View Full Version : Virtumonde & Security Toolbar 7.1
mpmtrash
2007-11-06, 22:00
Hi - I would really be grateful if you could help. Spybot showed my PC infected with Virtumonde and Virtumonde.generic
My pc is also infected with Security Toolbar 7.1 showing in the IE toolbar.
HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:46:19, on 06/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Wireless-G Portable USB Adapter Wireless Network Monitor\InfoMyCa.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Wireless-G Portable USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Wireless-G Portable USB Adapter Wireless Network Monitor\WUSB54GPv4.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Plantronics\PerSonoCall\PerSonoCall.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Allway Sync\bin\syncappw.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\PerSono\perstray.exe
C:\WINDOWS\system32\tehgpumq.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DK
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/news
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.co.uk/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O1 - Hosts: localhost 127.0.0.1
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\gezumuyp.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WUSB54GPv4] C:\Program Files\Wireless-G Portable USB Adapter Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [dc16a0a2] rundll32.exe "C:\WINDOWS\system32\ircptrvw.dll",b
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [PerSonoCall] "C:\Program Files\Plantronics\PerSonoCall\PerSonoCall.exe" -nosplash
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Iomega Automatic Backup] C:\Program Files\Iomega\Iomega Automatic Backup\iBackup.exe
O4 - HKCU\..\Run: [Allway Sync] "C:\Program Files\Allway Sync\bin\syncappw.exe" -m
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Perstray.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} (TraderMediaImgX Control) - http://sell.autotrader.co.uk/uk-ola/common/TraderMediaX.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173455364734
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\tehgpumq.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: IomegaAccess - Unknown owner - C:\WINDOWS\System32\iomegaaccess.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: WUSB54GPv4SVC - GEMTEKS - C:\Program Files\Wireless-G Portable USB Adapter Wireless Network Monitor\WLService.exe
--
End of file - 11249 bytes
mpmtrash
2007-11-06, 22:01
Kaspersky Log:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, November 06, 2007 7:14:56 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 6/11/2007
Kaspersky Anti-Virus database records: 452453
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
F:\
G:\
H:\
I:\
Scan Statistics:
Total number of scanned objects: 63702
Number of viruses found: 2
Number of infected objects: 2
Number of suspicious objects: 0
Duration of the scan process: 01:31:39
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-11062007-131841.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-11-06_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Shared\QBackup\index.qbs Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\2B7572B3.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\67F53742.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SubEng\submissions.idx Object is locked skipped
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp Object is locked skipped
C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\M M\Application Data\Skype\themillershomeskype\call256.dbb Object is locked skipped
C:\Documents and Settings\M M\Application Data\Skype\themillershomeskype\callmember256.dbb Object is locked skipped
C:\Documents and Settings\M M\Application Data\Skype\themillershomeskype\chat1024.dbb Object is locked skipped
C:\Documents and Settings\M M\Application Data\Skype\themillershomeskype\chat512.dbb Object is locked skipped
C:\Documents and Settings\M M\Application Data\Skype\themillershomeskype\chatmember256.dbb Object is locked skipped
C:\Documents and Settings\M M\Application Data\Skype\themillershomeskype\chatmsg256.dbb Object is locked skipped
C:\Documents and Settings\M M\Application Data\Skype\themillershomeskype\chatmsg512.dbb Object is locked skipped
C:\Documents and Settings\M M\Application Data\Skype\themillershomeskype\contactgroup256.dbb Object is locked skipped
C:\Documents and Settings\M M\Application Data\Skype\themillershomeskype\dyncontent\bundle.dat Object is locked skipped
C:\Documents and Settings\M M\Application Data\Skype\themillershomeskype\index2.dat Object is locked skipped
C:\Documents and Settings\M M\Application Data\Skype\themillershomeskype\profile16384.dbb Object is locked skipped
C:\Documents and Settings\M M\Application Data\Skype\themillershomeskype\transfer256.dbb Object is locked skipped
C:\Documents and Settings\M M\Application Data\Skype\themillershomeskype\transfer512.dbb Object is locked skipped
C:\Documents and Settings\M M\Application Data\Skype\themillershomeskype\user1024.dbb Object is locked skipped
C:\Documents and Settings\M M\Application Data\Skype\themillershomeskype\user256.dbb Object is locked skipped
C:\Documents and Settings\M M\Application Data\Skype\themillershomeskype\user4096.dbb Object is locked skipped
C:\Documents and Settings\M M\Application Data\Skype\themillershomeskype\voicemail256.dbb Object is locked skipped
C:\Documents and Settings\M M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\d.class-4addf044-2335b875.class Infected: Exploit.Java.Gimsh.a skipped
C:\Documents and Settings\M M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-341220f7-5f003ed8.class Infected: Trojan-Downloader.Java.OpenStream.y skipped
C:\Documents and Settings\M M\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\M M\Local Settings\Application Data\BVRP Software\NetWaiting\MoHlog.txt Object is locked skipped
C:\Documents and Settings\M M\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\M M\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
C:\Documents and Settings\M M\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\M M\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\M M\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{B2F02927-80EF-4356-A5C2-FB060807E27E} Object is locked skipped
C:\Documents and Settings\M M\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\M M\Local Settings\History\History.IE5\MSHist012007110620071107\index.dat Object is locked skipped
C:\Documents and Settings\M M\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\M M\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\M M\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{765B5B96-87D4-4354-BEBA-A8BEBD08C341}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
Hello and welcome to the forums
My name is Katana and I will be helping you to remove any infection(s) that you may have.
Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)
If you can do those three things, everything should go smoothly :D
Rename HJT
Please open your Hijack This folder (C:\Program Files\Trend Micro\HijackThis)
Right click on Hijackthis.exe
Select Rename
Rename Hijack This to showme.exe
Double click showme
Click on the Do a system scan and save a log file button.
VundoFix
Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
New HJT (showme) log
VundoFix log
mpmtrash
2007-11-07, 17:38
Hi Katana - I think one problem is solved but there may be another:
1. Security Toolbar has disappeared fom IE:eek:
2. However - I have a Windows Defender Warning showing a High risk called "BrowserModifier:Win32/Fotomoto
3. My IE homepage has changed
Any thoughts?
Many thanks
Martin
My two logs:
showme log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:20:48, on 07/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\tehgpumq.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Wireless-G Portable USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Wireless-G Portable USB Adapter Wireless Network Monitor\WUSB54GPv4.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Wireless-G Portable USB Adapter Wireless Network Monitor\InfoMyCa.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Plantronics\PerSonoCall\PerSonoCall.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Allway Sync\bin\syncappw.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\PerSono\perstray.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Trend Micro\HijackThis\showme.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DK
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.bbc.co.uk/news
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.co.uk/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: (no name) - {05F845E2-1102-4394-B234-28492F3BE487} - C:\WINDOWS\system32\gebcc.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: {54e0ddc3-53c4-d1f9-4ca4-dd853f7e4e45} - {54e4e7f3-58dd-4ac4-9f1d-4c353cdd0e45} - C:\WINDOWS\system32\crojijtv.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\gezumuyp.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\gezumuyp.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WUSB54GPv4] C:\Program Files\Wireless-G Portable USB Adapter Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [dc16a0a2] rundll32.exe "C:\WINDOWS\system32\xraelcmc.dll",b
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [PerSonoCall] "C:\Program Files\Plantronics\PerSonoCall\PerSonoCall.exe" -nosplash
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Iomega Automatic Backup] C:\Program Files\Iomega\Iomega Automatic Backup\iBackup.exe
O4 - HKCU\..\Run: [Allway Sync] "C:\Program Files\Allway Sync\bin\syncappw.exe" -m
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Perstray.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} (TraderMediaImgX Control) - http://sell.autotrader.co.uk/uk-ola/common/TraderMediaX.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173455364734
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: gezumuyp - C:\WINDOWS\SYSTEM32\gezumuyp.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\tehgpumq.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: IomegaAccess - Unknown owner - C:\WINDOWS\System32\iomegaaccess.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: WUSB54GPv4SVC - GEMTEKS - C:\Program Files\Wireless-G Portable USB Adapter Wireless Network Monitor\WLService.exe
--
End of file - 12370 bytes
mpmtrash
2007-11-07, 17:40
vundofix log:
VundoFix V6.5.11
Checking Java version...
Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.
Scan started at 12:54:43 06/11/2007
Listing files found while scanning....
No infected files were found.
VundoFix V6.5.11
Checking Java version...
Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.
Scan started at 15:15:05 06/11/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
VundoFix V6.5.11
Checking Java version...
Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.
Scan started at 16:25:51 07/11/2007
Listing files found while scanning....
C:\WINDOWS\system32\gezumuyp.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\gezumuyp.dll
C:\WINDOWS\system32\gezumuyp.dll Has been deleted!
Performing Repairs to the registry.
Done!
mpmtrash
2007-11-07, 17:46
p.s. - I am still getting pop ups by the way... boo hoo hooo.... hope toi hear from you soon!
Different vundo files give different popups, we have removed one so another is now active :mad:
Fear not, we shall be victorious
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6u3
http://java.sun.com/javase/downloads/index.jsp
Scroll down to where it says "The Java Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check for any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.
Download and Run ComboFix
Download Combofix from one of the two links below :
Download 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Download 2 (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe)
Then double click combofix.exe & follow the prompts.
When finished, it will produce a log for you. Post that log in your next reply
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
ComboFix SHOULD NOT be used without supervision
mpmtrash
2007-11-08, 15:20
Hi There,
Have done as instructed and the log is below. I seem to have Security Toolbar 7.1 back??!!! Anyhow - I have removed instance of Java and installed new as instructed. here is the log as requested. Many thanks:
ComboFix 07-11-08.1 - M M 2007-11-08 14:04:24.1 - NTFSx86
Running from: C:\Documents and Settings\M M\Local Settings\Temporary Internet Files\Content.IE5\7RJKLNFD\ComboFix[1].exe
* Created a new restore point
.
Unable to gain System Privileges
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\M M\Desktop\Live Safety Center.lnk
C:\Documents and Settings\M M\Desktop\Online Security Guide.lnk
C:\Documents and Settings\M M\Favorites\Online Security Guide.lnk
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\ccbeg.bak1
C:\WINDOWS\system32\ccbeg.bak2
C:\WINDOWS\system32\ccbeg.ini
C:\WINDOWS\system32\ccbeg.ini2
C:\WINDOWS\system32\ccbeg.tmp
C:\WINDOWS\system32\fcxsiidn.dll
C:\WINDOWS\system32\fircrlts.dll
C:\WINDOWS\system32\gebcc.dll
C:\WINDOWS\system32\gezumuyp.dllbox
C:\WINDOWS\system32\gkuavihn.dll
C:\WINDOWS\system32\jrvqvubl.dll
C:\WINDOWS\system32\npxcatdw.dll
C:\WINDOWS\system32\rpairwbj.dll
C:\WINDOWS\system32\sxlqxgxh.dll
.
((((((((((((((((((((((((( Files Created from 2007-10-08 to 2007-11-08 )))))))))))))))))))))))))))))))
.
2007-11-08 14:05 145,984 --a------ C:\WINDOWS\system32\krojdzrd.dll
2007-11-08 14:05 86,080 --a------ C:\WINDOWS\system32\ncbvhrod.dll
2007-11-08 14:04 145,984 --a------ C:\WINDOWS\system32\jvkdeahf.dll
2007-11-08 14:03 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-08 14:00 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-08 13:50 80,448 --a------ C:\WINDOWS\system32\gmxodppi.dll
2007-11-07 20:26 79,936 --a------ C:\WINDOWS\system32\mgfctpfm.dll
2007-11-07 19:57 79,936 --a------ C:\WINDOWS\system32\wrvwyscd.dll
2007-11-07 16:35 79,936 --a------ C:\WINDOWS\system32\wumgejgh.dll
2007-11-07 16:22 79,936 --a------ C:\WINDOWS\system32\grqdaupu.dll
2007-11-07 07:19 79,936 --a------ C:\WINDOWS\system32\crojijtv.dll
2007-11-06 20:53 81,472 --a------ C:\WINDOWS\system32\xqsymlym.dll
2007-11-06 17:24 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-06 17:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-06 17:20 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-06 16:42 81,472 --a------ C:\WINDOWS\system32\mayganqo.dll
2007-11-06 16:36 145,984 --a------ C:\WINDOWS\system32\cfuynabb.dll
2007-11-06 14:00 <DIR> d-------- C:\WINDOWS\pss
2007-11-06 13:18 <DIR> d-------- C:\Program Files\Windows Defender
2007-11-06 13:18 81,472 --a------ C:\WINDOWS\system32\ncffjtrb.dll
2007-11-06 13:05 87,104 --a------ C:\WINDOWS\system32\rmmcaaxd.dll
2007-11-06 13:05 81,472 --a------ C:\WINDOWS\system32\imirhcsj.dll
2007-11-06 12:54 <DIR> d-------- C:\VundoFix Backups
2007-11-06 09:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-06 08:14 81,472 --a------ C:\WINDOWS\system32\ajksscgj.dll
2007-11-05 21:20 83,008 --a------ C:\WINDOWS\system32\uejqrqhq.dll
2007-11-05 09:11 36,352 --a------ C:\WINDOWS\system32\rqrpqqp.dll.vir
2007-10-30 19:55 625,032 --a------ C:\WINDOWS\system32\SymNeti.dll
2007-10-30 19:55 242,056 --a------ C:\WINDOWS\system32\SymRedir.dll
2007-10-30 19:55 191,536 --a------ C:\WINDOWS\system32\drivers\symtdi.sys
2007-10-30 19:55 145,968 --a------ C:\WINDOWS\system32\drivers\symfw.sys
2007-10-30 19:55 39,856 --a------ C:\WINDOWS\system32\drivers\symids.sys
2007-10-30 19:55 37,936 --a------ C:\WINDOWS\system32\drivers\symndisv.sys
2007-10-30 19:55 35,120 --a------ C:\WINDOWS\system32\drivers\symndis.sys
2007-10-30 19:55 27,696 --a------ C:\WINDOWS\system32\drivers\symredrv.sys
2007-10-30 19:55 12,848 --a------ C:\WINDOWS\system32\drivers\symdns.sys
2007-10-14 06:33 582,656 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-08 14:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-08 14:01 --------- d-----w C:\Program Files\Java
2007-11-08 13:59 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-08 13:59 --------- d-----w C:\Documents and Settings\M M\Application Data\Skype
2007-10-30 19:24 12,963 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2007-10-30 19:24 1,358 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2007-10-04 07:33 --------- d-----w C:\Program Files\Norton Internet Security
2007-10-04 05:27 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-04 05:27 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-04 05:27 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-04 05:27 --------- d-----w C:\Program Files\Symantec
2007-09-18 13:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-09-18 13:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-09-18 13:44 10,658 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-09-18 13:44 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-09-18 13:44 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-09-18 13:44 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-09-18 13:43 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-09-18 13:43 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-09-18 13:43 278,576 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-08 14:05 145984 --a------ C:\WINDOWS\system32\krojdzrd.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d37627d2-4ca3-4f2f-9d21-e40a640dc3b5}]
