648 bytes | Modified Date = 7/9/2001 7:50:42 AM | Attr = R ]
TkBellExe -> %CommonProgramFiles%\Real\Update_OB\realsched.exe -> RealNetworks, Inc. [Ver = 0.1.0.3510 | Size = 180269 bytes | Modified Date = 4/24/2006 9:14:44 AM | Attr = ]
< OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ ->
IMAIL -> Installed = 1 ->
MAPI -> Installed = 1 ->
MSFS -> Installed = 1 ->
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
OfotoNow USB Detection -> C:\Program Files\Ofoto\OfotoNow\OFUSBS.dll [%System32%\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow] -> Ofoto, Inc. [Ver = 3.0.4.591 | Size = 77824 bytes | Modified Date = 11/5/2002 10:32:10 AM | Attr = ]
< Common Startup > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup ->
%AllUsersStartup%\Acrobat Assistant.lnk -> %ProgramFiles%\Adobe\Acrobat 6.0\Distillr\acrotray.exe -> Adobe Systems Inc. [Ver = 6.0.0.2003051500 | Size = 217193 bytes | Modified Date = 5/15/2003 2:19:50 AM | Attr = ]
%AllUsersStartup%\Adobe Gamma Loader.lnk -> %CommonProgramFiles%\Adobe\Calibration\Adobe Gamma Loader.exe -> Adobe Systems, Inc. [Ver = 1, 0, 0, 1 | Size = 113664 bytes | Modified Date = 11/4/1999 4:06:48 PM | Attr = ]
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< CurrentVersion Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveAutoRun -> 67108863 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 255 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ -> ->
< CurrentVersion Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> •
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> ->
< HOSTS File > (27 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
127.0.0.1 localhost -> ->
< Internet Explorer Settings > -> ->
HKLM: Default_Page_URL -> http://www.worldnet.att.net ->
HKLM: Main\\Default_Search_URL -> http://www.google.com/ie ->
HKLM: Local Page -> %SystemRoot%\system32\blank.htm ->
HKLM: Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKLM: Start Page -> http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home ->
HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKLM: Search\\Default_Search_URL -> http://www.google.com/ie ->
HKLM: SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm ->
HKCU: Local Page -> C:\WINDOWS\System32\blank.htm ->
HKCU: Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKCU: Start Page -> http://news.google.com/ ->
HKCU: ProxyEnable -> 0 ->
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll [AcroIEHlprObj Class] -> Adobe Systems Incorporated [Ver = 6.0.0.2003051500 | Size = 50376 bytes | Modified Date = 5/15/2003 1:47:54 AM | Attr = ]
{0EDAD203-C9CD-4DD1-9AC6-EA40F50B684A} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
{0F660F64-F4C9-477F-8529-44181B717472} [HKLM] -> %ProgramFiles%\AT&T\WnClient\Programs\CSMBHO.dll [CSMHelperObj Class] -> [Ver = 1, 0, 0, 1 | Size = 155702 bytes | Modified Date = 3/15/2002 6:15:06 PM | Attr = ]
{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot-S&D IE Protection] -> Safer Networking Limited [Ver = 1, 5, 0, 8 | Size = 1122128 bytes | Modified Date = 8/31/2007 4:46:14 PM | Attr = ]
{AA58ED58-01DD-4d91-8333-CF10577473F7} [HKLM] -> %ProgramFiles%\Google\googletoolbar3.dll [Google Toolbar Helper] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 1/19/2007 11:55:32 PM | Attr = R ]
{AE7CD045-E861-484f-8273-0445EE161910} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [AcroIEToolbarHelper Class] -> [Ver = | Size = 147456 bytes | Modified Date = 5/15/2003 2:03:46 AM | Attr = ]
< Internet Explorer Bars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ ->
{182EC0BE-5110-49C8-A062-BEB1D02A220B} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> [Ver = | Size = 147456 bytes | Modified Date = 5/15/2003 2:03:46 AM | Attr = ]
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
{2318C2B1-4965-11d4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar3.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 1/19/2007 11:55:32 PM | Attr = R ]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> [Ver = | Size = 147456 bytes | Modified Date = 5/15/2003 2:03:46 AM | Attr = ]
{8E718888-423F-11D2-876E-00A0C9082467} [HKLM] -> %System32%\msdxm.ocx [&Radio] -> [Ver = | Size = 842268 bytes | Modified Date = 8/29/2002 8:00:00 AM | Attr = ]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar3.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 1/19/2007 11:55:32 PM | Attr = R ]
ShellBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> [Ver = | Size = 147456 bytes | Modified Date = 5/15/2003 2:03:46 AM | Attr = ]
WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar3.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 1/19/2007 11:55:32 PM | Attr = R ]
WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> [Ver = | Size = 147456 bytes | Modified Date = 5/15/2003 2:03:46 AM | Attr = ]
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{0264505A-6793-44E0-AC75-9DCE3B13185C} -> %ProgramFiles%\AT&T\WnClient\Programs\AnyWho.exe [ButtonText: AnyWho] -> [Ver = | Size = 36864 bytes | Modified Date = 3/15/2002 6:13:46 PM | Attr = ]
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [MenuText: Spybot - Search & Destroy Configuration] -> Safer Networking Limited [Ver = 1, 5, 0, 8 | Size = 1122128 bytes | Modified Date = 8/31/2007 4:46:14 PM | Attr = ]
< Internet Explorer Menu Extensions [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ ->
E&xport to Microsoft Excel -> -> File not found
< User Agent Post Platform [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform ->
AT&T CSM7.0 -> AT&T CSM7.0 ->
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{C169881A-02FD-44BD-9D06-F13506CDDE6A} ->

(cont'd next reply)

These scans always show I have Microsoft SP1, but when I go to load SP2 Microsoft says I already have SP2 installed. I believe I have what's called "hot fix" SP2. I don't know how to migrate from "hot fix" SP2 to regular SP2. Other than that I hope these logs will indicate progress.

Thanks - owenisch.

owenisch
2007-10-24, 19:04
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{C169881A-02FD-44BD-9D06-F13506CDDE6A} -> (NE2000 Compatible ISAPNP Ethernet Adapter (Generic)) ->
< Default Protocols [HKLM] - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults ->
shell -> shell protocol not assigned ->
< Default Protocols [HKCU] - Select to Repair > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults ->
shell -> shell protocol not assigned ->
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ ->
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
vnd.ms.radio -> %System32%\msdxm.ocx -> [Ver = | Size = 842268 bytes | Modified Date = 8/29/2002 8:00:00 AM | Attr = ]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} -> CKAVWebScan Object - CodeBase = http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab ->
{215B8138-A3CF-44C5-803F-8226143CFC0A} -> Trend Micro ActiveX Scan Agent 6.6 - CodeBase = http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab ->
{2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -> Symantec AntiVirus scanner - CodeBase = http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab ->
{33564D57-0000-0010-8000-00AA00389B71} -> - CodeBase = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB ->
{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -> Office Update Installation Engine - CodeBase = http://office.microsoft.com/officeupdate/content/opuc.cab ->
{56336BCB-3D8A-11D6-A00B-0050DA18DE71} -> - CodeBase = http://207.188.7.150/10d382795368a9ba3923/netzip/RdxIE601.cab ->
{644E432F-49D3-41A1-8DD5-E099162EEEC5} -> Symantec RuFSI Utility Class - CodeBase = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab ->
{8AD9C840-044E-11D1-B3E9-00805F499D93} -> Java Plug-in 1.4.0_01 - CodeBase = http://java.sun.com/products/plugin/autodl/jinstall-1_4_0_01-win.cab ->
{8EDAD21C-3584-4E66-A8AB-EB0E5584767D} -> - CodeBase = http://toolbar.google.com/data/GoogleActivate.cab ->
{9F1C11AA-197B-4942-BA54-47A8489BB47F} -> - CodeBase = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37629.0372106481 ->
{B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} -> TSEasyInstallX Control - CodeBase = http://www.trendsecure.com/easy_install/_activex/en-US/TSEasyInstallX.CAB ->
{CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} -> Java Plug-in 1.4.0_01 - CodeBase = http://java.sun.com/products/plugin/autodl/jinstall-1_4_0_01-win.cab ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} -> Shockwave Flash Object - CodeBase = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab ->
DirectAnimation Java Classes -> - CodeBase = file://C:\WINDOWS\Java\classes\dajava.cab ->
Microsoft XML Parser for Java -> - CodeBase = file://C:\WINDOWS\Java\classes\xmldso.cab ->

[Registry - Additional Scans - Non-Microsoft Only]

[Files/Folders - Created Within 30 days]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 166187008 bytes | Created Date = 1/1/1601 5:00:00 AM | Attr = HS]
qoobox -> %SystemDrive%\qoobox -> [Folder | Created Date = 10/24/2007 10:43:16 AM | Attr = ]
$hf_mig$ -> %SystemRoot%\$hf_mig$ -> [Folder | Created Date = 10/10/2007 4:49:37 PM | Attr = H ]
$MSI31Uninstall_KB893803v2$ -> %SystemRoot%\$MSI31Uninstall_KB893803v2$ -> [Folder | Created Date = 10/10/2007 4:50:23 PM | Attr = H ]
$NtUninstallKB842773$ -> %SystemRoot%\$NtUninstallKB842773$ -> [Folder | Created Date = 10/10/2007 4:50:59 PM | Attr = H ]
$NtUninstallKB898461$ -> %SystemRoot%\$NtUninstallKB898461$ -> [Folder | Created Date = 10/10/2007 4:49:37 PM | Attr = H ]
catchme.exe -> %SystemRoot%\catchme.exe -> [Ver = | Size = 136192 bytes | Created Date = 10/24/2007 10:41:07 AM | Attr = ]
erdnt -> %SystemRoot%\erdnt -> [Folder | Created Date = 10/24/2007 10:48:08 AM | Attr = ]
NirCmd.exe -> %SystemRoot%\NirCmd.exe -> NirSoft [Ver = 2.00 | Size = 51200 bytes | Created Date = 10/24/2007 10:41:07 AM | Attr = ]
TEMP -> %SystemRoot%\TEMP -> [Folder | Created Date = 10/24/2007 10:52:40 AM | Attr = ]
awkqpqdm.ini -> %System32%\awkqpqdm.ini -> [Ver = | Size = 694012 bytes | Created Date = 10/17/2007 3:36:32 PM | Attr = HS]
bits -> %System32%\bits -> [Folder | Created Date = 10/10/2007 4:51:10 PM | Attr = ]
fubgktub.ini -> %System32%\fubgktub.ini -> [Ver = | Size = 693781 bytes | Created Date = 10/9/2007 6:16:14 AM | Attr = HS]
gghnhsdo.ini -> %System32%\gghnhsdo.ini -> [Ver = | Size = 693601 bytes | Created Date = 10/6/2007 9:08:01 PM | Attr = HS]
ixaantus.ini -> %System32%\ixaantus.ini -> [Ver = | Size = 694372 bytes | Created Date = 10/12/2007 9:37:53 AM | Attr = HS]
jvotgicu.ini -> %System32%\jvotgicu.ini -> [Ver = | Size = 693592 bytes | Created Date = 10/15/2007 3:34:42 PM | Attr = HS]
Kaspersky Lab -> %System32%\Kaspersky Lab -> [Folder | Created Date = 10/18/2007 12:49:48 PM | Attr = ]
knjoiwmo.ini -> %System32%\knjoiwmo.ini -> [Ver = | Size = 693532 bytes | Created Date = 10/24/2007 9:24:11 AM | Attr = HS]
omwiojnk.dll -> %System32%\omwiojnk.dll -> [Ver = | Size = 84544 bytes | Created Date = 10/24/2007 9:24:10 AM | Attr = ]
oyouaxwu.ini -> %System32%\oyouaxwu.ini -> [Ver = | Size = 694150 bytes | Created Date = 10/10/2007 8:55:33 AM | Attr = HS]
PreInstall -> %System32%\PreInstall -> [Folder | Created Date = 10/10/2007 4:49:44 PM | Attr = ]
swreg.exe -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.6 | Size = 139776 bytes | Created Date = 10/24/2007 10:41:07 AM | Attr = ]
swsc.exe -> %System32%\swsc.exe -> SteelWerX [Ver = 2.0.0.0 | Size = 370688 bytes | Created Date = 10/24/2007 10:41:07 AM | Attr = ]
swxcacls.exe -> %System32%\swxcacls.exe -> SteelWerX [Ver = 1.0.1.1 | Size = 212480 bytes | Created Date = 10/24/2007 10:41:07 AM | Attr = ]
tmxoxbnl.ini -> %System32%\tmxoxbnl.ini -> [Ver = | Size = 694261 bytes | Created Date = 10/11/2007 9:24:31 AM | Attr = HS]
VFind.exe -> %System32%\VFind.exe -> [Ver = | Size = 49152 bytes | Created Date = 10/24/2007 10:41:07 AM | Attr = ]
wwkmuviq.ini -> %System32%\wwkmuviq.ini -> [Ver = | Size = 693832 bytes | Created Date = 10/16/2007 3:35:17 PM | Attr = HS]
tmcomm.sys -> %System32%\drivers\tmcomm.sys -> Trend Micro Inc. [Ver = 1.6.0.1059 | Size = 102664 bytes | Created Date = 10/16/2007 12:07:42 PM | Attr = ]
hosts.20071018-183735.backup -> %System32%\drivers\etc\hosts.20071018-183735.backup -> [Ver = | Size = 734 bytes | Created Date = 10/18/2007 5:37:35 PM | Attr = ]

[Files/Folders - Modified Within 30 days]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 166187008 bytes | Modified Date = 10/24/2007 12:04:36 PM | Attr = HS]
Program Files -> %ProgramFiles% -> [Folder | Modified Date = 10/17/2007 12:04:18 PM | Attr = R ]
qoobox -> %SystemDrive%\qoobox -> [Folder | Modified Date = 10/24/2007 11:52:18 AM | Attr = ]
System Volume Information -> %SystemDrive%\System Volume Information -> [Folder | Modified Date = 10/24/2007 11:41:26 AM | Attr = HS]
TEMP -> %SystemDrive%\TEMP -> [Folder | Modified Date = 10/24/2007 11:45:50 AM | Attr = ]
WINDOWS -> %SystemRoot% -> [Folder | Modified Date = 10/24/2007 11:52:42 AM | Attr = ]
$hf_mig$ -> %SystemRoot%\$hf_mig$ -> [Folder | Modified Date = 10/10/2007 5:49:38 PM | Attr = H ]
$MSI31Uninstall_KB893803v2$ -> %SystemRoot%\$MSI31Uninstall_KB893803v2$ -> [Folder | Modified Date = 10/10/2007 5:50:26 PM | Attr = H ]
$NtUninstallKB842773$ -> %SystemRoot%\$NtUninstallKB842773$ -> [Folder | Modified Date = 10/10/2007 5:51:00 PM | Attr = H ]
$NtUninstallKB898461$ -> %SystemRoot%\$NtUninstallKB898461$ -> [Folder | Modified Date = 10/10/2007 5:49:38 PM | Attr = H ]
bootstat.dat -> %SystemRoot%\bootstat.dat -> [Ver = | Size = 2048 bytes | Modified Date = 10/24/2007 12:04:40 PM | Attr = S]
catchme.exe -> %SystemRoot%\catchme.exe -> [Ver = | Size = 136192 bytes | Modified Date = 10/20/2007 6:03:32 AM | Attr = ]
Debug -> %SystemRoot%\Debug -> [Folder | Modified Date = 10/24/2007 12:05:02 PM | Attr = ]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files -> [Folder | Modified Date = 10/18/2007 1:49:52 PM | Attr = S]
erdnt -> %SystemRoot%\erdnt -> [Folder | Modified Date = 10/24/2007 11:48:10 AM | Attr = ]
Help -> %SystemRoot%\Help -> [Folder | Modified Date = 10/17/2007 5:35:44 PM | Attr = ]
imsins.BAK -> %SystemRoot%\imsins.BAK -> [Ver = | Size = 1393 bytes | Modified Date = 10/10/2007 5:51:28 PM | Attr = ]
inf -> %SystemRoot%\inf -> [Folder | Modified Date = 10/18/2007 1:49:50 PM | Attr = H ]
Installer -> %SystemRoot%\Installer -> [Folder | Modified Date = 10/16/2007 3:32:40 PM | Attr = HS]
Prefetch -> %SystemRoot%\Prefetch -> [Folder | Modified Date = 10/24/2007 12:09:22 PM | Attr = ]
Registration -> %SystemRoot%\Registration -> [Folder | Modified Date = 10/15/2007 2:54:06 PM | Attr = ]
repair -> %SystemRoot%\repair -> [Folder | Modified Date = 10/15/2007 2:54:16 PM | Attr = ]
SoftwareDistribution -> %SystemRoot%\SoftwareDistribution -> [Folder | Modified Date = 10/10/2007 5:39:56 PM | Attr = ]
system32 -> %System32% -> [Folder | Modified Date = 10/24/2007 12:06:28 PM | Attr = ]
Tasks -> %SystemRoot%\Tasks -> [Folder | Modified Date = 10/24/2007 11:46:06 AM | Attr = S]
TEMP -> %SystemRoot%\TEMP -> [Folder | Modified Date = 10/24/2007 12:06:14 PM | Attr = ]
Web -> %SystemRoot%\Web -> [Folder | Modified Date = 10/17/2007 1:58:10 PM | Attr = R ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [Ver = | Size = 6 bytes | Modified Date = 10/24/2007 12:04:54 PM | Attr = H ]
awkqpqdm.ini -> %System32%\awkqpqdm.ini -> [Ver = | Size = 694012 bytes | Modified Date = 10/18/2007 9:56:58 AM | Attr = HS]
bits -> %System32%\bits -> [Folder | Modified Date = 10/10/2007 5:51:14 PM | Attr = ]
CatRoot2 -> %System32%\CatRoot2 -> [Folder | Modified Date = 10/18/2007 1:51:48 PM | Attr = ]
config -> %System32%\config -> [Folder | Modified Date = 10/24/2007 11:48:34 AM | Attr = ]
dllcache -> %System32%\dllcache -> [Folder | Modified Date = 10/10/2007 5:51:14 PM | Attr = RHS]
drivers -> %System32%\drivers -> [Folder | Modified Date = 10/24/2007 11:50:40 AM | Attr = ]
fubgktub.ini -> %System32%\fubgktub.ini -> [Ver = | Size = 693781 bytes | Modified Date = 10/10/2007 9:52:50 AM | Attr = HS]
gghnhsdo.ini -> %System32%\gghnhsdo.ini -> [Ver = | Size = 693601 bytes | Modified Date = 10/9/2007 7:04:46 AM | Attr = HS]
ixaantus.ini -> %System32%\ixaantus.ini -> [Ver = | Size = 694372 bytes | Modified Date = 10/14/2007 4:30:00 PM | Attr = HS]
jvotgicu.ini -> %System32%\jvotgicu.ini -> [Ver = | Size = 693592 bytes | Modified Date = 10/16/2007 3:59:18 PM | Attr = HS]
Kaspersky Lab -> %System32%\Kaspersky Lab -> [Folder | Modified Date = 10/18/2007 1:49:50 PM | Attr = ]
knjoiwmo.ini -> %System32%\knjoiwmo.ini -> [Ver = | Size = 693532 bytes | Modified Date = 10/24/2007 12:06:28 PM | Attr = HS]
NtmsData -> %System32%\NtmsData -> [Folder | Modified Date = 10/15/2007 3:15:18 PM | Attr = ]
omwiojnk.dll -> %System32%\omwiojnk.dll -> [Ver = | Size = 84544 bytes | Modified Date = 10/24/2007 10:24:12 AM | Attr = ]
oyouaxwu.ini -> %System32%\oyouaxwu.ini -> [Ver = | Size = 694150 bytes | Modified Date = 10/11/2007 10:20:34 AM | Attr = HS]
PreInstall -> %System32%\PreInstall -> [Folder | Modified Date = 10/10/2007 5:49:46 PM | Attr = ]
Restore -> %System32%\Restore -> [Folder | Modified Date = 10/24/2007 11:41:26 AM | Attr = ]
tmxoxbnl.ini -> %System32%\tmxoxbnl.ini -> [Ver = | Size = 694261 bytes | Modified Date = 10/12/2007 10:36:20 AM | Attr = HS]
wpa.dbl -> %System32%\wpa.dbl -> [Ver = | Size = 13312 bytes | Modified Date = 10/24/2007 10:14:52 AM | Attr = ]
wwkmuviq.ini -> %System32%\wwkmuviq.ini -> [Ver = | Size = 693832 bytes | Modified Date = 10/17/2007 3:48:56 PM | Attr = HS]
etc -> %System32%\drivers\etc -> [Folder | Modified Date = 10/24/2007 11:50:40 AM | Attr = ]
tmcomm.sys -> %System32%\drivers\tmcomm.sys -> Trend Micro Inc. [Ver = 1.6.0.1059 | Size = 102664 bytes | Modified Date = 10/10/2007 10:59:54 AM | Attr = ]

[File String Scan - Non-Microsoft Only]
aspack , -> %SystemRoot%\eFaxView.exe -> eFax.com [Ver = 2.00.07 | Size = 311840 bytes | Modified Date = 1/10/2000 6:48:26 PM | Attr = ]
PEC2 , -> %System32%\dfrg.msc -> [Ver = | Size = 41397 bytes | Modified Date = 8/29/2002 8:00:00 AM | Attr = ]
UPX! , UPX0 , -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.6 | Size = 139776 bytes | Modified Date = 4/2/2007 2:21:28 PM | Attr = ]
winsync , -> %System32%\wbdbase.deu -> [Ver = | Size = 1309184 bytes | Modified Date = 8/29/2002 8:00:00 AM | Attr = ]
WSUD , UPX0 , -> %System32%\dllcache\hwxjpn.dll -> [Ver = | Size = 13463552 bytes | Modified Date = 8/29/2002 8:00:00 AM | Attr = ]

< End of report >

Rorschach112
2007-10-24, 23:07
Hello, I will ask a Tech friend about your Windows Update problem, not sure why that is happening.



Start WinPFind3U. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.


[Kill Explorer]
[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> 28425a48 -> %System32%\omwiojnk.dll [rundll32.exe "C:\WINDOWS\System32\omwiojnk.dll",b]
[Files/Folders - Created Within 30 days]
NY -> awkqpqdm.ini -> %System32%\awkqpqdm.ini
NY -> fubgktub.ini -> %System32%\fubgktub.ini
NY -> gghnhsdo.ini -> %System32%\gghnhsdo.ini
NY -> ixaantus.ini -> %System32%\ixaantus.ini
NY -> jvotgicu.ini -> %System32%\jvotgicu.ini
NY -> knjoiwmo.ini -> %System32%\knjoiwmo.ini
NY -> omwiojnk.dll -> %System32%\omwiojnk.dll
NY -> oyouaxwu.ini -> %System32%\oyouaxwu.ini
NY -> tmxoxbnl.ini -> %System32%\tmxoxbnl.ini
NY -> wwkmuviq.ini -> %System32%\wwkmuviq.ini
[Files/Folders - Modified Within 30 days]
NY -> awkqpqdm.ini -> %System32%\awkqpqdm.ini
NY -> fubgktub.ini -> %System32%\fubgktub.ini
NY -> gghnhsdo.ini -> %System32%\gghnhsdo.ini
NY -> ixaantus.ini -> %System32%\ixaantus.ini
NY -> jvotgicu.ini -> %System32%\jvotgicu.ini
NY -> knjoiwmo.ini -> %System32%\knjoiwmo.ini
NY -> omwiojnk.dll -> %System32%\omwiojnk.dll
NY -> oyouaxwu.ini -> %System32%\oyouaxwu.ini
NY -> tmxoxbnl.ini -> %System32%\tmxoxbnl.ini
NY -> wwkmuviq.ini -> %System32%\wwkmuviq.ini
[Empty Temp Folders]
[Start Explorer]
[Reboot]


The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new WinPFind3u scan.

I will review the information when it comes back in.




Also please post a new HijackThis log and tell me how your PC is running now.
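The fix above works from a pattern a helper spots by eye in the WinPFind3U log: eight-letter pseudo-random file names sitting directly in System32, hidden+system .ini files of roughly the same size, and a Run value whose name is a hex blob and whose command is rundll32 loading one of those DLLs. As an added example, not part of this thread and not code from WinPFind3U or Spybot, the Python script below applies those same checks to log lines in the WinPFind3U layout and writes out the matching entries in the "paste fix here" format shown in the post, so a helper can review them before use. The log excerpt is constructed from lines quoted earlier in the thread; the Created date on awkqpqdm.ini, the benign TkBellExe Run line and the exact way a Run value is laid out are assumptions, and the heuristics are this example's own, not a published signature.

```python
import re

# Constructed excerpt in the WinPFind3U log layout. File names come from this thread;
# the awkqpqdm.ini date, the TkBellExe line and the Run-value layout are assumptions.
SAMPLE_LOG = r"""
[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> 28425a48 -> %System32%\omwiojnk.dll [rundll32.exe "C:\WINDOWS\System32\omwiojnk.dll",b]
YY -> TkBellExe -> %ProgramFiles%\Common Files\Real\Update_OB\realsched.exe ["C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot]
[Files/Folders - Created Within 30 days]
awkqpqdm.ini -> %System32%\awkqpqdm.ini -> [Ver = | Size = 694012 bytes | Created Date = 10/18/2007 9:56:58 AM | Attr = HS]
omwiojnk.dll -> %System32%\omwiojnk.dll -> [Ver = | Size = 84544 bytes | Created Date = 10/24/2007 9:24:10 AM | Attr = ]
swreg.exe -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.6 | Size = 139776 bytes | Created Date = 10/24/2007 10:41:07 AM | Attr = ]
tmcomm.sys -> %System32%\drivers\tmcomm.sys -> Trend Micro Inc. [Ver = 1.6.0.1059 | Size = 102664 bytes | Created Date = 10/16/2007 12:07:42 PM | Attr = ]
PreInstall -> %System32%\PreInstall -> [Folder | Created Date = 10/10/2007 4:49:44 PM | Attr = ]
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
RUN_RE = re.compile(r"^(?P<flags>[YN]{2}) -> (?P<value>.+?) -> (?P<target>.+?) \[(?P<cmd>.*)\]$")
FILE_RE = re.compile(r"^(?P<name>.+?) -> (?P<path>.+?) -> (?P<vendor>.*?)\[(?P<fields>.*)\]$")
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.(ini|dll)$")  # eight lowercase letters, .ini or .dll


def parse_fields(raw):
    """Turn 'Ver = | Size = 84544 bytes | Attr = HS' into a dict; Size becomes an int."""
    out = {}
    for part in raw.split(" | "):
        if " = " in part:
            key, value = part.split(" = ", 1)
            out[key.strip()] = value.strip()
        elif part.strip() == "Folder":
            out["Folder"] = True
    if "Size" in out:
        out["Size"] = int(out["Size"].split()[0])
    return out


def parse_log(text):
    """Return (run_entries, files) from the Registry and Files/Folders sections."""
    run_entries, files, section = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section and section.startswith("Registry"):
            m = RUN_RE.match(line)
            if m:
                run_entries.append(m.groupdict())
        elif section and section.startswith("Files/Folders"):
            m = FILE_RE.match(line)
            if m:
                entry = m.groupdict()
                entry["fields"] = parse_fields(entry["fields"])
                files.append(entry)
    return run_entries, files


def in_system32_root(path):
    """True for files directly under %System32%, not in a subfolder such as drivers\\."""
    prefix = "%system32%\\"
    return path.lower().startswith(prefix) and "\\" not in path[len(prefix):]


def assess(run_entries, files):
    """Apply the thread's eyeball heuristics; return (flagged_files, flagged_runs)."""
    loaded_by_rundll32, flagged_runs = set(), []
    for r in run_entries:
        reasons = []
        base = r["target"].rsplit("\\", 1)[-1].lower()
        if r["cmd"].lower().startswith("rundll32") and RANDOM_NAME_RE.match(base):
            reasons.append("rundll32 loads a pseudo-random DLL name")
            loaded_by_rundll32.add(base)
        if re.fullmatch(r"[0-9a-f]{8}", r["value"]):
            reasons.append("Run value name is a hex blob, not a product name")
        if reasons:
            flagged_runs.append((r, reasons))
    flagged_files = []
    for f in files:
        fld = f["fields"]
        if fld.get("Folder"):
            continue
        base, reasons = f["name"].lower(), []
        if RANDOM_NAME_RE.match(base) and in_system32_root(f["path"]):
            reasons.append("pseudo-random 8-letter name directly in System32")
            attr = fld.get("Attr", "")
            if "H" in attr and "S" in attr:
                reasons.append("hidden+system attributes")
            if base in loaded_by_rundll32:
                reasons.append("referenced by a Run entry")
            if not f["vendor"].strip() and not fld.get("Ver"):
                reasons.append("no vendor or version information")
        if reasons:
            flagged_files.append((f, reasons))
    return flagged_files, flagged_runs


def build_fix_list(flagged_files, flagged_runs):
    """Emit the flagged entries in the 'paste fix here' layout used in this thread."""
    lines = ["[Kill Explorer]"]
    if flagged_runs:
        lines.append("[Registry - Non-Microsoft Only]")
        lines.append("< Run [HKLM] > -> HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run")
        for r, _ in flagged_runs:
            lines.append(f"YY -> {r['value']} -> {r['target']} [{r['cmd']}]")
    if flagged_files:
        lines.append("[Files/Folders - Created Within 30 days]")
        for f, _ in flagged_files:
            lines.append(f"NY -> {f['name']} -> {f['path']}")
    lines += ["[Empty Temp Folders]", "[Start Explorer]", "[Reboot]"]
    return lines


if __name__ == "__main__":
    runs, files = parse_log(SAMPLE_LOG)
    ff, fr = assess(runs, files)
    for entry, reasons in fr + ff:
        print(entry.get("name") or entry.get("value"), "->", "; ".join(reasons))
    print("\n".join(build_fix_list(ff, fr)))
```

Run against the excerpt, the script flags omwiojnk.dll (random name, referenced by the Run entry, no vendor), awkqpqdm.ini (random name, hidden+system, no vendor) and the 28425a48 Run value, while swreg.exe, tmcomm.sys and the RealPlayer Run entry pass because they carry a vendor string or a product-style name; the legitimate tools with short names are untouched.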

owenisch
2007-10-25, 16:50
Dear Rorschach,

I attempted to follow the WinPFind3U fix instructions and pasted the quote box contents into the WinPFind3U fix window. Upon clicking the fix button the program immediately went non-responsive. I tried it several times. I had to end the program using task manager. I also forwarded the error to MS and clicked for more info. Usually MS opens a window and reports with some text. In my case an IE window opened but no text from MS appeared so I closed the IE window. I also tried the WinPFind3U fix again on a reboot but there was no change in operation - went non-responsive again. Just to see if the program worked at all I ran a general default scan - the scan portion executed with no problems.

Since I couldn't carry out the first part of your suggestions - I held up on doing the rest of the suggested scans to await any further comments.

So far the computer seems to be responding normally with no apparent IE pop-ups. One of my shortcuts to a Netscape browser got renamed to an IE icon but that's ok. The reply from MS for a reported non-responsive program seems to be blocked.

Thanks for looking into this problem. I'll await your further suggestion. - owenisch

Rorschach112
2007-10-25, 17:15
Hello owenisch, thanks for letting me know.

Could you try it one more time for me please, make sure you have no programs running, and when you try to run the fix, do nothing else with your PC. The program will stall if you try to run another program.

If that doesn't work, we will try something else.


Also will you remind me at the end about your Service Pack 2 problem, there is something we can do to try to fix that.

owenisch
2007-10-25, 19:31
Hi Rorschach,

I gave the WinPFind3U another try.

I entered Spybot S&D forums this time through IE instead of Netscape, copied quote file and exited IE.

I ended resident Windows IMG task.

Used file explorer to load WinPFind3U and then closed file explorer window.

Pasted the copied fix into "paste fix here window" and clicked on "Run fix". The program seemed to execute this time but stopped before a finish message or notepad log was displayed. The "paste fix here" window was filled with 14 lines of "[Reboot]". After waiting 10 minutes I terminated WinPFind3U with task manager. During use of task manager I checked performance which indicated CPU usage was at 100% but program was listed as not responding.

Maybe it wanted me to reboot manually?..I don't know. Please let me know if this is an improvement. I'll remind you about the sp2 fix issue later - I found four Sp2 hotfix items under "add/remove programs" list.

Thanks - owenisch

Rorschach112
2007-10-25, 20:12
Let's do this instead

Please download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) and save it to your Desktop.
Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

owenisch
2007-10-25, 21:22
Hello Rorschach,

The Deckard's scan seemed to execute well.

Here are results:

Deckard's System Scanner v20071014.68
Run by Ozzie on 2007-10-25 15:02:15
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 3 Restore Point(s) --
3: 2007-10-25 19:02:23 UTC - RP3 - Deckard's System Scanner Restore Point
2: 2007-10-24 15:43:13 UTC - RP2 - ComboFix created restore point
1: 2007-10-24 15:41:36 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 159 MiB (512 MiB recommended).


-- HijackThis (run as Ozzie.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:03:38 PM, on 10/25/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Ozzie\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Ozzie.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.worldnet.att.net
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://netscape.aol.com/"); (C:\Documents and Settings\OZZIE\Application Data\Mozilla\Profiles\default\usep8q5q.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\OZZIE\Application Data\Mozilla\Profiles\default\usep8q5q.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0EDAD203-C9CD-4DD1-9AC6-EA40F50B684A} - (no file)
O2 - BHO: CSMHelperObj Class - {0F660F64-F4C9-477F-8529-44181B717472} - C:\Program Files\AT&T\WnClient\Programs\CSMBHO.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\System32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - C:\Program Files\AT&T\WnClient\Programs\AnyWho.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.worldnet.att.net
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/10d382795368a9ba3923/netzip/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_activex/en-US/TSEasyInstallX.CAB
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 5325 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.js - JSFile - DefaultIcon - C:\Program Files\Macromedia\Dreamweaver UltraDev 4\UltraDev.exe,2
.js - JSFile - shell\open\command - "C:\Program Files\Macromedia\Dreamweaver UltraDev 4\UltraDev.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 catchme - c:\docume~1\ozzie\locals~1\temp\catchme.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2007-09-25 and 2007-10-25 -----------------------------

2007-10-18 13:49:52 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-18 13:49:48 0 d-------- C:\WINDOWS\System32\Kaspersky Lab
2007-10-17 12:04:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-16 15:28:52 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-16 15:24:31 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-16 15:10:49 0 d-------- C:\Program Files\Lavasoft
2007-10-11 15:45:13 0 d-------- C:\Program Files\Trend Micro
2007-10-10 17:51:10 0 d-------- C:\WINDOWS\System32\bits
2007-10-10 17:49:44 0 d-------- C:\WINDOWS\System32\PreInstall
2007-10-10 17:49:37 0 d--h----- C:\WINDOWS\$hf_mig$
2007-10-10 14:45:06 0 d-------- C:\Documents and Settings\Ozzie\Application Data\HouseCall 6.6
2007-10-06 22:08:00 0 d-------- C:\Documents and Settings\Ozzie\Application Data\Google


-- Find3M Report ---------------------------------------------------------------

2007-10-16 15:24:31 0 d-------- C:\Program Files\Common Files
2007-10-07 08:06:26 0 d-------- C:\Program Files\Google
2007-07-29 11:04:06 17608 --a------ C:\Documents and Settings\Ozzie\Application Data\GDIPFONTCACHEV1.DAT


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0EDAD203-C9CD-4DD1-9AC6-EA40F50B684A}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [04/18/2002 11:27 PM C:\WINDOWS\AGRSMMSG.exe]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 07:50 AM]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [07/17/2002 08:59 AM]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [07/17/2002 08:45 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [04/24/2006 09:14 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [08/20/2002 04:08 PM]
"OfotoNow USB Detection"="C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [5/15/2003 2:19:50 AM]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [1/10/2000 6:08:09 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 2:01:04 AM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"




-- End of Deckard's System Scanner: finished at 2007-10-25 15:05:26 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 1.0
Architecture: X86; Language: English

CPU 0: Intel Pentium III processor
Percentage of Memory in Use: 72%
Physical Memory (total/avail): 158.42 MiB / 43 MiB
Pagefile Memory (total/avail): 386.5 MiB / 254.24 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1950.63 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 19.55 GiB total, 11.62 GiB free.
D: is Fixed (NTFS) - 17.71 GiB total, 15.67 GiB free.
E: is CDROM (No Media)
F: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD400BB-00DEA0 - 37.27 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 19.55 GiB - C:
\PARTITION1 - Installable File System - 17.71 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Ozzie\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=WENISCH-HOME
ComSpec=C:\WINDOWS\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Ozzie
LOGONSERVER=\\WENISCH-HOME
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 7 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0703
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Ozzie\LOCALS~1\Temp
TMP=C:\DOCUME~1\Ozzie\LOCALS~1\Temp
USERDOMAIN=WENISCH-HOME
USERNAME=Ozzie
USERPROFILE=C:\Documents and Settings\Ozzie
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Ozzie (admin)
Christopher (admin)
Mom
Joseph (admin)
Administrator (admin)
Guest (guest)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat 6.0 Standard --> MsiExec.exe /I{AC76BA86-1033-0000-BA7E-000000000001}
Adobe Photoshop 7.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
Agere Systems PCI Soft Modem --> agrsmdel
Ahead Nero Burning ROM --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
AT&TWorldNet Service --> C:\WINDOWS\WNBackup\WnClient70\unwise32.exe /Z /U C:\WINDOWS\WNBackup\WnClient70\install.log "AT&T WorldNet Service"
Canon Digital Camera USB WIA Driver --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\DC USB WIA\Uninst.isu" -c"C:\Program Files\Canon\DC USB WIA\SetupWia.dll"
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar3.dll"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HouseCall 6.6 --> "C:\Documents and Settings\Ozzie\Application Data\HouseCall 6.6\uninstaller.exe"
Intel(R) 810/810E/815/815E/815EM Chipset Graphics Driver Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8A708DD8-A5E6-11D4-A706-000629E95E20}\Setup.exe" -inteluninstall
Java 2 Runtime Environment, SE v1.4.0_01 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7CF31609-270B-11D6-9445-000102308676}\Setup.exe" Anytext
Java Web Start --> "C:\Program Files\Java Web Start\uninst-javaws.exe"
Kaspersky Online Scanner --> C:\WINDOWS\System32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Macromedia Dreamweaver 4 and UltraDev 4 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ABDA9912-5D00-11D4-BAE7-9367CA097955}\Setup.exe" mmUninstall
Macromedia Extension Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A5BA14E0-7384-11D4-BAE7-00409631A2C8}\setup.exe" mmUninstall
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Mozilla Firefox (2.0.0.7) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Netscape (7.01) --> C:\WINDOWS\NSUninst.exe /ua "7.01 (en)"
OfotoNow --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2875A5F5-E613-4F99-9B47-8882C9DD24A5}\Setup.exe" -l0x9 anything
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\System32\QuickTime\Uninstall.log
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Windows Backup Utility --> MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE}


-- Application Event Log -------------------------------------------------------

Event Record #/Type618 / Error
Event Submitted/Written: 10/25/2007 01:15:09 PM
Event ID/Source: 1001 / Application Hang
Event Description:
Fault bucket 506157943.

Event Record #/Type617 / Error
Event Submitted/Written: 10/25/2007 01:15:00 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application WinPFind3U.exe, version 1.0.42.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type616 / Error
Event Submitted/Written: 10/25/2007 10:19:18 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application WinPFind3U.exe, version 1.0.42.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type615 / Error
Event Submitted/Written: 10/24/2007 10:20:41 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application , version 0.0.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type614 / Error
Event Submitted/Written: 10/24/2007 10:19:40 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application WinPFind3U.exe, version 1.0.42.0, hang module user32.dll, version 5.1.2600.1106, hang address 0x00047fef.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type26511 / Warning
Event Submitted/Written: 10/25/2007 01:54:11 PM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type26485 / Warning
Event Submitted/Written: 10/24/2007 03:36:07 PM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type26456 / Error
Event Submitted/Written: 10/24/2007 11:46:04 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The combofix service failed to start due to the following error:
%%1053

Event Record #/Type26455 / Error
Event Submitted/Written: 10/24/2007 11:46:04 AM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the combofix service to connect.

Event Record #/Type26429 / Warning
Event Submitted/Written: 10/23/2007 06:58:59 PM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.



-- End of Deckard's System Scanner: finished at 2007-10-25 15:05:26 ------------


Hope the information is helpful - owenisch

Rorschach112
2007-10-25, 22:00
It seems like WinPFind3 worked :)

Your logs are looking good. We are nearly done now.


Next download AVG Anti-Spyware from HERE (http://downloads.grisoft.cz/softw/70/filedir/inst/avgas-setup-7.5.0.50.exe) and save that file to your desktop.
This is a 30 day trial of the program.
Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
On the main screen select the icon "Update" then select the "Update now" link.
Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.

Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
Select "Automatically generate report after every scan"
Un-Select "Only if threats were found"

Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.
Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process:
Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will be prompted, then select "Apply all actions"
Next select the "Reports" icon at the top.
Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.




Let me know how your PC is running then.

owenisch
2007-10-25, 23:18
Hi Rorschach,

I had read your latest post suggesting a run of the AVG Anti-Spyware. Using the link from your post I downloaded the setup program "avgas-setup-7.5.0.50.exe".

I got as far as double clicking on the desktop icon. The setup program started and a small square message window popped up titled "setup", the message stated "64 Bit edition of Windows is not supported" and there was only an "OK" click available - I clicked it and nothing further happened. So, I couldn't proceed with the AVG setup.

As far as I know I'm running a standard Windows XP Home edition, not sure how many bits is standard or if it was ever selectable.

Do you have any idea about this error?

Otherwise the computer is still operating well on all functions I've used. All browsers are working: IE, Netscape... I haven't tried Firefox of late. No popups to report.

Thanks - owenisch

Rorschach112
2007-10-25, 23:45
No need to worry about that. Try this instead

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Double-click the drweb-cureit.exe file and allow it to run the express scan.
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, in the menu, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot your computer!! Files that are in use may only be moved/deleted during the reboot.
After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

owenisch
2007-10-25, 23:49
I checked the Grisoft website. I seem to have downloaded a software version avgas-setup-7.5.0.50.exe but upon checking their website I saw a listing for trial software of version 7.5.1.43. I checked under its specs and I believe it said it supported the 64-bit requirement.

Could your link have pointed to the incorrect download? Just wondering.

regards - owenisch

Rorschach112
2007-10-25, 23:53
Yep you seem to be right. Don't worry about that though, either program is good. You can just continue on with the Dr. Web Cureit scan.

owenisch
2007-10-26, 05:39
Hello Rorschach,

I am glad I didn't have to run this scan in safe mode as the characters get very large and all doesn't fit on the screen.

I ran the DR. Web CureIt without a problem. There were a few questionable items, one was an Ofoto program in two instances - probably a photo uploader program, but I think it ran in background to check USB port, didn't need it so I also deleted (although an ofoto icon was left on my desktop), the other I didn't need was some joke exe program so I selected delete. The other deletions were done by Dr. Web CureIt program.

As far as I can tell everything on the computer so far seems to be running well, no pop ups, no hanging programs or other symptoms. I do believe I can add some more system memory, as during the scans the system bumped up my virtual memory.

Here is a copy of the report. Please let me know what you think. After all this I hope it's clear. I am certainly pleased the operating system is still running well. It seemed like a large number of viruses and adware were removed since the start of the testing.

RegUBP2b-Ozzie.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
OfotoNow.exe;C:\Program Files\Ofoto\OfotoNow;Probably WIN.WORM.Virus;Deleted.;
tsitra572.exe.vir;C:\qoobox\Quarantine\C\WINDOWS;Trojan.DownLoader.31817;Deleted.;
aevlwbbc.dll.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.Click.4739;Deleted.;
hsejqhod.exe.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.EzulaAd;Deleted.;
miewejal.exe.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.EzulaAd;Deleted.;
myhvybsj.dll.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.Click.4739;Deleted.;
ofuedmgq.exe.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.EzulaAd;Deleted.;
sbcwlygq.exe.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.EzulaAd;Deleted.;
b02FdUe1065.exe.vir;C:\qoobox\Quarantine\C\WINDOWS\system32\b02FdUe;Trojan.DownLoader.24715;Deleted.;
A0000005.exe;C:\System Volume Information\_restore{2229AC3B-AEF9-45F8-BF8D-6E57ABBF3659}\RP2;Trojan.DownLoader.31817;Deleted.;
A0000006.exe;C:\System Volume Information\_restore{2229AC3B-AEF9-45F8-BF8D-6E57ABBF3659}\RP2;Trojan.EzulaAd;Deleted.;
A0000007.exe;C:\System Volume Information\_restore{2229AC3B-AEF9-45F8-BF8D-6E57ABBF3659}\RP2;Trojan.EzulaAd;Deleted.;
A0000008.exe;C:\System Volume Information\_restore{2229AC3B-AEF9-45F8-BF8D-6E57ABBF3659}\RP2;Trojan.EzulaAd;Deleted.;
A0000009.exe;C:\System Volume Information\_restore{2229AC3B-AEF9-45F8-BF8D-6E57ABBF3659}\RP2;Trojan.EzulaAd;Deleted.;
A0000010.dll;C:\System Volume Information\_restore{2229AC3B-AEF9-45F8-BF8D-6E57ABBF3659}\RP2;Trojan.Click.4739;Deleted.;
A0000012.dll;C:\System Volume Information\_restore{2229AC3B-AEF9-45F8-BF8D-6E57ABBF3659}\RP2;Trojan.Click.4739;Deleted.;
A0000019.exe;C:\System Volume Information\_restore{2229AC3B-AEF9-45F8-BF8D-6E57ABBF3659}\RP2;Trojan.DownLoader.24715;Deleted.;
A0001108.reg;C:\System Volume Information\_restore{2229AC3B-AEF9-45F8-BF8D-6E57ABBF3659}\RP3;Trojan.StartPage.1505;Deleted.;
OfotoNow.scr;C:\WINDOWS\system32;Probably WIN.WORM.Virus;Deleted.;
StressRelief.exe;D:\OZZIE - Old Computer\Drive C\Windows\Desktop;Joke.Puncher;Deleted.;

Regards - owenisch

Rorschach112
2007-10-27, 11:03
Hello owenisch

Yes Safe Mode is a strange place :)

Dr. Web Cureit report is looking good. If you could just post a new HijackThis log, then we can send you on your way I think.

owenisch
2007-10-27, 20:09
Hello Rorschach,

All still seems to be running well - no system hangups or pop ups noticeable. As you requested I will paste a copy of the HiJackThis scan; note I have the program renamed to locator.exe.

PS I tried to find info from MS about why SP2 doesn't come up in my system information but no luck. I don't know the difference between what is a hotfix and a regular fix. In the Add/Remove Programs section I see:
Windows XP Hotfix KB893803
Windows XP Hotfix SP2 [see Q329048 for more info]
Windows XP hotfix SP2 [see Q329115 for more info]
Windows XP hotfix SP2 [see Q329390 for more info]
Windows XP hotfix SP2 [see Q329834 for more info]

Here is HJT file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:41:13 PM, on 10/27/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\Locator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.worldnet.att.net
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://netscape.aol.com/"); (C:\Documents and Settings\OZZIE\Application Data\Mozilla\Profiles\default\usep8q5q.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\OZZIE\Application Data\Mozilla\Profiles\default\usep8q5q.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0EDAD203-C9CD-4DD1-9AC6-EA40F50B684A} - (no file)
O2 - BHO: CSMHelperObj Class - {0F660F64-F4C9-477F-8529-44181B717472} - C:\Program Files\AT&T\WnClient\Programs\CSMBHO.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\System32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - C:\Program Files\AT&T\WnClient\Programs\AnyWho.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.worldnet.att.net
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/10d382795368a9ba3923/netzip/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_activex/en-US/TSEasyInstallX.CAB
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 5327 bytes

Thanks for your help - owenisch

Rorschach112
2007-10-28, 22:46
Well your logs are looking good, you seem to be malware free. Just run HijackThis once more, do a system scan only, and check this entry

O2 - BHO: (no name) - {0EDAD203-C9CD-4DD1-9AC6-EA40F50B684A} - (no file)


Close all windows except for HijackThis and click "Fix checked".



As for your SP2 problem, I had a friend give me some tips on fixing that (it's not a malware problem so I had to get a techie's opinion).


Go to Start > Control Panel > Add or Remove Programs > Remove

Windows XP Hotfix KB893803
Windows XP Hotfix SP2 [see Q329048 for more info]
Windows XP hotfix SP2 [see Q329115 for more info]
Windows XP hotfix SP2 [see Q329390 for more info]
Windows XP hotfix SP2 [see Q329834 for more info]

And any other similar ones that have hotfix in it.


Then go here and download Service Pack 2
http://www.microsoft.com/windowsxp/sp2/default.mspx
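The entry Rorschach112 asks to fix above is an orphaned BHO: a CLSID still registered in the browser but whose DLL is gone, so HijackThis prints "(no file)". As an added example (not code from the thread or from HijackThis), this small parser pulls the CLSID-keyed lines out of an HJT log and lists the orphans; the sample lines are excerpted from the log posted earlier in the thread.

```python
import re

# Lines excerpted from the HijackThis log posted in this thread (sample input).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0EDAD203-C9CD-4DD1-9AC6-EA40F50B684A} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
"""

# Matches the HJT sections that are keyed by a CLSID (O2 BHOs, O3 toolbars,
# O9 extra buttons/menu items): section, kind, display name, CLSID, file target.
CLSID_LINE = re.compile(r"^(O\d+) - ([^:]+): (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")


def parse_entries(log_text):
    """Return (section, kind, name, clsid, target) tuples for CLSID-keyed lines."""
    entries = []
    for line in log_text.splitlines():
        match = CLSID_LINE.match(line.strip())
        if match:
            entries.append(match.groups())
    return entries


def orphan_entries(log_text):
    """Return the CLSID entries whose backing file is missing ('(no file)').

    These are leftovers of a removed add-on: harmless on their own, but they are
    what the helper asks to have cleaned up with 'Fix checked'.
    """
    return [e for e in parse_entries(log_text) if e[4].strip() == "(no file)"]


if __name__ == "__main__":
    for section, kind, name, clsid, _ in orphan_entries(SAMPLE_LOG):
        print(f"orphaned {section} {kind}: {name} {clsid} -> no file on disk")
```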

owenisch
2007-10-29, 16:48
Hello Rorschach,

Thank you for all your help - I really appreciate your expertise and patience.

I followed your instruction running the Hijack This and removed the (no file name) address reference. That seemed to work fine.

Thanks for checking on the SP2 hotfix update problem. Sounds too easy, as I didn't think those fixes were reversible or removable. I'll carry this out perhaps after setting up a system restore point.

The only problem I noted after the malware removal was if a program like a browser hung, perhaps from a website error or so, and I ended the program in Task Manager, it would ask if I wanted to report to MS. When I said yes it would seem to do the report and come up with another window asking if I wanted more information; saying yes to that, IE would open up and display some suggestion from MS, like upgrade to SP2 or something like that. Well, I've noticed now the IE window will open but the message back from MS is missing; my best guess is it's like MS is denied replying back through IE. This function used to operate OK. I can only assume maybe some permissions were changed with the virus removal operation. Have you run into something like this before?

Other than the above all is working well. Perhaps we are clear. I don't know much about who you are or where you're located but I sure do appreciate your assistance. It's truly kind of you to volunteer your time.

Thank you - owenisch

Rorschach112
2007-10-30, 07:16
Hello owenisch


Thanks for checking on the SP2 hotfix update problem. Sounds too easy, as I didn't think those fixes were reversible or removable. I'll carry this out perhaps after setting up a system restore point.
That should work hopefully, but maybe not. We can try another solution after if that fails. That sort of area isn't my forte, but I had a friend help me out, so if you wish to try fix it if the first attempt fails, then let me know. Setting up a system restore point before you start is a very good idea though.



I've noticed now the IE window will open but the message back from MS is missing; my best guess is it's like MS is denied replying back through IE. This function used to operate OK. I can only assume maybe some permissions were changed with the virus removal operation. Have you run into something like this before?
I haven't heard of this problem before, so it is tough to find out what may be responsible. Any restrictions that were changed by malware we have fixed, so I doubt that is responsible. It could be a problem with your version of Windows or the fact that they think you don't have SP2. I will ask a friend, but I don't imagine we will find a solution unfortunately.



Other than the above all is working well. Perhaps we are clear. I don't know much about who you are or where you're located but I sure do appreciate your assistance. It's truly kind of you to volunteer your time.
Good to hear your PC is working well. We are indeed clear! I'm from Dublin, Ireland, a good bit away, doing my best to try and stop damage done by malware and viruses.



Since this issue appears to be resolved, this topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.