Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virtumonde


  • Please log in to reply
10 replies to this topic

#1 trudger

trudger

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:10:42 PM

Posted 03 October 2005 - 10:00 PM

I sure hope someone can help me. For the past couple of weeks, I've been wrestling a most irritating problem. It concerns a piece of spyware/adware called VirtuMonde (Symantec calls it "Adware.Virtumonde"). In the interest of providing a comprehensive picture, this posting will be rather lengthy. I hope that doesn't prove discouraging to folks who might be able to give me some help.

Here's some background. I bought this computer at the end of December 2004. I keep current on all Windows updates. I run Norton Anti-Virus, Ad-Aware (set on deep scan), Spybot S&D, SpywareBlaster, Zone Alarm (firewall), and Popup Killer. I do virus scans daily, spyware scans weekly (unless I suspect something has happened that a spyware scan might catch), and keep Popup Killer runnng in the background at all times. All of my virus pattern and spyware/adware definitions are kept current, and my firewall keeps me in stealth mode. I run WinXP Home SP2 on a box with P4 3GHz, 200 GB HDD, 512 RAM/256 Video RAM. In the 10 years I've been accessing the Internet, no virus or malware has ever made it onto my hard drive until now.

This VirtuMonde abomination apparently got through all of my defenses, and has been throwing obnoxious popups in my face ever since. These popups are legitimate-looking Windows warning boxes saying that something horrible has been detected on my hard drive (You have a virus! You have spyware! Your registry has just blown up! Oh no!), and/or transporting me to actual web pages where I'm supposed to purchase remedies for the disaster that's just befallen me, telling me that if I don't, my entire life will dissolve into wreck and ruin.

Well, maybe not quite that bad, but the messages are clearly designed to scare poor, unsuspecting folks into buying lots of worthless junk. The programs being touted have official-sounding names: WinFixer, WinAnti-Spyware, and WinAntiVirus PRO 2005.

Some of the pop-ups present a "would you like to download WinWhatever?" screen, and even if you say "no" the thing starts downloading anyway (the download screen is not reflected in Task Manager, either). When this has happened I've rebooted from Task Manager, which is the only way I've been able to stop the downloads.

All of this started happening on Fri 09/16/2005 with Winfixer popups. I tried to add them to Popup Killer's blacklist, but every time I did both Popup Killer and the Winfixer popup froze. I did manage to ascertain that the URL to which the popup kept trying to whisk me is winfixer.com. The only way out of this frozen mess has been to reboot.

After the first popup ambush, I ran Ad-Aware and Spybot (both with most recent updates) and nothing was discovered. I also checked SpywareBlaster, which is supposed to catch things before they can land on my hard drive, and it was up to date. The Winfixer crap kept happening intermittently, and I kept getting rid of the screens.

Grasping at straws, I also added winfixer.com and every permutation I could think of using wildcards to my Restricted Sites list in IE6.0, and I cleaned out all of my temp and history files. This might have been overkill, but so be it.

On Sat 09/17/2005, the WinAntiSpyware popups started. Again, my anti-spyware scans came back clean. I added www.winantispyware.com etc. etc. to my Restricted Sites list, and again cleaned out all of my temp and history files.

The WinAntiSpyware crap has continued, and it's been joined by WinAntiVirus PRO 2005 (antispyware.antivirus.com; antispyware.winantivirus.com). I did the restricted site/clear temp/clear history routine with those, too.

I haven't seen any more Winfixer junk. I'm still getting WinAntiSpyware and WinAntiVirus PRO 2005 popups.

I tried using System Restore to take my machine back to a time before all of this started. I tried several restore points, but the program informed me that the restores were not possible. In the past, I've used System Restore without any problems.