2007-11-08 13:50 80448 --a------ C:\WINDOWS\system32\gmxodppi.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\krojdzrd.dll [2007-11-08 14:05 145984]
[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 23:20 C:\WINDOWS\stsystra.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 20:05]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 15:19]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 00:02]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 00:05]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 15:50]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 15:50]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-18 11:58]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-11-03 20:59]
"SpeedTouch USB Diagnostics"="C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" [2002-06-06 11:15]
"WUSB54GPv4"="C:\Program Files\Wireless-G Portable USB Adapter Wireless Network Monitor\InvokeSvc3.exe" [2004-04-19 08:19]
"LogitechGalleryRepair"="C:\Program Files\Logitech\ImageStudio\ISStart.exe" []
"LogitechImageStudioTray"="C:\Program Files\Logitech\ImageStudio\LogiTray.exe" []
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 17:32]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2005-06-08 15:24]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 15:14]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-06 01:22]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"dc16a0a2"="C:\WINDOWS\system32\ncbvhrod.dll" [2007-11-08 14:05]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 01:24]
"Window Washer"="C:\Program Files\Webroot\Washer\wwDisp.exe" [2004-10-12 22:19]
"PerSonoCall"="C:\Program Files\Plantronics\PerSonoCall\PerSonoCall.exe" [2004-12-09 11:03]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-08-17 02:45]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-06-08 14:44]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]
"Iomega Automatic Backup"="C:\Program Files\Iomega\Iomega Automatic Backup\iBackup.exe" []
"Allway Sync"="C:\Program Files\Allway Sync\bin\syncappw.exe" [2007-01-25 14:36]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 03:44:06]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-10-25 10:04:45]
Perstray.lnk - C:\Program Files\PerSono\perstray.exe [2006-12-09 14:07:54]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\krojdzrd]
krojdzrd.dll 2007-11-08 14:05 145984 C:\WINDOWS\system32\krojdzrd.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\gebcc.dll
R0 IABFilt;Iomega Snapshot Volume Filter;C:\WINDOWS\system32\DRIVERS\IABFilt.sys
R2 uacFlt;Plantronics USB Audio Adapter EQ Filter Driver;C:\WINDOWS\system32\DRIVERS\uacflt.sys
R2 windrvNT;windrvNT;\??\C:\WINDOWS\system32\windrvNT.sys
R2 WUSB54GPv4SVC;WUSB54GPv4SVC;"C:\Program Files\Wireless-G Portable USB Adapter Wireless Network Monitor\WLService.exe" "WUSB54GPv4.exe"
S3 AX88772;ASIX AX88772 USB2.0 to Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\ax88772.sys
S3 PhilCam8116;Logitech QuickCam Pro 3000(PID_08B0);C:\WINDOWS\system32\DRIVERS\CamDrL21.sys
S3 WUSB54GPV4SRV;Wireless-G Portable USB Adapter Driver;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys
*Newly Created Service* - COMHOST
*Newly Created Service* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder
"2007-11-08 14:01:41 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-09-21 20:19:31 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - M M.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe
"2007-11-08 14:08:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-08 14:11:37
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-08 14:13:13 - machine was rebooted
.
--- E O F ---
You are running ComboFix from Temporary Internet Files
Please either move it to your desktop, or download a fresh copy to your desktop
Custom CFScript
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
File::
C:\WINDOWS\system32\krojdzrd.dll
C:\WINDOWS\system32\ncbvhrod.dll
C:\WINDOWS\system32\jvkdeahf.dll
C:\WINDOWS\system32\gmxodppi.dll
C:\WINDOWS\system32\mgfctpfm.dll
C:\WINDOWS\system32\wrvwyscd.dll
C:\WINDOWS\system32\wumgejgh.dll
C:\WINDOWS\system32\grqdaupu.dll
C:\WINDOWS\system32\crojijtv.dll
C:\WINDOWS\system32\xqsymlym.dll
C:\WINDOWS\system32\mayganqo.dll
C:\WINDOWS\system32\cfuynabb.dll
C:\WINDOWS\system32\ncffjtrb.dll
C:\WINDOWS\system32\rmmcaaxd.dll
C:\WINDOWS\system32\imirhcsj.dll
C:\WINDOWS\system32\ajksscgj.dll
C:\WINDOWS\system32\uejqrqhq.dll
C:\WINDOWS\system32\rqrpqqp.dll.vir
C:\WINDOWS\system32\gebcc.dll
Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d37627d2-4ca3-4f2f-9d21-e40a640dc3b5}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
[-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dc16a0a2"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\krojdzrd]
Save this as CFScript.txt and place it on your desktop.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Kaspersky Online Scanner .
Go Here http://www.kaspersky.com/virusscanner
Read the Requirements and limitations before you click Accept.
Allow the ActiveX download if necessary
Once the database has downloaded, click Next.
Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
Click on "My Computer" and then put the kettle on!
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Please post the report in your reply along with the new ComboFix log.
mpmtrash
2007-11-08, 20:36
Hi - Have done it with a couplke of problems on the way (couldnt get into IE without actioning a "Norton Phishing Filter" malware option box and it took 3 attempts to get the Kaspersky definitions to dowload but here are the results (Security toolbar 7.1 has gone again):
CF Script Report
ComboFix 07-11-08.1 - M M 2007-11-08 16:42:57.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.439 [GMT 0:00]
Running from: C:\Documents and Settings\M M\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\M M\Desktop\CFScript.txt
* Created a new restore point
FILE
C:\WINDOWS\system32\ajksscgj.dll
C:\WINDOWS\system32\cfuynabb.dll
C:\WINDOWS\system32\crojijtv.dll
C:\WINDOWS\system32\gebcc.dll
C:\WINDOWS\system32\gmxodppi.dll
C:\WINDOWS\system32\grqdaupu.dll
C:\WINDOWS\system32\imirhcsj.dll
C:\WINDOWS\system32\jvkdeahf.dll
C:\WINDOWS\system32\krojdzrd.dll
C:\WINDOWS\system32\mayganqo.dll
C:\WINDOWS\system32\mgfctpfm.dll
C:\WINDOWS\system32\ncbvhrod.dll
C:\WINDOWS\system32\ncffjtrb.dll
C:\WINDOWS\system32\rmmcaaxd.dll
C:\WINDOWS\system32\rqrpqqp.dll.vir
C:\WINDOWS\system32\uejqrqhq.dll
C:\WINDOWS\system32\wrvwyscd.dll
C:\WINDOWS\system32\wumgejgh.dll
C:\WINDOWS\system32\xqsymlym.dll
.