Throughout all of this, my daily scans with Norton AntiVirus had been coming back clean. Until Fri 09/23/2005, that is. On that date, the NAV scan returned:

"Norton AntiVirus has found 0 infected file(s) and 1 at-risk file(s)."
Filename: rastapi.dll
Threat name: Adware.VirtuMonde
Action: Adware found
Status: At risk"

I was given the option to delete the file, which I tried to do. NAV informed me that "Delete failed." I then clicked on a link that was provided for further information on the problem. This took me to a Symantec web page. I followed all of the instructions I found there.

The following describes exactly what I did, and what happened. FYI, I have administrator privileges on my computer. I'm a home user, and I'm the only user.

(1) Made my user files private and password-protected
(2) Downloaded FixVundo.exe and FxVMonde.exe from the Symantec site (both are allegedly VirtuMonde removal tools)
(3) Unplugged my DSL modem
(4) Disabled System Restore
(5) I ran the removal tool called FixVundo.exe. Nothing was found to remove.
(6) Rebooted my computer
(7) I ran FixVundo.exe a second time, as instructed by Symantec. Again, nothing was found to remove.
(8) Rebooted computer again
(9) I ran FxVMonde.exe. Nothing was found to remove.
(10) I ran another full system virus scan (comprehensive file scanning). NAV again informed me:

"Norton AntiVirus has found 0 infected file(s) and 1 at-risk file(s)."
Filename: rastapi.dll
Threat name: Adware.VirtuMonde
Action: Adware found
Status: At risk

So, neither of these "removal tools" worked.

I then repeated all of the above steps -- just to be sure -- and got exactly the same results. NAV continues to reflect that I have Adware.VirtuMonde. But FixVundo.exe and FxVMonde.exe continue to indicate that I don't (there's nothing to remove). There is no way for me to tell which is correct.

FYI, I've left System Restore turned off. It would only be creating unusable checkpoints.

I've tried manually deleting, renaming, and corrupting the offending rastapi.dll file. I'm not permitted to do any of these things. I get a message saying the file is in use. Likewise, I'm unable to rename the folder in which it resides.

I've also tried to fix things manually, following Symantec's instructions for doing so. Symantec said to find and delete two registry entries that turned out not to be there:
HKEY_CURRENT_USER\Software\Microsoft\WindowsUpd
HKEY_CURRENT_USER\Software\Microsoft\SysUpd

After executing all of the above, I ran Ad-Aware (deep scan) and Spybot using brand new updates that I'd just downloaded. Both scans came back clean.

I've since discovered a second hidden file in C:\WINDOWS\web that appears suspicious: ipatsar.ini. This file seems to be monitoring everything I do, and is continuously growing in size. It started out as 415 KB and is currently 418 KB. The "date modified" always reflects the current date/time, and continuously advances in one-minute increments even if I'm not online and my system is idle.

I've tried deleting ipatsar.ini. It immediately reappears in the C:\WINDOWS\web folder.

Regarding Adware.VirtuMonde, I find it interesting that according to Symantec, "This program must be manually installed or installed as a component of another program." Well, I haven't installed any new programs recently, either manually or otherwise.

Just for the heck of it, I decided to do the free online virus and security scans offered on the Symantec website. The virus scan came back "139744 files checked, 0 infected and 0 detected in memory." The security scan came back "Safe" in all five areas that were checked: Hacker Exposure, Windows Vulnerability Check, Trojan Horse Check, Antivirus Product Check, Virus Protection Update Check. Detailed results show the status of all ports to be "Stealth" (as usual).

I then ran yet another scan with my NAV program. I got the same song-and-dance about Adware.VirtuMonde being on my hard drive. Since I was getting conflicting information from Symantec, I sent a detailed email about it to Symantec Tech Support. I got a reply (I think it might have come from India) saying that I'd have to phone tech support and pay either $39.95 for automated support, or $69.95/$4.00 a minute (they give you a choice) for help from a real person. I find this pretty off-putting, so I went back to groping along on my own.

Out of curiosity, I decided to try a couple of free online scans offered by Panda Software -- one for viruses and one for security. The security scan went as expected. Just call me Stealthy. :thumbsup:

But the Panda virus scan not only turned up Virtumonde (which it said could not be removed), it found (and removed, thank you) something called Agent.AKJ, which was indicated as being a trojan. This Agent.AKJ has never shown up on any of my NAV scans. In fact, it isn't even listed in Symantec's most current virus pattern file. Obviously, either the Panda or NAV scans were wrong. I have no way of telling which.

I've done quite a bit of research on this VirtuMonde piece of crap, and a couple of sources say that along with being adware, it's also a keylogger. *Whatever* it is, I know one thing for sure: it's devious.

I've noticed that my CPU usage has started fluctuating wildly. I've been monitoring it using Task Manager at various times during a given session. I've done this both online and offline, and it doesn't seem to make much difference. The graph can be sitting at, say, 2% usage, then suddenly leap to 100% for a few seconds, then back down to 2%. Other times it will go from, say, 8% to 75% to 43% to 57%, and continue to fluctuate at the higher numbers for awhile before heading back down to a reasonable level. This happens even when I'm not actively working on anything and have no program other than Task Manager open. Methinks this is not normal, is it?

Okay, let's get down to what I've discovered about the rastapi.dll file that NAV keeps telling me is at risk. I've ascertained that the full name of this application extension file is Remote Access TAPI Compliance Layer. It appears to be connected to Windows startup. A search of my hard drive reveals *three* files named rastapi.dll. I believe *two* of them are legit.

I have Folder Options set in Control Panel to "Show hidden files and folders" and "Show encrypted or compressed NTFS files in color."

One instance of rastapi.dll resides in C:\WINDOWS\system32. A second instance, blue in color, resides in C:\WINDOWS\system32\dllcache. Both of these are 58 KB in size and were created on 08/07/2004 (before I bought the computer). Both also have properties that include, on the Version tab, "Company: Microsoft Corporation; File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158); Product Name: Microsoft Windows Operating System; Product Version: 5.1.2600.2180."

The *hidden* rastapi.dll file, residing in C:\WINDOWS\web, is 504 KB in size and was created on 08/31/2005. There is *no* Version tab, hence no further information is given. I believe this is a bogus file.

I've also started getting Data Execution Prevention warnings concerning Windows Explorer, saying that the program has been closed to help protect my computer. These warnings seem to happen at random. I don't know if this has anything to do with the other stuff that's been happening or not.

I've spent a ridiculous amount of time trying to figure out what the problem might be, all to no avail. It's become such a pain in the backside that I've been staying off the Internet as much as possible (I'm usually online at least 8 hours a day).

I'm posting a HijackThis Log in hopes that someone will be able to help me get this garbage out of my computer. I've noticed that rastapi.dll appears in the log twice, but ipatsar.ini is not reflected at all. I'd sure apprediate any help you could give me. Thanks very much!
______________________

Logfile of HijackThis v1.99.1
Scan saved at 10:29:52 PM, on 10/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\PopUp Killer\PopUpKiller.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =

http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =

http://www.hp.com/usa/buy/locator/home-hom...o&mtxb=2&mtxl=2
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat

6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Web\rastapi.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec

Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] c:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [SSC_UserPrompt] c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -

http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -

http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -

http://v5.windowsupdate.microsoft.com/v5co...b?1104636162687
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -

http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -

http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) -

http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) -

http://liveca04.rightnowtech.com/7020-b369...l/java/RntX.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: rastapi - C:\WINDOWS\Web\rastapi.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec

Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec

Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec

Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec

Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Movielink Core Service - Movielink LLC - C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton

AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec

Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security

Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Edited by trudger, 03 October 2005 - 10:03 PM.


BC AdBot (Login to Remove)

 


#2 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 06 October 2005 - 08:01 AM

Hi trudger and Welcome to the Bleeping Computer!

Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this

    VundoFix V2.13 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....


  • At this point press enter one time.

  • Next you will see:

    Type in the filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.