Unable to gain System Privileges
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\M M\Desktop\Live Safety Center.lnk
C:\Documents and Settings\M M\Desktop\Online Security Guide.lnk
C:\Documents and Settings\M M\Favorites\Online Security Guide.lnk
C:\WINDOWS\system32\ajksscgj.dll
C:\WINDOWS\system32\cfuynabb.dll
C:\WINDOWS\system32\crojijtv.dll
C:\WINDOWS\system32\gmxodppi.dll
C:\WINDOWS\system32\grqdaupu.dll
C:\WINDOWS\system32\imirhcsj.dll
C:\WINDOWS\system32\jvkdeahf.dll
C:\WINDOWS\system32\krojdzrd.dll
C:\WINDOWS\system32\krojdzrd.dllbox
C:\WINDOWS\system32\mayganqo.dll
C:\WINDOWS\system32\mgfctpfm.dll
C:\WINDOWS\system32\ncbvhrod.dll
C:\WINDOWS\system32\ncffjtrb.dll
C:\WINDOWS\system32\rmmcaaxd.dll
C:\WINDOWS\system32\rqrpqqp.dll.vir
C:\WINDOWS\system32\uejqrqhq.dll
C:\WINDOWS\system32\wrvwyscd.dll
C:\WINDOWS\system32\wumgejgh.dll
C:\WINDOWS\system32\xqsymlym.dll
.
((((((((((((((((((((((((( Files Created from 2007-10-08 to 2007-11-08 )))))))))))))))))))))))))))))))
.
2007-11-08 14:03 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-08 14:00 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-06 17:24 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-06 17:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-06 17:20 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-06 14:00 <DIR> d-------- C:\WINDOWS\pss
2007-11-06 13:18 <DIR> d-------- C:\Program Files\Windows Defender
2007-11-06 12:54 <DIR> d-------- C:\VundoFix Backups
2007-11-06 09:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-30 19:55 625,032 --a------ C:\WINDOWS\system32\SymNeti.dll
2007-10-30 19:55 242,056 --a------ C:\WINDOWS\system32\SymRedir.dll
2007-10-30 19:55 191,536 --a------ C:\WINDOWS\system32\drivers\symtdi.sys
2007-10-30 19:55 145,968 --a------ C:\WINDOWS\system32\drivers\symfw.sys
2007-10-30 19:55 39,856 --a------ C:\WINDOWS\system32\drivers\symids.sys
2007-10-30 19:55 37,936 --a------ C:\WINDOWS\system32\drivers\symndisv.sys
2007-10-30 19:55 35,120 --a------ C:\WINDOWS\system32\drivers\symndis.sys
2007-10-30 19:55 27,696 --a------ C:\WINDOWS\system32\drivers\symredrv.sys
2007-10-30 19:55 12,848 --a------ C:\WINDOWS\system32\drivers\symdns.sys
2007-10-14 06:33 582,656 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-08 16:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-08 16:31 --------- d-----w C:\Documents and Settings\M M\Application Data\Skype
2007-11-08 14:17 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-08 14:01 --------- d-----w C:\Program Files\Java
2007-10-30 19:24 12,963 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2007-10-30 19:24 1,358 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2007-10-04 07:33 --------- d-----w C:\Program Files\Norton Internet Security
2007-10-04 05:27 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-04 05:27 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-04 05:27 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-04 05:27 --------- d-----w C:\Program Files\Symantec
2007-09-18 13:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-09-18 13:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-09-18 13:44 10,658 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-09-18 13:44 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-09-18 13:44 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-09-18 13:44 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-09-18 13:43 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-09-18 13:43 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-09-18 13:43 278,576 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 23:20 C:\WINDOWS\stsystra.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 20:05]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 15:19]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 00:02]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 00:05]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 15:50]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 15:50]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-18 11:58]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-11-03 20:59]
"SpeedTouch USB Diagnostics"="C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" [2002-06-06 11:15]
"WUSB54GPv4"="C:\Program Files\Wireless-G Portable USB Adapter Wireless Network Monitor\InvokeSvc3.exe" [2004-04-19 08:19]
"LogitechGalleryRepair"="C:\Program Files\Logitech\ImageStudio\ISStart.exe" []
"LogitechImageStudioTray"="C:\Program Files\Logitech\ImageStudio\LogiTray.exe" []
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 17:32]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2005-06-08 15:24]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 15:14]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-06 01:22]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 01:24]
"Window Washer"="C:\Program Files\Webroot\Washer\wwDisp.exe" [2004-10-12 22:19]
"PerSonoCall"="C:\Program Files\Plantronics\PerSonoCall\PerSonoCall.exe" [2004-12-09 11:03]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-08-17 02:45]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-06-08 14:44]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]
"Iomega Automatic Backup"="C:\Program Files\Iomega\Iomega Automatic Backup\iBackup.exe" []
"Allway Sync"="C:\Program Files\Allway Sync\bin\syncappw.exe" [2007-01-25 14:36]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 03:44:06]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-10-25 10:04:45]
Perstray.lnk - C:\Program Files\PerSono\perstray.exe [2006-12-09 14:07:54]
R0 IABFilt;Iomega Snapshot Volume Filter;C:\WINDOWS\system32\DRIVERS\IABFilt.sys
R2 uacFlt;Plantronics USB Audio Adapter EQ Filter Driver;C:\WINDOWS\system32\DRIVERS\uacflt.sys
R2 windrvNT;windrvNT;\??\C:\WINDOWS\system32\windrvNT.sys
R2 WUSB54GPv4SVC;WUSB54GPv4SVC;"C:\Program Files\Wireless-G Portable USB Adapter Wireless Network Monitor\WLService.exe" "WUSB54GPv4.exe"
R3 AX88772;ASIX AX88772 USB2.0 to Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\ax88772.sys
S3 PhilCam8116;Logitech QuickCam Pro 3000(PID_08B0);C:\WINDOWS\system32\DRIVERS\CamDrL21.sys
S3 WUSB54GPV4SRV;Wireless-G Portable USB Adapter Driver;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys
*Newly Created Service* - COMHOST
*Newly Created Service* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder
"2007-11-08 16:32:24 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-09-21 20:19:31 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - M M.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe
"2007-11-08 16:43:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-08 17:00:08
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-08 17:01:25 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-08 14:13
.
--- E O F ---
mpmtrash
2007-11-08, 20:37
Kaspersky report:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, November 08, 2007 7:30:31 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 8/11/2007
Kaspersky Anti-Virus database records: 454863
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
F:\
G:\
H:\
I:\
Scan Statistics:
Total number of scanned objects: 63048
Number of viruses found: 2
Number of infected objects: 2
Number of suspicious objects: 0
Duration of the scan process: 01:18:41
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-11062007-131841.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-11-08_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Shared\QBackup\index.qbs Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\9DCFC97A.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SubEng\submissions.idx Object is locked skipped
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp Object is locked skipped
C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\M M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\d.class-4addf044-2335b875.class Infected: Exploit.Java.Gimsh.a skipped
C:\Documents and Settings\M M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-341220f7-5f003ed8.class Infected: Trojan-Downloader.Java.OpenStream.y skipped
C:\Documents and Settings\M M\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\M M\Local Settings\Application Data\BVRP Software\NetWaiting\MoHlog.txt Object is locked skipped
C:\Documents and Settings\M M\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\M M\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
C:\Documents and Settings\M M\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\M M\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\M M\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{077418BD-162E-4423-9AF6-71CA520348F5} Object is locked skipped
C:\Documents and Settings\M M\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\M M\Local Settings\History\History.IE5\MSHist012007110820071109\index.dat Object is locked skipped
C:\Documents and Settings\M M\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\M M\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\M M\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\M M\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\M M\UserData\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP292\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
That is looking a lot better :)
How are things running now ?