  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\Web\rastapi.dll
  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.

  • Next you will see:

    Please type in the second filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.

  • At this point please type the following file path (make sure to enter it exactly as below!):C:\WINDOWS\Web\ipatsar.*
    This will be the vundo filename spelt backwards. for example if the vundo dll was vundo.dll you would have the user enter odnuv.*
  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  • The fix will run then HijackThis will open.
  • In HiJackThis, please place a check next to the following items and click FIX CHECKED:O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Web\rastapi.dll

    O20 - Winlogon Notify: rastapi - C:\WINDOWS\Web\rastapi.dll
  • After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
  • Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!
  • Once your machine reboots please continue with the instructions below.
Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.

#3 trudger

trudger
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  

Posted 08 October 2005 - 09:57 PM

Hey Cretemonster,

Thanks very much for your reply. Unfortunately, on the way to following your instructions I hit another snag. When I try to start my system in Safe Mode, something rather bizarre happens.

After I reboot, hit F8 and choose "Safe Mode" (that's plain old Safe Mode, not "with Networking" or "with Comand Prompt") a list of drivers is displayed that populates the entire screen (white typeface on black background). Then I get a black screen with "Safe Mode" reflected in all four corners, and across the top is reflected Microsoft Windows XP (Build number, etc.).

I then get a "Windows is Starting" screen, after which I'm taken to a "Click User Name" screen. After I do that, I'm taken to another black screen and get a message box that stays visible for about one second, so I'm unable to read it (all I know is that it has "Yes" and "No" buttons at the bottom).

After that disappears, I'm left on a screen that's identical to the one that appears after I initially choose Safe Mode -- black, with "Safe Mode" reflected in all four corners, and Microsoft Windows XP (Build number, etc.) across the top. Nothing else happens. No GUI, nothing. Just a black screen with white typeface and no way to navigate.

I'm obviously unable to accomplish anything from this screen. My only alternative has been to bring up Task Manager and reboot back into full Windows mode.

I've tried to find some clue about what's going on, but so far, I've come up empty. If you happen to know what might be wrong, I'd sure appreciate your help. Meanwhile, I'll keep looking. Thanks!

#4 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 09 October 2005 - 04:33 AM

Thats OK,I just sorted one of these yesterday after an all day trial and error!

So I guess your lucky in that aspect!


Do you know exactly where you save the Vundo Fix,is it on the desktop or in another location?

#5 trudger

trudger
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:10:42 PM

Posted 09 October 2005 - 10:58 PM

I finally made it into Safe Mode, although it sure wasn't the Safe Mode I'm used to seeing. I managed to get the taskbar and five icons to display down the left-hand side of the desktop by clicking in as Administrator, waiting for the gone-in-a-nanosecond message box to appear and clicking "Yes" before it vanished, which was no small feat. (I still don't know what the message actually says).

Unfortunately, the icons that appeared were of no use, and the same ones showed up -- Recycle Bin, Software Repair Wizard. HP Total Care Services & Warranties, Help and Support, and Ad-Aware -- no matter how I arranged things on my desktop. This necessitated my moving the VundoFix folder from the desktop to C:\Documents and Settings\Administrator so I could access it. Once that was done, I was able to proceed with your instructions.

When HiJack This first opened, it displayed a blank window. So even though your instructions didn't say to do so, I ran a scan. This resulted in a bunch of files being displayed, but O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Web\rastapi.dll wasn't among them. I did find 020 - Winlogon Notify: rastapi - C:\WINDOWS\Web\rastapi.dll, which said "file missing." I placed a check mark by it anyway and clicked "Fix Checked."

Now, here is some good news: ActiveScan came back clean. Here are the results:

Scan finished
No viruses or other malicious software have been found!
Detected Disinfected
Virus 0 0
Spyware 0 0
Hacking Tools 0 0
Dialers 0 0
Security Risks 0 0
Suspicious files 0 0
__________________________

Here's the Vundo Fix text file:

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Suspending PID 136 'smss.exe'
Threads [140][144][148]

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of explorer.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 228 'winlogon.exe'
Killing PID 228 'winlogon.exe'
Killing PID 228 'winlogon.exe'
Killing PID 228 'winlogon.exe'
File Deleted sucessfully.
Files Deleted sucessfully.
__________________________

Here's a new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:17:15 PM, on 10/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\PopUp Killer\PopUpKiller.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/usa/buy/locator/home-hom...o&mtxb=2&mtxl=2
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Bho - {9B34BEAC-0610-4cad-81FC-22415BCD37B4} - C:\WINDOWS\system32\loqweaed.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1104636162687
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://liveca04.rightnowtech.com/7020-b369...l/java/RntX.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Movielink Core Service - Movielink LLC - C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
________________________________

BTW, I've noticed the appearance of a new file in C:\WINDOWS\System32 by the name of loqweaed.dll. It's reflected as a BHO in the above HJT log. It was created while I was in the midst of the above activities, and it consists of gibberish (as did the two previous offending files). A Google search yields no hits (as did a search for ipatsar.ini). Please tell me that loqweaed.dll isn't anything bad. After having been dragged down the road by all of this for over three weeks, I'm worn out.

I'm hoping you'll be able to pronounce my system healed so I can go back to thinking that only the government is watching what I'm doing. :thumbsup: I'm also hoping this does the trick because the pop-ups being flung at me turned a little sleazy.

Thanks so much for all of your great help! Without it, this crap might have landed me in a loony bin. :flowers:

#6 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 10 October 2005 - 04:04 AM

Sorry for the delay during the board upgrades!


Download WinPFind:
http://www.bleepingcomputer.com/files/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet!

Restart in Safe Mode


Have HijackThis fix these

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop

O2 - BHO: Bho - {9B34BEAC-0610-4cad-81FC-22415BCD37B4} - C:\WINDOWS\system32\loqweaed.dll


Still in Safe Mode-> From the WinPFind folder-> Doubleclick WinPFind.exe and Click "Start Scan"

It will scan the entire System, so please be patient!

One you see "Scan Complete"-> a log (WinPFind.txt) will be automatically generated in the WinPFind folder!


Restart Normal and have one more Online Scan here
http://support.f-secure.com/enu/home/ols.shtml

Save and Results!


Post back with a fresh HijackThis log and the reports from WinPfind and F-Secure!

#7 trudger

trudger
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  

Posted 10 October 2005 - 02:58 PM

I've done all of the tests, but I want to point out a few things before I get into the results.

After running HJT while in Safe Mode, the results reflected no HKCU entries prefaced by R1. The only HKCU entries I saw were prefaced by 04, and read as follows:

04-HKCU\..\Run:[ctfmon.exe]C:\WINDOWS\system32\ctfmon.exe
04-HKCU\..\Run:[AVG7_Run]C:PROGRA~\Grisoft\AVG7\avgw.exe/RUNONCE

These look legit to me (but what do I know?), so I left them alone. I hope I did the right thing. I wonder why all of this junk keeps changing? With some of it, I feel as though I'm skidding along on the seat of my pants!

Anyway, I told HJT to fix all other entries you specified -- the four R1-HKLM entries, the one R0-HKLM entry, and the lovely 02-BHO:Bho - {blahblah} - C:\WINDOWS\system32\loqweaed.dll
________________________

Here is the WinFind log:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Windows OS and Versions
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

Checking Selected Standard Folders

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 8/4/2004 8:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 3/6/2001 5:35:46 PM 19968 C:\WINDOWS\SYSTEM32\HREF.OCX
PTech 8/3/2005 10:33:42 AM 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PEC2 9/17/2000 2:41:26 AM 11264 C:\WINDOWS\SYSTEM32\Line3D.ocx
PECompact2 9/8/2005 11:08:28 PM 1997664 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 9/8/2005 11:08:28 PM 1997664 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 3:00:00 PM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 3:00:00 PM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/4/2004 8:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
PEC2 3/6/2001 5:37:18 PM 13824 C:\WINDOWS\SYSTEM32\xFXSysTray.ocx