Download AVG Anti-Spyware
Please download AVG Anti-Spyware (http://www.ewido.net/en/download/). to your Desktop or to your usual Download Folder.
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update succesfull message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
Run AVG Anti-Spyware
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Do not automatically generate reports
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Please post the AVG log along with a fresh HJT log in your reply.
mpmtrash
2007-11-08, 23:45
Hi - have done as requested. PC running much better now and ads have disappeared. One problem remains: When I open internet explorer I get fake Norton Internet Security messages eg about phishing which I have to click the "x" to close and then be able to access this or any other website.
Here are my logs:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 22:17:31 08/11/2007
+ Scan result:
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll -> Adware.Minibug : Cleaned with backup (quarantined).
C:\Documents and Settings\M M\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\d.class-4addf044-2335b875.class -> Not-A-Virus.Exploit.Java.Gimsh.a : Cleaned with backup (quarantined).
C:\Documents and Settings\M M\Cookies\m_m@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\M M\Cookies\m_m@ssl-hints.netflame[2].txt -> TrackingCookie.Netflame : Cleaned.
::Report end
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:19:54, on 08/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Wireless-G Portable USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Wireless-G Portable USB Adapter Wireless Network Monitor\WUSB54GPv4.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Wireless-G Portable USB Adapter Wireless Network Monitor\InfoMyCa.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Plantronics\PerSonoCall\PerSonoCall.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Allway Sync\bin\syncappw.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\PerSono\perstray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Trend Micro\HijackThis\showme.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DK
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/news
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.co.uk/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WUSB54GPv4] C:\Program Files\Wireless-G Portable USB Adapter Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [PerSonoCall] "C:\Program Files\Plantronics\PerSonoCall\PerSonoCall.exe" -nosplash
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Iomega Automatic Backup] C:\Program Files\Iomega\Iomega Automatic Backup\iBackup.exe
O4 - HKCU\..\Run: [Allway Sync] "C:\Program Files\Allway Sync\bin\syncappw.exe" -m
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Perstray.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} (TraderMediaImgX Control) - http://sell.autotrader.co.uk/uk-ola/common/TraderMediaX.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173455364734
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: IomegaAccess - Unknown owner - C:\WINDOWS\System32\iomegaaccess.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: WUSB54GPv4SVC - GEMTEKS - C:\Program Files\Wireless-G Portable USB Adapter Wireless Network Monitor\WLService.exe
--
End of file - 11511 bytes
One problem remains: When I open internet explorer I get fake Norton Internet Security messages eg about phishing which I have to click the "x" to close and then be able to access this or any other website.
What makes you think they are fake ?
You have Symantec/Norton installed on your machine
Fix With HJT
Close all other windows and then start HiJack This
Click Do A System Scan Only
When it has finished scanning put a check next to the following lines
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Perstray.lnk = ?
- Close ALL open windows (especially Internet Explorer!)-
Now click Fix checked
Click yes to any prompts
Close HijackThis
mpmtrash
2007-11-09, 07:36
Hi,
I assumed all pop up messages were fake until we got my machine clean - very cautious I guess!!!:red:
The Norton message asked if I wanted to make Norton my default Phishing protection application. I clicked yes and this message seems to have gone permanently now.
Thanks for all your help - my machine appears normal now:present:
Am I clean now? Is there anything I should use to protect myself in the future? eg eggtimer?
Many thanks
Martin
I assumed all pop up messages were fake until we got my machine clean - very cautious I guess!!!:red:
Cautious -- maybe. .Wise ----Definitely :)
Can I have a last HJT please for one final look.
K'
mpmtrash
2007-11-09, 11:09
Hi - Here is the HJT log...Look ok?
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:06:49, on 09/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Wireless-G Portable USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Wireless-G Portable USB Adapter Wireless Network Monitor\WUSB54GPv4.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Wireless-G Portable USB Adapter Wireless Network Monitor\InfoMyCa.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Plantronics\PerSonoCall\PerSonoCall.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Allway Sync\bin\syncappw.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\showme.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DK
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/news
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.co.uk/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WUSB54GPv4] C:\Program Files\Wireless-G Portable USB Adapter Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [PerSonoCall] "C:\Program Files\Plantronics\PerSonoCall\PerSonoCall.exe" -nosplash
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Iomega Automatic Backup] C:\Program Files\Iomega\Iomega Automatic Backup\iBackup.exe
O4 - HKCU\..\Run: [Allway Sync] "C:\Program Files\Allway Sync\bin\syncappw.exe" -m
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} (TraderMediaImgX Control) - http://sell.autotrader.co.uk/uk-ola/common/TraderMediaX.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173455364734
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: IomegaAccess - Unknown owner - C:\WINDOWS\System32\iomegaaccess.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: WUSB54GPv4SVC - GEMTEKS - C:\Program Files\Wireless-G Portable USB Adapter Wireless Network Monitor\WLService.exe
--
End of file - 11403 bytes
The only other item that gives me pause is mysearch.myway.
For some reason Dell decide to install this as default on their machines.
You are running MyWebSearch (or MyBar). Although not technically malware, it is thought to be bad by many experts and it will bring malware with it. There are safer alternatives available such as the Google toolbar (http://toolbar.google.com/T4/). My Web Search also known as the My Way Speedbar is the Internet Explorer toolbar part of the Fun Web Products suite of utilities such as Smiley Central, Cursor Mania, My Mail Stationary, My Mail Signature, PopSwatter, Popular Screensavers, and the My Way website portal. The toolbar allows easy access to search engine results and a 404 Error Redirector called My Total Search among other things to your browser. This is not to be confused with the IBIS Web Search toolbar. MyWay is a search toolbar that installs into Internet Explorer and Netscape Navigator, adding search functions and popup blocking. It reports your surfing activity anonymously to MyWay affiliates, helping them to serve targeted advertising to you. As a BHO, MyWay shares the memory that your browser uses, detects events, creates additional windows while you are surfing, and monitors your activity. When a new browser window is opened, MyWay will send a configuration request about 5k in size.
Although none of these products claim to be spyware, they do slow your computer down. All of the products use cookies to track usage, although they claim not to use cookies or anything else to track personally identifiable information. That being said, I would still recommend uninstalling the toolbar and other Fun Web Products if you feel your computer runs better without them. They are found by most spyware removal tools such as Spybot Search and Destroy, Lavasoft Ad-Aware, although they are deemed spyware safe by Aluria Software who created a Spyware SAFE Certification.