Checking %System%\Drivers folder and sub-folders...
UPX! 10/5/2005 10:26:02 PM 726208 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 10/5/2005 10:26:02 PM 726208 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2 10/5/2005 10:26:02 PM 726208 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 10/5/2005 10:26:02 PM 726208 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
10/10/2005 1:35:34 PM S 2048 C:\WINDOWS\bootstat.dat
8/12/2005 8:18:12 PM H 51902 C:\WINDOWS\Help\CChat.GID
10/10/2005 1:27:42 PM H 31772 C:\WINDOWS\system32\vsconfig.xml
9/14/2005 9:23:52 PM H 4212 C:\WINDOWS\system32\zllictbl.dat
10/10/2005 1:35:26 PM H 8192 C:\WINDOWS\system32\config\default.LOG
10/10/2005 1:35:46 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
10/10/2005 1:35:34 PM H 12288 C:\WINDOWS\system32\config\SECURITY.LOG
10/10/2005 2:40:32 PM H 163840 C:\WINDOWS\system32\config\software.LOG
10/10/2005 1:35:38 PM H 1028096 C:\WINDOWS\system32\config\system.LOG
9/14/2005 10:53:32 AM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
9/5/2005 3:42:50 PM S 558 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735
9/5/2005 3:42:50 PM S 144 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735
9/21/2005 1:55:08 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\e754ff82-fd14-4472-b61d-cd55377ad385
9/21/2005 1:55:08 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
10/10/2005 1:34:42 PM H 6 C:\WINDOWS\Tasks\SA.DAT
10/2/2005 6:53:06 PM HS 7168 C:\WINDOWS\Web\Thumbs.db

Checking for CPL files...
Microsoft Corporation 8/4/2004 3:00:00 PM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 4/6/2005 6:58:48 PM 294912 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 8/4/2004 3:00:00 PM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 3:00:00 PM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 3:00:00 PM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 3:00:00 PM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 3:00:00 PM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 3:00:00 PM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 3:00:00 PM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 3:00:00 PM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 3:00:00 PM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems 8/7/2004 3:37:00 PM 61555 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 3:00:00 PM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 3:00:00 PM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 3:00:00 PM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation 4/1/2005 4:16:00 PM 73728 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 8/4/2004 3:00:00 PM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 3:00:00 PM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 8/26/1996 2:12:00 AM R 341504 C:\WINDOWS\SYSTEM32\QTW32.CPL
Apple Computer, Inc. 4/9/2004 12:12:42 AM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Realtek Semiconductor Corp. 3/17/2005 11:43:34 AM 262144 C:\WINDOWS\SYSTEM32\RTSndMgr.CPL
Microsoft Corporation 8/4/2004 3:00:00 PM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 3:00:00 PM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 3:00:00 PM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/4/2004 3:00:00 PM 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/4/2004 3:00:00 PM 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 8/4/2004 3:00:00 PM 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 8/4/2004 3:00:00 PM 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 8/4/2004 3:00:00 PM 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/4/2004 3:00:00 PM 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 8/4/2004 3:00:00 PM 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/4/2004 3:00:00 PM 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/4/2004 3:00:00 PM 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/4/2004 3:00:00 PM 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 8/4/2004 3:00:00 PM 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/4/2004 3:00:00 PM 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/4/2004 3:00:00 PM 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/4/2004 3:00:00 PM 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 8/4/2004 3:00:00 PM 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/4/2004 3:00:00 PM 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 8/4/2004 3:00:00 PM 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
Intel Corporation 8/3/2004 9:45:16 PM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0000\DriverFiles\igfxcpl.cpl
Intel Corporation 8/20/2004 4:53:06 PM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0008\DriverFiles\igfxcpl.cpl
Realtek Semiconductor Corp. 7/15/2004 3:54:16 PM 270336 C:\WINDOWS\SYSTEM32\ReinstallBackups\0010\DriverFiles\ALSNDMGR.CPL
Intel Corporation 8/3/2004 9:45:16 PM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0012\DriverFiles\igfxcpl.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
8/7/2004 3:03:42 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
8/7/2004 7:55:30 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
8/7/2004 4:52:32 PM 1410 C:\Documents and Settings\All Users\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...
8/7/2004 3:03:42 PM HS 84 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
8/7/2004 7:55:30 AM HS 62 C:\Documents and Settings\Administrator\Application Data\desktop.ini

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG7\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG7\avgse.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} = HP view : c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
= :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} = HP view : c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} = HP view : c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SunJavaUpdateSched C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
hpsysdrv c:\windows\system\hpsysdrv.exe
HotKeysCmds C:\WINDOWS\system32\hkcmd.exe
HPHUPD06 c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
HPHmon06 C:\WINDOWS\system32\hphmon06.exe
KBD C:\HP\KBD\KBD.EXE
Recguard C:\WINDOWS\SMINST\RECGUARD.EXE
AGRSMMSG AGRSMMSG.exe
PS2 C:\WINDOWS\system32\ps2.exe
MSConfig C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
IgfxTray C:\WINDOWS\system32\igfxtray.exe
PopUpKiller C:\Program Files\PopUp Killer\PopUpKiller.EXE
UserFaultCheck %systemroot%\system32\dumprep 0 -u
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
nwiz nwiz.exe /install
NvMediaCenter RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
SoundMan SOUNDMAN.EXE
AlcWzrd ALCWZRD.EXE
Alcmtr ALCMTR.EXE
VTTimer VTTimer.exe
Zone Labs Client C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
AVG7_CC C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
AVG7_EMC C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
AVG7_Run C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe
item HP Digital Imaging Monitor
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe
item HP Digital Imaging Monitor

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup C:\WINDOWS\pss\Updates from HP.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\UPDATE~1\309731\Program\UPDATE~1.EXE -startup
item Updates from HP
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup C:\WINDOWS\pss\Updates from HP.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\UPDATE~1\309731\Program\UPDATE~1.EXE -startup
item Updates from HP

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^HP Organize.lnk
path C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\HP Organize.lnk
backup C:\WINDOWS\pss\HP Organize.lnkStartup
location Startup
command C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\DISPLA~1.EXE "-application" "core.hp.main/application.xml" "-appname" "eLife"
item HP Organize
path C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\HP Organize.lnk
backup C:\WINDOWS\pss\HP Organize.lnkStartup
location Startup
command C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\DISPLA~1.EXE "-application" "core.hp.main/application.xml" "-appname" "eLife"
item HP Organize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iTunesHelper
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item iTunesHelper
hkey HKLM
command C:\Program Files\iTunes\iTunesHelper.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item iTunesHelper
hkey HKLM
command C:\Program Files\iTunes\iTunesHelper.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\LoadMSvcmm
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Movielink User
hkey HKLM
command "C:\Program Files\Movielink\MovielinkManager\Movielink User.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Movielink User
hkey HKLM
command "C:\Program Files\Movielink\MovielinkManager\Movielink User.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msmsgs
hkey HKCU
command "C:\Program Files\Messenger\msmsgs.exe" /background
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msmsgs
hkey HKCU
command "C:\Program Files\Messenger\msmsgs.exe" /background
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Sonic RecordNow!
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item
hkey HKCU
command
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item
hkey HKCU
command
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SpybotSD TeaTimer
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item TeaTimer
hkey HKCU
command C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item TeaTimer
hkey HKCU
command C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TkBellExe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item realsched
hkey HKLM
command "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item realsched
hkey HKLM
command "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\VTTimer
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item VTTimer
hkey HKLM
command VTTimer.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item VTTimer
hkey HKLM
command VTTimer.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 2
services 0
startup 2


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


Scan Complete
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 10/10/2005 2:49:38 PM
_________________________

The F-Secure Online Scan discovered nothing, and here is all I was able to save in the way of results:

Finished: No viruses found

Scanned files: 122596

_________________________

In the latest HJT log, I've noticed that the four missing R1-HKCU files are back along with stuff I don't remember having seen. Logic dictates that I should maybe go back into Safe Mode and have HJT fix the four offending entries -- but I'm not going to do anything on my own, mainly because I don't know what I'm doing (big surprise). So I'll wait for your say-so before I take any action.

Here's the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 3:27:31 PM, on 10/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\PopUp Killer\PopUpKiller.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/usa/buy/locator/home-hom...o&mtxb=2&mtxl=2
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1104636162687
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://liveca04.rightnowtech.com/7020-b369...l/java/RntX.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Movielink Core Service - Movielink LLC - C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
_________________________

I shall be standing by, awaiting your further instructions. Gratitude abounds for your continuing assistance!

#8 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 10 October 2005 - 05:17 PM

Search for and Delete if found

C:\WINDOWS\system32\loqweaed.dll<- That File!

Please Install these 2 to add to the Security of the PC!

SpywareBlaster:
http://www.javacoolsoftware.com/spywareblaster.html
Update Immediatly!

WinHelp2002 Hosts File
http://www.mvps.org/winhelp2002/hosts2.htm

Disable System Restore
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Go ahead and Reconfigure Msconfig the way you like the PC to Startup!

Go ahead and remove any of the tools downloaded that are of no use anymore!

Post back and let me know how things are?

#9 trudger

trudger
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:10:42 PM

Posted 10 October 2005 - 07:32 PM

Okay -- I've searched for loqweaed.dll, but nothing turned up.

I already run SpywareBlaster which I keep up-to-date and which, BTW, did not stop the ridiculous mess that invaded my computer.

I did install the WinHelp2002 Hosts File.

You also mentioned disabling System Restore. I've had System Restore disabled thoughout my ordeal because it would only have been creating unusable restore points. Are you saying that it needs to stay disabled? Before all of this happened, I found it to be quite useful and would like to be able to use it again. But if you confirm that it should remain disabled, that's the way I'll leave it.

Now, what about those entries you had told me to fix using HJT, but that didn't show up until I ran the scan I posted in my last message? Should I fix them now? Here they are:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop

And what about the entry that I haven't seen previously? Is it okay? It's this one:

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/usa/buy/locator/home-hom...o&mtxb=2&mtxl=2

Many thanks, again, for all of your help!

#10 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 12 October 2005 - 02:15 AM

All those entries can go,they really dont serve any purpose!

Good Call on System Restore,Now is the time to renable it and restart to create a new clean restore point!

You may find some extra information in those 3 little black links in my signature!

If you feel you ever need us again,you know where to find us!

#11 trudger

trudger
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  

Posted 12 October 2005 - 11:27 AM

Cretemonster, I just can't thank you enough! I never would have been able to deal with this frustrating mess without your help. Thank you, thank you!!

And now I'm off to get rid of the last of those entries, after which I plan to explore those links of yours. I'll also be hunting for better protection, as Ad-Aware, Spybot, SpywareBlaster, Zone Alarm and Norton Anti-Virus did nothing to protect me from this ordeal. I've already dumped Norton Anti-Virus for refusing to help me unless I paid them a lot of money -- I'm currently running AVG Anti-Virus (the non-free version) instead.

BTW, Microsoft has just released a bunch of critical updates for Windows XP, which I've already downloaded and installed. How ironic that WinXP SP2 is supposed to be the most secure version of Windows, yet this is the only time my machine has been compromised since I first got into computers with Windows 3.1. Go figure.

At the risk of sounding like a broken record, thanks again for your most excellent help!!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users