If you are not bothered then you can leave it,
If you want it removed I can give instructions to do so.
mpmtrash
2007-11-09, 16:15
Hi - Yes I would really appreciate help in removing this from my PC. I gont use the google toolbar either - would it be safer to remove this too?
Regards
Martin
Google is safe enough, but if you don't use it you may as well ditch it :)
It should be listed in Add/Remove Programs
Now then, myway may be a little complex so if you are unsure just yell out :)
Go to this site http://www.billsway.com/vbspage/ and scroll down (the download programs are listed in alphabetical order) to:
Registry Search Tool
Download, unzip and run RegSrch.vbs
Copy and paste this character string into the dialog box: My Way
After a while a prompt will come up. Click OK to write the results to notepad.
Paste the contents back here
mpmtrash
2007-11-10, 07:22
Hi,
Did the registry search for My Way but the result was no instances found.
Also went to add/remove programs but could not see google in the program list??!
Any toughts?
Thanks
Any thoughts?
Yes --- Very curious :)
Try LocalPackage as the search term
mpmtrash
2007-11-10, 22:42
Found myway - I has a space in it before.... here is the log:
REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "myway" 10/11/2007 21:40:51
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4D25F921-B9FE-4682-BF72-8AB8210D6D75}\InprocServer32]
@="C:\\Program Files\\MyWaySA\\SrchAsDe\\deSrcAs.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4D25F924-B9FE-4682-BF72-8AB8210D6D75}]
@="MyWay Search Assistant"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4D25F924-B9FE-4682-BF72-8AB8210D6D75}\InprocServer32]
@="C:\\Program Files\\MyWaySA\\SrchAsDe\\deSrcAs.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4D25F924-B9FE-4682-BF72-8AB8210D6D75}\ProgID]
@="MyWaySearchAssistantDE.Auxiliary.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4D25F924-B9FE-4682-BF72-8AB8210D6D75}\VersionIndependentProgID]
@="MyWaySearchAssistantDE.Auxiliary"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4D25F926-B9FE-4682-BF72-8AB8210D6D75}\InprocServer32]
@="C:\\Program Files\\MyWaySA\\SrchAsDe\\deSrcAs.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\8829557EB322C354F96043E0B32EE193]
"ProductName"="MyWay Search Assistant"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MyWaySearchAssistantDE.Auxiliary]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MyWaySearchAssistantDE.Auxiliary\CLSID]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MyWaySearchAssistantDE.Auxiliary\CurVer]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MyWaySearchAssistantDE.Auxiliary\CurVer]
@="MyWaySearchAssistantDE.Auxiliary.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MyWaySearchAssistantDE.Auxiliary.1]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MyWaySearchAssistantDE.Auxiliary.1\CLSID]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4D25F920-B9FE-4682-BF72-8AB8210D6D75}\1.0\0\win32]
@="C:\\Program Files\\MyWaySA\\SrchAsDe\\deSrcAs.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4D25F920-B9FE-4682-BF72-8AB8210D6D75}\1.0\HELPDIR]
@="C:\\Program Files\\MyWaySA\\SrchAsDe\\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\\Program Files\\MyWaySA\\SrchAsDe\\"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\\Program Files\\MyWaySA\\"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\97E4605D8365B904E94A77F1E1BC2AF8]
"8829557EB322C354F96043E0B32EE193"="C:\\Program Files\\MyWaySA\\SrchAsDe\\deSrcAs.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8829557EB322C354F96043E0B32EE193\InstallProperties]
"Publisher"="MyWay"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8829557EB322C354F96043E0B32EE193\InstallProperties]
"URLInfoAbout"="http://info.myway.com/index/id/terms.html"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8829557EB322C354F96043E0B32EE193\InstallProperties]
"DisplayName"="MyWay Search Assistant"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E7559288-223B-453C-9F06-340E3BE21E39}]
"Publisher"="MyWay"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E7559288-223B-453C-9F06-340E3BE21E39}]
"URLInfoAbout"="http://info.myway.com/index/id/terms.html"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E7559288-223B-453C-9F06-340E3BE21E39}]
"DisplayName"="MyWay Search Assistant"
[HKEY_LOCAL_MACHINE\SOFTWARE\MyWaySA]
[HKEY_LOCAL_MACHINE\SOFTWARE\MyWaySA\SearchAssistantDE]
[HKEY_LOCAL_MACHINE\SOFTWARE\MyWaySA\SearchAssistantDE]
"Dir"="C:\\Program Files\\MyWaySA\\SrchAsDe\\"
[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
"Default_Page_URL"="http://www.dell.co.uk/myway"
[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
"First Home Page"="http://www.dell.co.uk/myway"
[HKEY_USERS\S-1-5-21-1713403217-1342212015-937822065-1006\Software\Microsoft\Internet Connection Wizard]
"ShellNext"="http://www.dell.co.uk/myway"
[HKEY_USERS\S-1-5-21-1713403217-1342212015-937822065-1006\Software\Microsoft\Internet Explorer\Main]
"Search Bar"="http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DK"
[HKEY_USERS\S-1-5-21-1713403217-1342212015-937822065-1006\Software\MyWaySA]
[HKEY_USERS\S-1-5-21-1713403217-1342212015-937822065-1006\Software\MyWaySA\SearchAssistantDE]
[HKEY_USERS\S-1-5-21-1713403217-1342212015-937822065-1006\Software\MyWaySA\SearchAssistantDE]
"ABS"="http://mysearch.myway.com/jsp/cfg_redir2.jsp?id=DK&psa=U9HAtrNH4f_fOgGoV3DWpA&url=http://search.myway.com/search/barsearch.jhtml&st=kwd&ptnrS=DK&PG=SEASUSH&SEC=ABMANY&searchfor="
[HKEY_USERS\S-1-5-21-1713403217-1342212015-937822065-1006\Software\MyWaySA\SearchAssistantDE]
"DES"="http://mysearch.myway.com/jsp/cfg_redir2.jsp?id=DK&psa=U9HAtrNH4f_fOgGoV3DWpA&url=http://search.myway.com/search/barsearch.jhtml&st=dns&ptnrS=DK&PG=SEASUSH&SEC=DNS&searchfor="
[HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main]
"Default_Page_URL"="http://www.dell.co.uk/myway"
[HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main]
"First Home Page"="http://www.dell.co.uk/myway"
Ok, that's good :)
Now I need you to use the same search tool, but this time search for
LocalPackage
(Honest, we are getting somewhere :laugh: )
mpmtrash
2007-11-11, 07:31
Here we go.....
REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "LocalPackage" 11/11/2007 06:29:46
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Patches\00095BFF74BECB5448A2FEBFAD36C549]
"LocalPackage"="C:\\WINDOWS\\Installer\\b1a34.msp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Patches\3574AFE896173CC42AB8A061348B3AB9]
"LocalPackage"="C:\\WINDOWS\\Installer\\27584a.msp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Patches\37A494A313706A847B50935683F2686D]
"LocalPackage"="C:\\WINDOWS\\Installer\\62c632.msp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Patches\47D5B7190DD12874B9CCDFE6E20DF957]
"LocalPackage"="C:\\WINDOWS\\Installer\\11262d.msp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Patches\48D7511FDD7382A428582E0515459A06]
"LocalPackage"="C:\\WINDOWS\\Installer\\2e8e89.msp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Patches\4937F697BE364874B9446EFBCE5C79CD]
"LocalPackage"="C:\\WINDOWS\\Installer\\2da07b.msp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Patches\49CFBB116E0E0174AAF67713079678CC]
"LocalPackage"="C:\\WINDOWS\\Installer\\50ade8.msp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Patches\55C2C217CD64E794A96E71FDD44519BE]
"LocalPackage"="C:\\WINDOWS\\Installer\\2e8eb2.msp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Patches\58CABFA223F8BDE4FA656D2893ADFFD7]
"LocalPackage"="C:\\WINDOWS\\Installer\\62c6ff.msp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Patches\7291702F096CC894DBCBC0980AAFCBA5]
"LocalPackage"="C:\\WINDOWS\\Installer\\516ac6.msp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Patches\75F24757AB1346E4A86884DCBDD6EFF4]
"LocalPackage"="C:\\WINDOWS\\Installer\\2e8e77.msp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Patches\7FCDE114D557E4147AB4D3DC56385F98]
"LocalPackage"="C:\\WINDOWS\\Installer\\1599f.msp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Patches\8A40193A0F141DB4F8D0AC0169B93BD3]
"LocalPackage"="C:\\WINDOWS\\Installer\\11261b.msp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Patches\92B139F9099A8A74CAC13CAA075ABBF5]
"LocalPackage"="C:\\WINDOWS\\Installer\\62c67a.msp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Patches\97943EE65530BE447816123DB2C14EBA]
"LocalPackage"="C:\\WINDOWS\\Installer\\67aa77.msp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Patches\9DBB284524015834682647FA646158C6]
"LocalPackage"="C:\\WINDOWS\\Installer\\62c6ed.msp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Patches\A2CDF4113BCB74A41BD8D1A0CFD920C0]
"LocalPackage"="C:\\WINDOWS\\Installer\\2e8ea0.msp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Patches\A9E0D1D8997C82D4E99200161D6EE634]
"LocalPackage"="C:\\WINDOWS\\Installer\\11260a.msp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Patches\ABA8E19640D49834788396B25F4E625C]
"LocalPackage"="C:\\WINDOWS\\Installer\\62c668.msp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Patches\AF33030005256AB4497B4886F6884150]
"LocalPackage"="C:\\WINDOWS\\Installer\\50add6.msp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Patches\B37B45BCCE35B2D4E8A1CAA8CA9FB6B3]
"LocalPackage"="C:\\WINDOWS\\Installer\\45958a.msp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Patches\BB0A8EBF5879962498AB4E708E889FB6]
"LocalPackage"="C:\\WINDOWS\\Installer\\182239.msp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Patches\BB38B80DA31C8A04B9CBC685A1CFBAC2]
"LocalPackage"="C:\\WINDOWS\\Installer\\62c6c9.msp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Patches\BC6FC0DDCBDA26043BC05DB3128AA3BF]
"LocalPackage"="C:\\WINDOWS\\Installer\\62c656.msp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Patches\D06EDE0F96DB153418AB07E61571F9E7]
"LocalPackage"="C:\\WINDOWS\\Installer\\62c6db.msp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Patches\D2CAF3C3C73891C49AB0068C621BA5A1]
"LocalPackage"="C:\\WINDOWS\\Installer\\2e8e65.msp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Patches\D326130434CA14B40AFD857479196848]
"LocalPackage"="C:\\WINDOWS\\Installer\\62c644.msp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Patches\D5A1F02787E2BAF4D99C74CA42FBEBF4]
"LocalPackage"="C:\\WINDOWS\\Installer\\50adfa.msp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Patches\D78E1F6C1E3F478479CE8FD7BAD68687]
"LocalPackage"="C:\\WINDOWS\\Installer\\67aa64.msp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Patches\D965EB20DBB715449A550CDCBF60591F]
"LocalPackage"="C:\\WINDOWS\\Installer\\62c6b5.msp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Patches\E97FFC186E40CB144BAF2DFFD45EA851]
"LocalPackage"="C:\\WINDOWS\\Installer\\62c6b6.msp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Patches\F498D7EF7BACEF540865443F52234A30]
"LocalPackage"="C:\\WINDOWS\\Installer\\3e8129.msp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Patches\F81D2D10124B54D46986B33C209AA1DC]
"LocalPackage"="C:\\WINDOWS\\Installer\\62c68c.msp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\0B5EE0CABF8AA0D4FA30E2CD15F848B1\InstallProperties]
"LocalPackage"="C:\\WINDOWS\\Installer\\6bb2.msi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\0B79C053C7D38EE4AB9A00CB3B5D2472\InstallProperties]
"LocalPackage"="C:\\WINDOWS\\Installer\\7506.msi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\0CAE291463B632742B610D8EE67775CA\InstallProperties]
"LocalPackage"="C:\\WINDOWS\\Installer\\6bc2.msi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\0E23E40C6140D434FA9B96967D309AFE\InstallProperties]
"LocalPackage"="c:\\WINDOWS\\Installer\\50adc5.msi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\0F007175D9BDA3B40BD3531AB45B39F9\InstallProperties]
"LocalPackage"="C:\\WINDOWS\\Installer\\47c38a.msi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\116B3484BCF88244C832130D5AAE1E46\InstallProperties]
"LocalPackage"="C:\\WINDOWS\\Installer\\5b820.msi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\15CC353DD034F6C4B9E72500D31A0EA5\InstallProperties]
"LocalPackage"="C:\\WINDOWS\\Installer\\5b825.msi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\164AFE3E38BEB3C4C974C2D1850A5155\InstallProperties]
"LocalPackage"="C:\\WINDOWS\\Installer\\5b82a.msi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\1FFEDB53016A65940AD05154C3113659\InstallProperties]
"LocalPackage"="C:\\WINDOWS\\Installer\\6c69.msi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\29FE602138E29584CABC02843CBCD76A\InstallProperties]
"LocalPackage"="C:\\WINDOWS\\Installer\\6bd1.msi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\3D6B2B85FF5E61D478CA25CC75717C6C\InstallProperties]
"LocalPackage"="C:\\WINDOWS\\Installer\\6c72.msi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\41858184422Aa74418AD17DB0285E0B1\InstallProperties]
"LocalPackage"="C:\\WINDOWS\\Installer\\5b81b.msi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4757561245DB2A844905BE302B7CCF92\InstallProperties]
"LocalPackage"="C:\\WINDOWS\\Installer\\6bab.msi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4EAC60FA431C1B446B9941BFBD36DB73\InstallProperties]
"LocalPackage"="C:\\WINDOWS\\Installer\\6bc6.msi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4F56621B39E44BA47BCF7350B3256492\InstallProperties]
"LocalPackage"="C:\\WINDOWS\\Installer\\6bdf.msi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4F57260AB42358E4596E782BDC274910\InstallProperties]
"LocalPackage"="C:\\WINDOWS\\Installer\\12a2e5.msi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\55716C7B84BD300449F8D343BDE8FA96\InstallProperties]
"LocalPackage"="C:\\WINDOWS\\Installer\\5b7e2.msi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\568774731F3A2774DA34AACFB6FC9FF9\InstallProperties]
"LocalPackage"="c:\\WINDOWS\\Installer\\1c0eb3.msi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\5B397F38FBB8DF248A6A68C83B2EAAAE\InstallProperties]
"LocalPackage"="C:\\WINDOWS\\Installer\\68ef.msi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\5B3B5BFE082A52E4EBC136E4FE3EC2B1\InstallProperties]
"LocalPackage"="C:\\WINDOWS\\Installer\\5b7f2.msi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\5EAD28C50BE647342945EB3391ABE428\InstallProperties]
"LocalPackage"="C:\\WINDOWS\\Installer\\83ac46.msi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\5F374570A648B844CB3B01A41A672050\InstallProperties]
"LocalPackage"="C:\\WINDOWS\\Installer\\6be6.msi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\61DC2AA5F6073f14785CB2A530F1B2B3\InstallProperties]
"LocalPackage"="C:\\WINDOWS\\Installer\\5b7f7.msi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\68AB67CA7DA73301B7447A0000000000\InstallProperties]
"LocalPackage"="C:\\WINDOWS\\Installer\\53befa.msi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\69A5CA7BCB8CC1346B16720A7918FD8A\InstallProperties]
"LocalPackage"="C:\\WINDOWS\\Installer\\6c6d.msi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\6C356278CDD5B8847B2CFCE9D439535E\InstallProperties]
"LocalPackage"="C:\\WINDOWS\\Installer\\2abaff.msi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\6C7CD9CB246FCDD489507B0CCC1303DE\InstallProperties]
"LocalPackage"="C:\\WINDOWS\\Installer\\eb1f9.msi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\74237FAFBA4533F48BE4AE3DC6F3C378\InstallProperties]
"LocalPackage"="C:\\WINDOWS\\Installer\\1e4ac6.msi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\7A54B78467022644EBFF0513669D0E0E\InstallProperties]
"LocalPackage"="C:\\WINDOWS\\Installer\\8e930.msi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\87627777F71810443910DED1108AAD65\InstallProperties]
"LocalPackage"="C:\\WINDOWS\\Installer\\5b84c.msi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8829557EB322C354F96043E0B32EE193\InstallProperties]
"LocalPackage"="C:\\WINDOWS\\Installer\\6c65.msi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D610003\InstallProperties]
"LocalPackage"="C:\\WINDOWS\\Installer\\1dafc.msi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8D60D467ED8DE1141A8C9D9E83F0A848\InstallProperties]
"LocalPackage"="C:\\WINDOWS\\Installer\\6b7e.msi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9040211900063D11C8EF10054038389C\InstallProperties]
"LocalPackage"="C:\\WINDOWS\\Installer\\2cdaa9.msi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9399EE5EF9522ED40832C5941EA6F434\InstallProperties]
"LocalPackage"="C:\\WINDOWS\\Installer\\5b82f.msi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9B694C87B6A52964C8E2FAFF3CE49416\InstallProperties]
"LocalPackage"="C:\\WINDOWS\\Installer\\6bca.msi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9F2FDFE0D6387BE43AD230B83D1FBFA2\InstallProperties]
"LocalPackage"="C:\\WINDOWS\\Installer\\2e8e8f.msi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A266C3D16C6F76747A88A74AA3A93171\InstallProperties]
"LocalPackage"="C:\\WINDOWS\\Installer\\6bbe.msi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\B9C807BA8C799CA498B9BD2F62CA3928\InstallProperties]
"LocalPackage"="C:\\WINDOWS\\Installer\\6bd8.msi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\BAB3CC87A2ED4BF4F8BB4EADDD2C7674\InstallProperties]
"LocalPackage"="C:\\WINDOWS\\Installer\\1508a8d.msi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\C2667F47BD1BE9848ACA700AB64279B8\InstallProperties]
"LocalPackage"="C:\\WINDOWS\\Installer\\6b9d.msi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\C6B56403F35B1A94E9AB3A1F78DA05E2\InstallProperties]
"LocalPackage"="C:\\WINDOWS\\Installer\\6bed.msi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\CBA921A9A35A90242AE15DEDFD7BCC8A\InstallProperties]
"LocalPackage"="C:\\WINDOWS\\Installer\\5b7fc.msi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\D24F5095F5F36194DA6A493A46A6EE67\InstallProperties]
"LocalPackage"="C:\\WINDOWS\\Installer\\68f6.msi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\D9BD4ABD15EE44944A9189BAF121948C\InstallProperties]
"LocalPackage"="C:\\WINDOWS\\Installer\\855be.msi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\DBC8D038866C2e949A962C2C0136230E\InstallProperties]
"LocalPackage"="C:\\WINDOWS\\Installer\\5b847.msi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\DDE7F2BCF1D91C3409CFF425AE1E271A\InstallProperties]
"LocalPackage"="C:\\WINDOWS\\Installer\\50c4.msi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\E7DD42A510B7CA14DA8A1F7716773AAB\InstallProperties]
"LocalPackage"="C:\\WINDOWS\\Installer\\26e019.msi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\EE8A868315050BD4D86FF4B4A8890D38\InstallProperties]
"LocalPackage"="C:\\WINDOWS\\Installer\\2abb34.msi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\F525BD4F689A94249BB8248A602615AC\InstallProperties]
"LocalPackage"="C:\\WINDOWS\\Installer\\5b834.msi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\FE2DACC32FFC736428AAAAFB7320283D\InstallProperties]
"LocalPackage"="C:\\WINDOWS\\Installer\\5b7e8.msi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1713403217-1342212015-937822065-1006\Products\00F73955B96A9404D8A3C1779247B2F6\InstallProperties]
"LocalPackage"="C:\\WINDOWS\\Installer\\fd368.msi"
Navigate to
C:\WINDOWS\Installer\6c65.msi
right-click the entry and select the uninstall option.
Let me know how you get on :)
mpmtrash
2007-11-11, 21:03
Hi - I cant see the Installer folder in the windows folder???!!!
Show All Files And Folders
Now you need to show all files and folders
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.
Now you should be able to see it :)
mpmtrash
2007-11-12, 09:12
Hi - Thanks - it has uninstalled successfully. However - if I put a wrong domain name in the web address now it goes to gooogle.com and comes up with search results there. Is this safe also? I do have a google search box in my toolbar of IE but I do not use it and am happy to uninstall Google completely.
Glad to hear it has gone nicely :)
Google is safe enough :bigthumb:
Congratulations your logs look clean :D
Let's see if I can help you keep it that way
First lets tidy up :D
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
You can also delete any logs we have produced, and empty your Recycle bin.
Reset System Restore.
Now you should disable System restore to purge any infected files and then re-enable it,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer
Turn ON System Restore
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Un-Check Turn off System Restore.
Click Apply, and then click OK.
Also PLEASE read this article
So How Did I Get Infected In The First Place (http://www.malwareremoval.com/forum/viewtopic.php?f=11&t=4959)
If you can see a program in the must have section that you have never seen or used then get it!
The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.
If you follow this advice then (with a bit of luck) you will never have to hear from me again :D
If you could post back one more time to let me know everything is OK, then I can have this thread archived.
Happy surfing K'
mpmtrash
2007-11-14, 03:38
Thanks. I have ow protected my computer - thanks for all your help much appreciated. You are an :angel::bigthumb:
Feel free to archive this thread. Thanks once again.:present: