Computer Infected With Ursnif (hide_evr2.sys) Components


5 replies to this topic

#1 strinh808

Posted 12 March 2007 - 11:58 PM

(I am posting a similar thread about this same problem but it's on a different computer, so please do not disregard this as a duplicate thread; I need two separate responses. Thanks).

Hello!

I am running Windows XP and although my computer has always had weird problems, I didn't run any type of scan until last night and discovered that there was a serious problem. PestPatrol found the following Ursnif-related files on my computer:

File: c:\windows\9129837.exe
File: c:\windows\hide_evr2.sys
Key: hkey_current_user\software\microsoft\windows\currentversion\run
Key: hkey_local_machine\system\currentcontrolset\enum\root\legacy_hide_evr2
Key: hkey_local_machine\system\currentcontrolset\services\hide_evr2

I don't have the full version of PestPatrol so I couldn't use that to deal with the problem. Instead, I did everything in the preparation guide, and then re-ran a PestPatrol scan. This time, only one of the five components above was still showing up:

Key: hkey_local_machine\system\currentcontrolset\enum\root\legacy_hide_evr2

What should I do at this point?

Thanks in advance!

-----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 11:15:26 AM, on 3/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft LifeCam\MSCamSvc.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\PsCtrls.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\WINDOWS\vVX1000.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
c:\program files\panda software\panda antivirus 2007\WebProxy.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.inboxdollars.com/members/?p=cash_surveys
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.netpede.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netpede.com/
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [Samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\AMITUO~1\LOCALS~1\Temp\{917D8BB2-5E94-44B1-A95F-6B2FF69AC760}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: PDFtypewriter - {B5EE1724-E26C-4431-A8F3-96FC5FE55CA1} - C:\Program Files\PDFtypewriter\PDFtypewriterie.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\PsCtrls.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


#2 OldTimer (Malware Expert)

Posted 14 March 2007 - 06:39 PM

Hello strinh808 and welcome to the BC HijackThis forum. I don't see anything in the log but this is a rootkit which can hide itself. It also steals passwords so at this point I would not use this machine for any secure computing that requires passwords (on-line accounts of any kind).

Let's try a different scanner and see what we find. Download WinPFind3u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
  • Start in Safe Mode Using the F8 method:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
    • Use the arrow keys to select the Safe Mode menu item.
    • Press the Enter key.
  • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

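Two things in the thread so far are worth seeing in code: OldTimer's point that a kernel rootkit can filter what a user-mode tool such as HijackThis enumerates (which is why he asks for a second scanner run from Safe Mode), and the one item that survived the poster's cleanup, HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HIDE_EVR2. The standard answer to the first is a cross-view check: take the same inventory from two independent sources and explain every difference. The second is ordinary Windows residue: the PnP manager creates a LEGACY_<NAME> key under Enum\Root for every legacy (non-PnP) driver service that has ever been started, and deleting Services\<NAME> does not remove it, so a scanner keyed on that name keeps reporting it after the driver and its service are gone. The example below is added here and is not code from the thread, from HijackThis or from WinPFind3u. It parses the O23 and [Win32 Services] lines quoted from the two logs above, diffs the two tools' views, and then diffs a constructed registry view (what a Safe Mode or offline-hive read of the Services key would show, with a hypothetical hidden driver named hide_evr2 added) against a constructed live driver enumeration. The driver service names vsdatant and pavdrv51, the Enum\Root key list and both registry views are assumptions built for the example.

```python
"""Cross-view checks for a driver that hides from user-mode tools.

Added example; not code from the thread, HijackThis or WinPFind3u. Parses the
service lines quoted from both logs, compares the two tools' views, then
compares a CONSTRUCTED registry view (Safe Mode / offline hive read of
HKLM\\SYSTEM\\CurrentControlSet\\Services) against a CONSTRUCTED live view.
"""
import re

# Verbatim O23 lines from the HijackThis log in the thread (subset).
HJT_EXCERPT = r"""
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# [Win32 Services] lines from the WinPFind3u log in the thread, abridged after the vendor field.
WPF_EXCERPT = r"""
(Adobe LM Service) Adobe LM Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Adobe Systems Shared\Service\Adobelmsvc.exe -> Adobe Systems
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software
(MSCSPTISRV) MSCSPTISRV [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Sony Shared\AVLib\MSCSPTISRV.exe -> Sony Corporation
(PAVSRV) Panda anti-virus service [Win32_Own | Auto | Stopped] -> %ProgramFiles%\Panda Software\Panda Antivirus 2007\PAVSRV51.EXE -> Panda Software International
(vsmon) TrueVector Internet Monitor [Win32_Own | Auto | Stopped] -> %System32%\ZoneLabs\vsmon.exe -> Zone Labs, LLC
"""

HJT_O23 = re.compile(r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^)]+)\))?"
                     r" - (?P<vendor>.*?) - (?P<path>.+)$")
WPF_SVC = re.compile(r"^\((?P<name>[^)]+)\) (?P<display>.+?) \[(?P<kind>[^|\]]+) \| "
                     r"(?P<start>[^|\]]+) \| (?P<state>[^\]]+)\] -> (?P<path>.+?) -> ")


def parse_hijackthis_services(text):
    """name -> image path for O23 lines; HijackThis prints the short name in parentheses when it has one."""
    out = {}
    for line in text.splitlines():
        m = HJT_O23.match(line.strip())
        if m:
            out[(m["name"] or m["display"]).lower()] = m["path"]
    return out


def parse_winpfind_services(text):
    """name -> image path for WinPFind3u [Win32 Services] lines."""
    out = {}
    for line in text.splitlines():
        m = WPF_SVC.match(line.strip())
        if m:
            out[m["name"].lower()] = m["path"]
    return out


def compare_views(a, b):
    """Names present in only one of two independent enumerations, as (only_in_a, only_in_b)."""
    return sorted(set(a) - set(b)), sorted(set(b) - set(a))


SERVICE_KERNEL_DRIVER, SERVICE_FILE_SYSTEM_DRIVER = 0x1, 0x2   # 'Type' values under Services\<name>
SERVICE_WIN32_OWN_PROCESS, SERVICE_WIN32_SHARE_PROCESS = 0x10, 0x20

# CONSTRUCTED registry view: Services\<name> -> (Type, ImagePath). Driver service names for the
# ZoneAlarm and Panda drivers are assumed; 'hide_evr2' is the hypothetical hidden driver.
REGISTRY_VIEW_BEFORE = {
    "adobe lm service": (SERVICE_WIN32_OWN_PROCESS, r"C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"),
    "dmadmin": (SERVICE_WIN32_SHARE_PROCESS, r"%SystemRoot%\System32\dmadmin.exe"),
    "mscsptisrv": (SERVICE_WIN32_OWN_PROCESS, r"C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe"),
    "pavsrv": (SERVICE_WIN32_OWN_PROCESS, r"C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe"),
    "vsmon": (SERVICE_WIN32_OWN_PROCESS, r"C:\WINDOWS\system32\ZoneLabs\vsmon.exe"),
    "vsdatant": (SERVICE_KERNEL_DRIVER, r"\SystemRoot\system32\vsdatant.sys"),
    "pavdrv51": (SERVICE_KERNEL_DRIVER, r"\SystemRoot\system32\drivers\PAVDRV51.SYS"),
    "hide_evr2": (SERVICE_KERNEL_DRIVER, r"\??\C:\WINDOWS\hide_evr2.sys"),
}
# The same view after the driver file and its Services key were removed (the poster's second scan).
REGISTRY_VIEW_AFTER = {k: v for k, v in REGISTRY_VIEW_BEFORE.items() if k != "hide_evr2"}

# CONSTRUCTED live driver enumeration on the infected system: the rootkit filters itself out.
LIVE_DRIVER_VIEW = {"vsdatant", "pavdrv51"}

# CONSTRUCTED Enum\Root subkeys: the PnP manager creates LEGACY_<NAME> for each legacy driver
# service that has ever started, and deleting Services\<NAME> does not remove it.
ENUM_ROOT_KEYS = ["LEGACY_HIDE_EVR2", "LEGACY_PAVDRV51", "LEGACY_VSDATANT"]


def hidden_services(registry_view, live_names, kinds=(SERVICE_KERNEL_DRIVER, SERVICE_FILE_SYSTEM_DRIVER)):
    """Registry entries of the given Type(s) that the live enumeration does not report."""
    return sorted(n for n, (kind, _) in registry_view.items() if kind in kinds and n not in live_names)


def legacy_orphans(enum_root_keys, registry_view):
    """LEGACY_<NAME> keys whose Services\\<NAME> key is gone: residue of a removed driver."""
    orphans = {}
    for key in enum_root_keys:
        if key.upper().startswith("LEGACY_"):
            name = key[len("LEGACY_"):].lower()
            if name not in registry_view:
                orphans[key] = name
    return orphans


if __name__ == "__main__":
    hjt, wpf = parse_hijackthis_services(HJT_EXCERPT), parse_winpfind_services(WPF_EXCERPT)
    print("only HijackThis / only WinPFind3u:", compare_views(hjt, wpf))
    print("drivers hidden from the live view:", hidden_services(REGISTRY_VIEW_BEFORE, LIVE_DRIVER_VIEW))
    print("orphaned LEGACY_ keys after cleanup:", legacy_orphans(ENUM_ROOT_KEYS, REGISTRY_VIEW_AFTER))
```

Two caveats the code makes visible. A difference between two tools is not automatically hiding: here dmadmin appears only in the WinPFind3u list, and the explanation is the tools' different filtering of Microsoft entries, not a rootkit. And a registry view taken on the live system while the rootkit is active can be filtered just like the API view, which is why the trusted side of the comparison should come from Safe Mode or from an offline hive, as the Safe Mode instruction above does. The remaining LEGACY_HIDE_EVR2 key is inert once the driver and its service are gone; on Windows such keys are normally owned by SYSTEM with a restrictive ACL, so removing one by hand means adjusting its permissions first rather than just pressing Delete in regedit.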

#3 strinh808 (Topic Starter)

Posted 15 March 2007 - 06:32 PM

Hi OldTimer,

First off, thanks so much for helping me out.

Here is the WinPFind3 log you requested:

WinPFind3 logfile created on: 3/15/2007 12:04:30 PM
WinPFind3U by OldTimer - Version 1.0.23 Folder = C:\Program Files\WinPFind3u\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2180)

260632 Kb Total Physical Memory | 160784 Kb Available Physical Memory | 61.69% Memory free
640412 Kb Paging File | 585984 Kb Available in Paging File | 91.50% Paging File free
Paging file location(s): C:\pagefile.sys 384 768;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 60026368 Kb Total Space | 38976820 Kb Free Space | 64.93% Space Free
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded


[Processes - Non-Microsoft Only]
winpfind3u.exe -> %ProgramFiles%\WinPFind3u\WinPFind3u\WinPFind3U.exe -> Oldtimer Tools [Ver = 1.0.23.0 | Size = 313344 bytes | Modified Date = 3/11/2007 10:34:40 AM | Attr = ]

[Win32 Services - Non-Microsoft Only]
(Adobe LM Service) Adobe LM Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Adobe Systems Shared\Service\Adobelmsvc.exe -> Adobe Systems [Ver = 2.67.010 | Size = 72704 bytes | Modified Date = 2/10/2006 7:54:36 PM | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 8/3/2004 9:56:48 PM | Attr = ]
(MSCSPTISRV) MSCSPTISRV [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Sony Shared\AVLib\MSCSPTISRV.exe -> Sony Corporation [Ver = 4.3.00.08302 | Size = 53337 bytes | Modified Date = 8/30/2005 3:00:50 PM | Attr = ]
(PACSPTISVR) PACSPTISVR [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Sony Shared\AVLib\PACSPTISVR.exe -> Sony Corporation [Ver = 4.3.00.08302 | Size = 53337 bytes | Modified Date = 8/30/2005 2:55:18 PM | Attr = ]
(Panda Software Controller) Panda Software Controller [Win32_Own | Auto | Stopped] -> %ProgramFiles%\Panda Software\Panda Antivirus 2007\PsCtrlS.exe -> Panda Software International [Ver = 2.02.02.00 | Size = 217088 bytes | Modified Date = 1/25/2007 1:33:34 PM | Attr = ]
(PAVSRV) Panda anti-virus service [Win32_Own | Auto | Stopped] -> %ProgramFiles%\Panda Software\Panda Antivirus 2007\PAVSRV51.EXE -> Panda Software International [Ver = 2, 1, 16, 0 | Size = 130560 bytes | Modified Date = 1/19/2007 2:52:34 PM | Attr = ]
(PSIMSVC) Panda IManager Service [Win32_Own | Auto | Stopped] -> %ProgramFiles%\Panda Software\Panda Antivirus 2007\PsImSvc.exe -> Panda Software International [Ver = 2, 7, 50, 0 | Size = 102400 bytes | Modified Date = 1/18/2007 6:02:20 PM | Attr = ]
(SPTISRV) Sony SPTI Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Sony Shared\AVLib\SPTISRV.exe -> Sony Corporation [Ver = 4.3.00.08302 | Size = 69718 bytes | Modified Date = 8/30/2005 2:49:34 PM | Attr = ]
(SSScsiSV) SonicStage SCSI Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Sony Shared\AVLib\SSScsiSV.exe -> Sony Corporation [Ver = 3.3.00.09270 | Size = 69632 bytes | Modified Date = 9/27/2005 5:19:26 AM | Attr = ]
(vsmon) TrueVector Internet Monitor [Win32_Own | Auto | Stopped] -> %System32%\ZoneLabs\vsmon.exe -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 75568 bytes | Modified Date = 1/8/2007 2:29:38 PM | Attr = ]

[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
APVXDWIN -> %ProgramFiles%\Panda Software\Panda Antivirus 2007\ApVxdWin.exe -> Panda Software International [Ver = 8.00.25.00 | Size = 321072 bytes | Modified Date = 1/25/2007 6:50:40 PM | Attr = ]
AtiPTA -> %System32%\atiptaxx.exe -> ATI Technologies, Inc. [Ver = 6.13.2523 | Size = 270336 bytes | Modified Date = 10/10/2001 3:59:26 PM | Attr = ]
CaISSDT -> %ProgramFiles%\CA\eTrust Internet Security Suite\caissdt.exe -> Computer Associates International, Inc. [Ver = Version 2.0.1.1 | Size = 165416 bytes | Modified Date = 4/21/2006 2:42:24 PM | Attr = ]
eTrustPPAP -> %ProgramFiles%\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe -> Computer Associates [Ver = 8, 0, 0, 3 | Size = 258048 bytes | Modified Date = 3/11/2007 12:23:58 PM | Attr = ]
HotKeysCmds -> %System32%\hkcmd.exe -> Intel Corporation [Ver = 3.0.0.3889 | Size = 118784 bytes | Modified Date = 8/20/2004 3:51:14 PM | Attr = ]
IgfxTray -> %System32%\igfxtray.exe -> Intel Corporation [Ver = 3.0.0.3889 | Size = 155648 bytes | Modified Date = 8/20/2004 3:55:14 PM | Attr = ]
LanzarL2007 -> %SystemDrive%\DOCUME~1\AMITUO~1\LOCALS~1\Temp\{917D8BB2-5E94-44B1-A95F-6B2FF69AC760}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe -> File not found
MSPY2002 -> %System32%\IME\PINTLGNT\IMSCINST.EXE -> [Ver = | Size = 59392 bytes | Modified Date = 8/28/2002 11:39:06 AM | Attr = ]
Samsung Common SM -> %SystemRoot%\Samsung\ComSMMgr\ssmmgr.exe -> File not found
SsAAD.exe -> %ProgramFiles%\Sony\SonicStage\SSAAD.exe -> [Ver = 3.3.00.09270 | Size = 81920 bytes | Modified Date = 9/27/2005 6:59:10 AM | Attr = ]
UserFaultCheck -> -> File not found
ZoneAlarm Client -> %ProgramFiles%\Zone Labs\ZoneAlarm\zlclient.exe -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 919280 bytes | Modified Date = 1/8/2007 2:29:40 PM | Attr = ]
< OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\
IMAIL -> Installed = 1 ->
MAPI -> Installed = 1 ->
MSFS -> Installed = 1 ->
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
updateMgr -> %ProgramFiles%\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe -> Adobe Systems Incorporated [Ver = 3.1.0.10 | Size = 313472 bytes | Modified Date = 3/30/2006 4:45:08 PM | Attr = ]
< Common Startup > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup
%AllUsersStartup%\Adobe Reader Speed Launch.lnk -> %ProgramFiles%\Adobe\Acrobat 7.0\Reader\reader_sl.exe -> Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 29696 bytes | Modified Date = 9/23/2005 8:05:26 PM | Attr = ]
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
*VMApplet* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet ->
Control_RunDLL -> -> File not found
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
avldr -> %System32%\avldr.dll -> Panda Software International [Ver = 2, 1, 0, 2 | Size = 45056 bytes | Modified Date = 7/14/2006 1:46:12 PM | Attr = ]
igfxcui -> %System32%\igfxsrvc.dll -> Intel Corporation [Ver = 3.0.0.3889 | Size = 344064 bytes | Modified Date = 8/20/2004 3:50:54 PM | Attr = ]
< HOSTS File > (734 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts
127.0.0.1 localhost -> ->
< Internet Explorer Settings > ->
HKLM: Default_Page_URL -> http://www.netpede.com/ ->
HKLM: Main\\Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?p...&ar=iesearch ->
HKLM: Local Page -> %SystemRoot%\system32\blank.htm ->
HKLM: Search Page -> http://www.microsoft.com/isapi/redir.dll?p...&ar=iesearch ->
HKLM: Start Page -> http://www.netpede.com/ ->
HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKLM: SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm ->
HKCU: Local Page -> C:\WINDOWS\system32\blank.htm ->
HKCU: Search Page -> http://www.microsoft.com/isapi/redir.dll?p...&ar=iesearch ->
HKCU: Start Page -> http://www.inboxdollars.com/members/?p=cash_surveys ->
HKCU: ProxyEnable -> 0 ->
< Trusted Sites > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
msn.com [ - ] -> ->
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{00C6482D-C502-44C8-8409-FCE54AD9C208} [HKLM] -> %ProgramFiles%\TechSmith\SnagIt 7\SnagItBHO.dll [HelperObject Class] -> TechSmith Corporation [Ver = 1.0.1 | Size = 49152 bytes | Modified Date = 6/17/2005 7:24:00 AM | Attr = ]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 7.0.7.2006011200 | Size = 63128 bytes | Modified Date = 1/12/2006 8:38:22 PM | Attr = ]
{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Reg Data - Value does not exist] -> Safer Networking Limited [Ver = 1, 4, 0, 0 | Size = 853672 bytes | Modified Date = 5/31/2005 1:04:00 AM | Attr = ]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> %ProgramFiles%\Java\jre1.5.0_06\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc. [Ver = 5.0.60.5 | Size = 184423 bytes | Modified Date = 11/10/2005 1:22:10 PM | Attr = ]
{7E853D72-626A-48EC-A868-BA8D5E23E045} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
< Internet Explorer Bars [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{32683183-48a0-441b-a342-7c2a440a9478} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} [HKLM] -> %ProgramFiles%\TechSmith\SnagIt 7\SnagItIEAddin.dll [SnagIt] -> TechSmith Corporation [Ver = 1.0.6 | Size = 131072 bytes | Modified Date = 6/17/2005 7:24:00 AM | Attr = ]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
WebBrowser\\{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.5.0_06\bin\npjpi150_06.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 5.0.60.5 | Size = 69746 bytes | Modified Date = 11/10/2005 1:22:10 PM | Attr = ]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKCU] -> %ProgramFiles%\Java\jre1.5.0_06\bin\ssv.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 5.0.60.5 | Size = 184423 bytes | Modified Date = 11/10/2005 1:22:10 PM | Attr = ]
{B5EE1724-E26C-4431-A8F3-96FC5FE55CA1} -> %ProgramFiles%\PDFtypewriter\PDFtypewriterie.exe [ButtonText: PDFtypewriter] -> File not found
< Internet Explorer Menu Extensions [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\
E&xport to Microsoft Excel -> -> File not found
< User Agent Post Platform [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
SV1 -> ->
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\
{0718CBBB-4D43-4972-BE12-E7E00B6E417E} -> (Linksys Wireless-B USB Network Adapter v2.8) ->
{16ACBFDB-1FEC-4F7B-852C-01F65E6B32A4} -> (Linksys Wireless-B USB Network Adapter v2.8) ->
{90BA701F-32AE-48F0-9CDA-B16AF69E1556} -> (Linksys Wireless-B USB Network Adapter v2.8) ->
{A3D689DB-0746-4641-8D27-0CBF07AF62EE} -> () ->
{A8DFAFF8-3A63-4BBF-BB00-DE87D5FE48BA} -> (Realtek RTL8139 Family PCI Fast Ethernet NIC) ->
{F94BEFDF-6DE4-42E3-91E4-72678935BF5F} -> (Linksys Wireless-B USB Network Adapter v2.8) ->
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
skype4com -> %CommonProgramFiles%\Skype\Skype4COM.dll -> Skype Technologies [Ver = 1, 0, 27, 0 | Size = 1828440 bytes | Modified Date = 1/12/2007 12:50:48 PM | Attr = R ]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
{17492023-C23A-453E-A040-C7C580BBF700} -> Windows Genuine Advantage Validation Tool - CodeBase = http://go.microsoft.com/fwlink/?linkid=39204 ->
{8AD9C840-044E-11D1-B3E9-00805F499D93} -> Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab ->
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} -> Shockwave Flash Object - CodeBase = http://download.macromedia.com/pub/shockwa...ash/swflash.cab ->
DirectAnimation Java Classes -> - CodeBase = file://C:\WINDOWS\Java\classes\dajava.cab ->
Microsoft XML Parser for Java -> - CodeBase = file://C:\WINDOWS\Java\classes\xmldso.cab ->


[Files/Folders - Created Within 30 days]
Internet Logs -> %SystemRoot%\Internet Logs -> [Folder | Created Date = 3/13/2007 9:21:49 AM | Attr = ]
pestpatrol5.INI -> %SystemRoot%\pestpatrol5.INI -> [Ver = | Size = 0 bytes | Created Date = 3/11/2007 12:27:19 PM | Attr = ]
zllsputility.exe -> %SystemRoot%\zllsputility.exe -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 75512 bytes | Created Date = 3/13/2007 9:22:59 AM | Attr = ]
avldr.dll -> %System32%\avldr.dll -> Panda Software International [Ver = 2, 1, 0, 2 | Size = 45056 bytes | Created Date = 3/13/2007 5:23:37 AM | Attr = ]
DRVSTORE -> %System32%\DRVSTORE -> [Folder | Created Date = 2/18/2007 1:54:39 AM | Attr = ]
libeay32_0.9.6l.dll -> %System32%\libeay32_0.9.6l.dll -> [Ver = | Size = 796312 bytes | Created Date = 3/13/2007 9:22:44 AM | Attr = ]
odbcinst.cnt -> %System32%\odbcinst.cnt -> [Ver = | Size = 324 bytes | Created Date = 3/2/2007 7:38:13 AM | Attr = ]
odbcinst.hlp -> %System32%\odbcinst.hlp -> [Ver = | Size = 37062 bytes | Created Date = 3/2/2007 7:38:13 AM | Attr = ]
Odbcjet.cnt -> %System32%\Odbcjet.cnt -> [Ver = | Size = 6902 bytes | Created Date = 3/2/2007 7:38:13 AM | Attr = ]
Odbcjet.hlp -> %System32%\Odbcjet.hlp -> [Ver = | Size = 170865 bytes | Created Date = 3/2/2007 7:38:13 AM | Attr = ]
PAV -> %System32%\PAV -> [Folder | Created Date = 3/13/2007 5:24:09 AM | Attr = ]
pavcpl.cpl -> %System32%\pavcpl.cpl -> Panda Software [Ver = 1, 0, 1, 0 | Size = 49152 bytes | Created Date = 3/13/2007 5:23:51 AM | Attr = ]
PavCPL.dat -> %System32%\PavCPL.dat -> [Ver = | Size = 248 bytes | Created Date = 3/13/2007 5:26:09 AM | Attr = ]
vsconfig.xml -> %System32%\vsconfig.xml -> [Ver = | Size = 49404 bytes | Created Date = 3/13/2007 9:22:29 AM | Attr = ]
vsdata.dll -> %System32%\vsdata.dll -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 83696 bytes | Created Date = 3/13/2007 9:21:49 AM | Attr = ]
vsdatant.sys -> %System32%\vsdatant.sys -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 394160 bytes | Created Date = 3/13/2007 9:22:29 AM | Attr = ]
vsinit.dll -> %System32%\vsinit.dll -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 157424 bytes | Created Date = 3/13/2007 9:21:49 AM | Attr = ]
vsmonapi.dll -> %System32%\vsmonapi.dll -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 104176 bytes | Created Date = 3/13/2007 9:22:31 AM | Attr = ]
vspubapi.dll -> %System32%\vspubapi.dll -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 272112 bytes | Created Date = 3/13/2007 9:22:31 AM | Attr = ]
vsregexp.dll -> %System32%\vsregexp.dll -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 71408 bytes | Created Date = 3/13/2007 9:22:44 AM | Attr = ]
vsutil.dll -> %System32%\vsutil.dll -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 472816 bytes | Created Date = 3/13/2007 9:21:49 AM | Attr = ]
vswmi.dll -> %System32%\vswmi.dll -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 46832 bytes | Created Date = 3/13/2007 9:22:34 AM | Attr = ]
vsxml.dll -> %System32%\vsxml.dll -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 100080 bytes | Created Date = 3/13/2007 9:22:32 AM | Attr = ]
zlcomm.dll -> %System32%\zlcomm.dll -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 83696 bytes | Created Date = 3/13/2007 9:22:42 AM | Attr = ]
zlcommdb.dll -> %System32%\zlcommdb.dll -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 71408 bytes | Created Date = 3/13/2007 9:22:42 AM | Attr = ]
zllictbl.dat -> %System32%\zllictbl.dat -> [Ver = | Size = 4212 bytes | Created Date = 3/13/2007 9:23:30 AM | Attr = H ]
ZoneLabs -> %System32%\ZoneLabs -> [Folder | Created Date = 3/13/2007 9:22:31 AM | Attr = ]
zpeng24.dll -> %System32%\zpeng24.dll -> Python Software Foundation [Ver = 2.4.2 | Size = 1087216 bytes | Created Date = 3/13/2007 9:22:32 AM | Attr = ]
PAVDRV51.SYS -> %System32%\drivers\PAVDRV51.SYS -> Panda Software International [Ver = 7.0.1.0 (av07_rtm.070117-1343) | Size = 71680 bytes | Created Date = 3/13/2007 5:26:10 AM | Attr = ]

[Files/Folders - Modified Within 30 days]
Program Files -> %ProgramFiles% -> [Folder | Modified Date = 3/15/2007 12:54:26 AM | Attr = R ]
temp -> %SystemDrive%\temp -> [Folder | Modified Date = 3/2/2007 7:39:24 AM | Attr = ]
WINDOWS -> %SystemRoot% -> [Folder | Modified Date = 3/15/2007 11:42:12 AM | Attr = ]
bootstat.dat -> %SystemRoot%\bootstat.dat -> [Ver = | Size = 2048 bytes | Modified Date = 3/15/2007 11:46:26 AM | Attr = S]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files -> [Folder | Modified Date = 2/25/2007 5:59:28 PM | Attr = S]
Help -> %SystemRoot%\Help -> [Folder | Modified Date = 3/1/2007 2:22:54 PM | Attr = ]
inf -> %SystemRoot%\inf -> [Folder | Modified Date = 3/11/2007 12:22:14 PM | Attr = H ]
Installer -> %SystemRoot%\Installer -> [Folder | Modified Date = 3/13/2007 5:09:08 AM | Attr = HS]
Internet Logs -> %SystemRoot%\Internet Logs -> [Folder | Modified Date = 3/15/2007 11:14:58 AM | Attr = ]
Minidump -> %SystemRoot%\Minidump -> [Folder | Modified Date = 3/15/2007 12:59:42 AM | Attr = ]
ODBC.INI -> %SystemRoot%\ODBC.INI -> [Ver = | Size = 476 bytes | Modified Date = 3/2/2007 7:38:42 AM | Attr = ]
ODBCINST.INI -> %SystemRoot%\ODBCINST.INI -> [Ver = | Size = 4161 bytes | Modified Date = 3/2/2007 7:38:30 AM | Attr = ]
pestpatrol5.INI -> %SystemRoot%\pestpatrol5.INI -> [Ver = | Size = 0 bytes | Modified Date = 3/11/2007 12:27:20 PM | Attr = ]
Prefetch -> %SystemRoot%\Prefetch -> [Folder | Modified Date = 3/15/2007 12:53:34 AM | Attr = ]
RegisteredPackages -> %SystemRoot%\RegisteredPackages -> [Folder | Modified Date = 2/18/2007 2:02:20 AM | Attr = ]
security -> %SystemRoot%\security -> [Folder | Modified Date = 2/18/2007 10:03:30 AM | Attr = ]
system32 -> %System32% -> [Folder | Modified Date = 3/13/2007 9:23:32 AM | Attr = ]
Temp -> %SystemRoot%\Temp -> [Folder | Modified Date = 3/15/2007 11:41:02 AM | Attr = ]
twain_32 -> %SystemRoot%\twain_32 -> [Folder | Modified Date = 2/18/2007 2:07:12 AM | Attr = ]
WinSxS -> %SystemRoot%\WinSxS -> [Folder | Modified Date = 2/18/2007 1:54:04 AM | Attr = ]
WMSysPr9.prx -> %SystemRoot%\WMSysPr9.prx -> [Ver = | Size = 316640 bytes | Modified Date = 2/18/2007 2:01:24 AM | Attr = ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [Ver = | Size = 6 bytes | Modified Date = 3/15/2007 11:45:28 AM | Attr = H ]
CatRoot -> %System32%\CatRoot -> [Folder | Modified Date = 2/18/2007 1:56:52 AM | Attr = ]
CatRoot2 -> %System32%\CatRoot2 -> [Folder | Modified Date = 3/14/2007 1:31:24 AM | Attr = ]
DirectX -> %System32%\DirectX -> [Folder | Modified Date = 2/18/2007 1:58:38 AM | Attr = ]
dllcache -> %System32%\dllcache -> [Folder | Modified Date = 3/13/2007 3:16:20 AM | Attr = RHS]
drivers -> %System32%\drivers -> [Folder | Modified Date = 3/15/2007 11:41:48 AM | Attr = ]
DRVSTORE -> %System32%\DRVSTORE -> [Folder | Modified Date = 2/18/2007 1:54:40 AM | Attr = ]
PAV -> %System32%\PAV -> [Folder | Modified Date = 3/14/2007 3:06:14 PM | Attr = ]
PavCPL.dat -> %System32%\PavCPL.dat -> [Ver = | Size = 248 bytes | Modified Date = 3/13/2007 5:26:10 AM | Attr = ]
perfc009.dat -> %System32%\perfc009.dat -> [Ver = | Size = 39992 bytes | Modified Date = 3/13/2007 5:28:02 AM | Attr = ]
perfh009.dat -> %System32%\perfh009.dat -> [Ver = | Size = 311604 bytes | Modified Date = 3/13/2007 5:28:02 AM | Attr = ]
PerfStringBackup.INI -> %System32%\PerfStringBackup.INI -> [Ver = | Size = 356120 bytes | Modified Date = 3/13/2007 5:28:00 AM | Attr = ]
vsconfig.xml -> %System32%\vsconfig.xml -> [Ver = | Size = 49404 bytes | Modified Date = 3/15/2007 11:43:04 AM | Attr = ]
wpa.dbl -> %System32%\wpa.dbl -> [Ver = | Size = 2206 bytes | Modified Date = 3/15/2007 11:21:46 AM | Attr = ]
zllictbl.dat -> %System32%\zllictbl.dat -> [Ver = | Size = 4212 bytes | Modified Date = 3/13/2007 9:32:26 AM | Attr = H ]
ZoneLabs -> %System32%\ZoneLabs -> [Folder | Modified Date = 3/13/2007 9:23:10 AM | Attr = ]

[File String Scan - Non-Microsoft Only]
Thawte Consulting , -> %System32%\cpwmon2k.dll -> [Ver = | Size = 87800 bytes | Modified Date = 12/10/2006 8:31:12 PM | Attr = ]
PEC2 , -> %System32%\dfrg.msc -> [Ver = | Size = 41397 bytes | Modified Date = 8/23/2001 11:00:00 AM | Attr = ]
PEC2 , PECompact2 , -> %System32%\DivX.dll -> DivXNetworks, Inc. [Ver = 5.2.1.1338 | Size = 716800 bytes | Modified Date = 10/26/2004 12:38:24 PM | Attr = ]
PTech , -> %System32%\igfxhcsy.lhp -> [Ver = | Size = 59914 bytes | Modified Date = 8/20/2004 3:56:24 PM | Attr = ]
winsync , -> %System32%\wbdbase.deu -> [Ver = | Size = 1309184 bytes | Modified Date = 8/23/2001 11:00:00 AM | Attr = ]
WSUD , UPX0 , -> %System32%\dllcache\hwxjpn.dll -> [Ver = | Size = 13463552 bytes | Modified Date = 8/23/2001 11:00:00 AM | Attr = ]
PTech , -> %System32%\dllcache\mtlstrm.sys -> Smart Link [Ver = 3.80.01MC15 | Size = 1309184 bytes | Modified Date = 8/3/2004 7:41:38 PM | Attr = ]
PTech , -> %System32%\drivers\mtlstrm.sys -> Smart Link [Ver = 3.80.01MC15 | Size = 1309184 bytes | Modified Date = 8/3/2004 7:41:38 PM | Attr = ]

< End of report >

#4 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina
  • Local time:05:59 AM

Posted 17 March 2007 - 10:44 AM

Hi strinh808. I don't see any signs of it in that log but let's see if it's there.

First, please print these directions so they will be available to you (we will be rebooting into Safe Mode during the fix).

Next, please follow the steps below in order:

Step #1

Download ATF Cleaner
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Step #2

Download AVG anti-spyware from HERE and save that file to your desktop.
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen, under "How to act" select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware. Do Not run a scan just yet; we will shortly.

Step #3

Now start WinPFind3U. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Registry - Non-Microsoft Only]
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {7E853D72-626A-48EC-A868-BA8D5E23E045} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
< Internet Explorer Bars [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YN -> {32683183-48a0-441b-a342-7c2a440a9478} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
YN -> {B5EE1724-E26C-4431-A8F3-96FC5FE55CA1} -> %ProgramFiles%\PDFtypewriter\PDFtypewriterie.exe [ButtonText: PDFtypewriter]
[ Extra Files ]
c:\windows\9129837.exe
c:\windows\hide_evr2.sys
[ Extra Registry Entries ]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} ->
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} ->
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_hide_evr2 ->
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\hide_evr2 ->


The fix should only take a very short time. You might be asked to reboot if any of the files could not be moved during the fix. If so, choose Yes and reboot into Safe Mode as shown below. If not, then reboot manually into Safe Mode.

Reboot into Safe Mode by doing the following:
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #4

Launch AVG Anti-Spyware by double-clicking the icon on your desktop.

IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning; it may interfere with the scanning process:
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
    • Make sure that Set all elements to: shows Quarantine, if not click on the link and choose Quarantine from the popup menu.
    • At the bottom of the window click on the "Apply all actions" button
    Note: Don't save the report before you hit the Apply action button.
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.
Step #5

Post the following back here:
  • a new WinPFind3U report (just run this one from a normal bootup)
  • the AVG Anti-Spyware report
  • the latest .log file from the WinPFind3u folder (it will be a .log file and have a date_time name in the format mmddyyyy_hhmmss.log)
I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#5 strinh808

strinh808
  • Topic Starter

  • Members
  • 6 posts
  • Local time:04:59 AM

Posted 19 March 2007 - 01:44 AM

Hi OldTimer,

I followed your instructions step by step, but for some reason AVG didn't generate a report at all. Please let me know if you need me to run another scan and try to get a report.

Here are the other two reports you requested:

------------------------------------------

NEW WINPFIND3 REPORT:

WinPFind3 logfile created on: 3/19/2007 12:13:16 AM
WinPFind3U by OldTimer - Version 1.0.23 Folder = C:\Program Files\WinPFind3u\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2180)

260632 Kb Total Physical Memory | 101272 Kb Available Physical Memory | 38.86% Memory free
640420 Kb Paging File | 353068 Kb Available in Paging File | 55.13% Paging File free
Paging file location(s): C:\pagefile.sys 384 768;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 60026368 Kb Total Space | 38945324 Kb Free Space | 64.88% Space Free
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded


[Processes - Non-Microsoft Only]
apvxdwin.exe -> %ProgramFiles%\Panda Software\Panda Antivirus 2007\ApVxdWin.exe -> Panda Software International [Ver = 8.00.25.00 | Size = 321072 bytes | Modified Date = 1/25/2007 6:50:40 PM | Attr = ]
avengine.exe -> %ProgramFiles%\Panda Software\Panda Antivirus 2007\AVENGINE.EXE -> Panda Software International [Ver = 2, 1, 19, 0 | Size = 90624 bytes | Modified Date = 1/19/2007 2:54:20 PM | Attr = ]
avgas.exe -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\avgas.exe -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 50 | Size = 6266880 bytes | Modified Date = 10/7/2006 2:20:00 AM | Attr = ]
caissdt.exe -> %ProgramFiles%\CA\eTrust Internet Security Suite\caissdt.exe -> Computer Associates International, Inc. [Ver = Version 2.0.1.1 | Size = 165416 bytes | Modified Date = 4/21/2006 2:42:24 PM | Attr = ]
guard.exe -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 47 | Size = 204800 bytes | Modified Date = 9/28/2006 4:13:20 AM | Attr = ]
hkcmd.exe -> %System32%\hkcmd.exe -> Intel Corporation [Ver = 3.0.0.3889 | Size = 118784 bytes | Modified Date = 8/20/2004 3:51:14 PM | Attr = ]
igfxtray.exe -> %System32%\igfxtray.exe -> Intel Corporation [Ver = 3.0.0.3889 | Size = 155648 bytes | Modified Date = 8/20/2004 3:55:14 PM | Attr = ]
pavsrv51.exe -> %ProgramFiles%\Panda Software\Panda Antivirus 2007\PAVSRV51.EXE -> Panda Software International [Ver = 2, 1, 16, 0 | Size = 130560 bytes | Modified Date = 1/19/2007 2:52:34 PM | Attr = ]
ppactivedetection.exe -> %ProgramFiles%\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe -> Computer Associates [Ver = 8, 0, 0, 3 | Size = 258048 bytes | Modified Date = 3/11/2007 12:23:58 PM | Attr = ]
psctrls.exe -> %ProgramFiles%\Panda Software\Panda Antivirus 2007\PsCtrlS.exe -> Panda Software International [Ver = 2.02.02.00 | Size = 217088 bytes | Modified Date = 1/25/2007 1:33:34 PM | Attr = ]
psimsvc.exe -> %ProgramFiles%\Panda Software\Panda Antivirus 2007\PsImSvc.exe -> Panda Software International [Ver = 2, 7, 50, 0 | Size = 102400 bytes | Modified Date = 1/18/2007 6:02:20 PM | Attr = ]
ssaad.exe -> %ProgramFiles%\Sony\SonicStage\SSAAD.exe -> [Ver = 3.3.00.09270 | Size = 81920 bytes | Modified Date = 9/27/2005 6:59:10 AM | Attr = ]
vsmon.exe -> %System32%\ZoneLabs\vsmon.exe -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 75568 bytes | Modified Date = 1/8/2007 2:29:38 PM | Attr = ]
webproxy.exe -> %ProgramFiles%\panda software\panda antivirus 2007\WebProxy.exe -> Panda Software International [Ver = 7, 1, 28, 44 | Size = 77824 bytes | Modified Date = 1/26/2007 12:00:00 PM | Attr = ]
winpfind3u.exe -> %ProgramFiles%\WinPFind3u\WinPFind3u\WinPFind3U.exe -> Oldtimer Tools [Ver = 1.0.23.0 | Size = 313344 bytes | Modified Date = 3/11/2007 10:34:40 AM | Attr = ]
zlclient.exe -> %ProgramFiles%\Zone Labs\ZoneAlarm\zlclient.exe -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 919280 bytes | Modified Date = 1/8/2007 2:29:40 PM | Attr = ]

[Win32 Services - Non-Microsoft Only]
(Adobe LM Service) Adobe LM Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Adobe Systems Shared\Service\Adobelmsvc.exe -> Adobe Systems [Ver = 2.67.010 | Size = 72704 bytes | Modified Date = 2/10/2006 7:54:36 PM | Attr = ]
(AVG Anti-Spyware Guard) AVG Anti-Spyware Guard [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 47 | Size = 204800 bytes | Modified Date = 9/28/2006 4:13:20 AM | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 8/3/2004 9:56:48 PM | Attr = ]
(MSCSPTISRV) MSCSPTISRV [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Sony Shared\AVLib\MSCSPTISRV.exe -> Sony Corporation [Ver = 4.3.00.08302 | Size = 53337 bytes | Modified Date = 8/30/2005 3:00:50 PM | Attr = ]
(PACSPTISVR) PACSPTISVR [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Sony Shared\AVLib\PACSPTISVR.exe -> Sony Corporation [Ver = 4.3.00.08302 | Size = 53337 bytes | Modified Date = 8/30/2005 2:55:18 PM | Attr = ]
(Panda Software Controller) Panda Software Controller [Win32_Own | Auto | Running] -> %ProgramFiles%\Panda Software\Panda Antivirus 2007\PsCtrlS.exe -> Panda Software International [Ver = 2.02.02.00 | Size = 217088 bytes | Modified Date = 1/25/2007 1:33:34 PM | Attr = ]
(PAVSRV) Panda anti-virus service [Win32_Own | Auto | Running] -> %ProgramFiles%\Panda Software\Panda Antivirus 2007\PAVSRV51.EXE -> Panda Software International [Ver = 2, 1, 16, 0 | Size = 130560 bytes | Modified Date = 1/19/2007 2:52:34 PM | Attr = ]
(PSIMSVC) Panda IManager Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Panda Software\Panda Antivirus 2007\PsImSvc.exe -> Panda Software International [Ver = 2, 7, 50, 0 | Size = 102400 bytes | Modified Date = 1/18/2007 6:02:20 PM | Attr = ]
(SPTISRV) Sony SPTI Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Sony Shared\AVLib\SPTISRV.exe -> Sony Corporation [Ver = 4.3.00.08302 | Size = 69718 bytes | Modified Date = 8/30/2005 2:49:34 PM | Attr = ]
(SSScsiSV) SonicStage SCSI Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Sony Shared\AVLib\SSScsiSV.exe -> Sony Corporation [Ver = 3.3.00.09270 | Size = 69632 bytes | Modified Date = 9/27/2005 5:19:26 AM | Attr = ]
(vsmon) TrueVector Internet Monitor [Win32_Own | Auto | Running] -> %System32%\ZoneLabs\vsmon.exe -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 75568 bytes | Modified Date = 1/8/2007 2:29:38 PM | Attr = ]

[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
!AVG Anti-Spyware -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\avgas.exe -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 50 | Size = 6266880 bytes | Modified Date = 10/7/2006 2:20:00 AM | Attr = ]
APVXDWIN -> %ProgramFiles%\Panda Software\Panda Antivirus 2007\ApVxdWin.exe -> Panda Software International [Ver = 8.00.25.00 | Size = 321072 bytes | Modified Date = 1/25/2007 6:50:40 PM | Attr = ]
AtiPTA -> %System32%\atiptaxx.exe -> ATI Technologies, Inc. [Ver = 6.13.2523 | Size = 270336 bytes | Modified Date = 10/10/2001 3:59:26 PM | Attr = ]
CaISSDT -> %ProgramFiles%\CA\eTrust Internet Security Suite\caissdt.exe -> Computer Associates International, Inc. [Ver = Version 2.0.1.1 | Size = 165416 bytes | Modified Date = 4/21/2006 2:42:24 PM | Attr = ]
eTrustPPAP -> %ProgramFiles%\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe -> Computer Associates [Ver = 8, 0, 0, 3 | Size = 258048 bytes | Modified Date = 3/11/2007 12:23:58 PM | Attr = ]
HotKeysCmds -> %System32%\hkcmd.exe -> Intel Corporation [Ver = 3.0.0.3889 | Size = 118784 bytes | Modified Date = 8/20/2004 3:51:14 PM | Attr = ]
IgfxTray -> %System32%\igfxtray.exe -> Intel Corporation [Ver = 3.0.0.3889 | Size = 155648 bytes | Modified Date = 8/20/2004 3:55:14 PM | Attr = ]
LanzarL2007 -> %SystemDrive%\DOCUME~1\AMITUO~1\LOCALS~1\Temp\{917D8BB2-5E94-44B1-A95F-6B2FF69AC760}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe -> File not found
MSPY2002 -> %System32%\IME\PINTLGNT\IMSCINST.EXE -> [Ver = | Size = 59392 bytes | Modified Date = 8/28/2002 11:39:06 AM | Attr = ]
Samsung Common SM -> %SystemRoot%\Samsung\ComSMMgr\ssmmgr.exe -> File not found
SsAAD.exe -> %ProgramFiles%\Sony\SonicStage\SSAAD.exe -> [Ver = 3.3.00.09270 | Size = 81920 bytes | Modified Date = 9/27/2005 6:59:10 AM | Attr = ]
UserFaultCheck -> -> File not found
ZoneAlarm Client -> %ProgramFiles%\Zone Labs\ZoneAlarm\zlclient.exe -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 919280 bytes | Modified Date = 1/8/2007 2:29:40 PM | Attr = ]
< OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\
IMAIL -> Installed = 1 ->
MAPI -> Installed = 1 ->
MSFS -> Installed = 1 ->
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
updateMgr -> %ProgramFiles%\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe -> Adobe Systems Incorporated [Ver = 3.1.0.10 | Size = 313472 bytes | Modified Date = 3/30/2006 4:45:08 PM | Attr = ]
< Common Startup > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup
%AllUsersStartup%\Adobe Reader Speed Launch.lnk -> %ProgramFiles%\Adobe\Acrobat 7.0\Reader\reader_sl.exe -> Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 29696 bytes | Modified Date = 9/23/2005 8:05:26 PM | Attr = ]
< ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
{57B86673-276A-48B2-BAE7-C6DBB3020EB8} [HKLM] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll [AVG Anti-Spyware 7.5] -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 47 | Size = 73728 bytes | Modified Date = 9/28/2006 4:13:28 AM | Attr = ]
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
*VMApplet* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet ->
Control_RunDLL -> -> File not found
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
avldr -> %System32%\avldr.dll -> Panda Software International [Ver = 2, 1, 0, 2 | Size = 45056 bytes | Modified Date = 7/14/2006 1:46:12 PM | Attr = ]
igfxcui -> %System32%\igfxsrvc.dll -> Intel Corporation [Ver = 3.0.0.3889 | Size = 344064 bytes | Modified Date = 8/20/2004 3:50:54 PM | Attr = ]
< HOSTS File > (734 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts
127.0.0.1 localhost -> ->
< Internet Explorer Settings > ->
HKLM: Default_Page_URL -> http://www.netpede.com/ ->
HKLM: Main\\Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch ->
HKLM: Local Page -> %SystemRoot%\system32\blank.htm ->
HKLM: Search Page -> http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch ->
HKLM: Start Page -> http://www.netpede.com/ ->
HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKLM: SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm ->
HKCU: Local Page -> C:\WINDOWS\system32\blank.htm ->
HKCU: Search Page -> http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch ->
HKCU: Start Page -> http://www.inboxdollars.com/members/?p=cash_surveys ->
HKCU: ProxyEnable -> 0 ->
< Trusted Sites > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
msn.com [ - ] -> ->
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{00C6482D-C502-44C8-8409-FCE54AD9C208} [HKLM] -> %ProgramFiles%\TechSmith\SnagIt 7\SnagItBHO.dll [HelperObject Class] -> TechSmith Corporation [Ver = 1.0.1 | Size = 49152 bytes | Modified Date = 6/17/2005 7:24:00 AM | Attr = ]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 7.0.7.2006011200 | Size = 63128 bytes | Modified Date = 1/12/2006 8:38:22 PM | Attr = ]
{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Reg Data - Value does not exist] -> Safer Networking Limited [Ver = 1, 4, 0, 0 | Size = 853672 bytes | Modified Date = 5/31/2005 1:04:00 AM | Attr = ]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> %ProgramFiles%\Java\jre1.5.0_06\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc. [Ver = 5.0.60.5 | Size = 184423 bytes | Modified Date = 11/10/2005 1:22:10 PM | Attr = ]
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} [HKLM] -> %ProgramFiles%\TechSmith\SnagIt 7\SnagItIEAddin.dll [SnagIt] -> TechSmith Corporation [Ver = 1.0.6 | Size = 131072 bytes | Modified Date = 6/17/2005 7:24:00 AM | Attr = ]
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.5.0_06\bin\npjpi150_06.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 5.0.60.5 | Size = 69746 bytes | Modified Date = 11/10/2005 1:22:10 PM | Attr = ]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKCU] -> %ProgramFiles%\Java\jre1.5.0_06\bin\ssv.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 5.0.60.5 | Size = 184423 bytes | Modified Date = 11/10/2005 1:22:10 PM | Attr = ]
< Internet Explorer Menu Extensions [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\
E&xport to Microsoft Excel -> -> File not found
< User Agent Post Platform [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
SV1 -> ->
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\
{0718CBBB-4D43-4972-BE12-E7E00B6E417E} -> (Linksys Wireless-B USB Network Adapter v2.8) ->
{16ACBFDB-1FEC-4F7B-852C-01F65E6B32A4} -> (Linksys Wireless-B USB Network Adapter v2.8) ->
{90BA701F-32AE-48F0-9CDA-B16AF69E1556} -> (Linksys Wireless-B USB Network Adapter v2.8) ->
{A3D689DB-0746-4641-8D27-0CBF07AF62EE} -> () ->
{A8DFAFF8-3A63-4BBF-BB00-DE87D5FE48BA} -> (Realtek RTL8139 Family PCI Fast Ethernet NIC) ->
{F94BEFDF-6DE4-42E3-91E4-72678935BF5F} -> (Linksys Wireless-B USB Network Adapter v2.8) ->
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
skype4com -> %CommonProgramFiles%\Skype\Skype4COM.dll -> Skype Technologies [Ver = 1, 0, 27, 0 | Size = 1828440 bytes | Modified Date = 1/12/2007 12:50:48 PM | Attr = R ]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
{17492023-C23A-453E-A040-C7C580BBF700} -> Windows Genuine Advantage Validation Tool - CodeBase = http://go.microsoft.com/fwlink/?linkid=39204 ->
{8AD9C840-044E-11D1-B3E9-00805F499D93} -> Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab ->
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} -> Shockwave Flash Object - CodeBase = http://download.macromedia.com/pub/shockwa...ash/swflash.cab ->
DirectAnimation Java Classes -> - CodeBase = file://C:\WINDOWS\Java\classes\dajava.cab ->
Microsoft XML Parser for Java -> - CodeBase = file://C:\WINDOWS\Java\classes\xmldso.cab ->


[Files/Folders - Created Within 30 days]
Internet Logs -> %SystemRoot%\Internet Logs -> [Folder | Created Date = 3/13/2007 9:21:49 AM | Attr = ]
pestpatrol5.INI -> %SystemRoot%\pestpatrol5.INI -> [Ver = | Size = 0 bytes | Created Date = 3/11/2007 12:27:19 PM | Attr = ]
zllsputility.exe -> %SystemRoot%\zllsputility.exe -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 75512 bytes | Created Date = 3/13/2007 9:22:59 AM | Attr = ]
avldr.dll -> %System32%\avldr.dll -> Panda Software International [Ver = 2, 1, 0, 2 | Size = 45056 bytes | Created Date = 3/13/2007 5:23:37 AM | Attr = ]
DRVSTORE -> %System32%\DRVSTORE -> [Folder | Created Date = 2/18/2007 1:54:39 AM | Attr = ]
libeay32_0.9.6l.dll -> %System32%\libeay32_0.9.6l.dll -> [Ver = | Size = 796312 bytes | Created Date = 3/13/2007 9:22:44 AM | Attr = ]
odbcinst.cnt -> %System32%\odbcinst.cnt -> [Ver = | Size = 324 bytes | Created Date = 3/2/2007 7:38:13 AM | Attr = ]
odbcinst.hlp -> %System32%\odbcinst.hlp -> [Ver = | Size = 37062 bytes | Created Date = 3/2/2007 7:38:13 AM | Attr = ]
Odbcjet.cnt -> %System32%\Odbcjet.cnt -> [Ver = | Size = 6902 bytes | Created Date = 3/2/2007 7:38:13 AM | Attr = ]
Odbcjet.hlp -> %System32%\Odbcjet.hlp -> [Ver = | Size = 170865 bytes | Created Date = 3/2/2007 7:38:13 AM | Attr = ]
PAV -> %System32%\PAV -> [Folder | Created Date = 3/13/2007 5:24:09 AM | Attr = ]
pavcpl.cpl -> %System32%\pavcpl.cpl -> Panda Software [Ver = 1, 0, 1, 0 | Size = 49152 bytes | Created Date = 3/13/2007 5:23:51 AM | Attr = ]
PavCPL.dat -> %System32%\PavCPL.dat -> [Ver = | Size = 248 bytes | Created Date = 3/13/2007 5:26:09 AM | Attr = ]
vsconfig.xml -> %System32%\vsconfig.xml -> [Ver = | Size = 49404 bytes | Created Date = 3/13/2007 9:22:29 AM | Attr = ]
vsdata.dll -> %System32%\vsdata.dll -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 83696 bytes | Created Date = 3/13/2007 9:21:49 AM | Attr = ]
vsdatant.sys -> %System32%\vsdatant.sys -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 394160 bytes | Created Date = 3/13/2007 9:22:29 AM | Attr = ]
vsinit.dll -> %System32%\vsinit.dll -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 157424 bytes | Created Date = 3/13/2007 9:21:49 AM | Attr = ]
vsmonapi.dll -> %System32%\vsmonapi.dll -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 104176 bytes | Created Date = 3/13/2007 9:22:31 AM | Attr = ]
vspubapi.dll -> %System32%\vspubapi.dll -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 272112 bytes | Created Date = 3/13/2007 9:22:31 AM | Attr = ]
vsregexp.dll -> %System32%\vsregexp.dll -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 71408 bytes | Created Date = 3/13/2007 9:22:44 AM | Attr = ]
vsutil.dll -> %System32%\vsutil.dll -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 472816 bytes | Created Date = 3/13/2007 9:21:49 AM | Attr = ]
vswmi.dll -> %System32%\vswmi.dll -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 46832 bytes | Created Date = 3/13/2007 9:22:34 AM | Attr = ]
vsxml.dll -> %System32%\vsxml.dll -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 100080 bytes | Created Date = 3/13/2007 9:22:32 AM | Attr = ]
zlcomm.dll -> %System32%\zlcomm.dll -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 83696 bytes | Created Date = 3/13/2007 9:22:42 AM | Attr = ]
zlcommdb.dll -> %System32%\zlcommdb.dll -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 71408 bytes | Created Date = 3/13/2007 9:22:42 AM | Attr = ]
zllictbl.dat -> %System32%\zllictbl.dat -> [Ver = | Size = 4212 bytes | Created Date = 3/13/2007 9:23:30 AM | Attr = H ]
ZoneLabs -> %System32%\ZoneLabs -> [Folder | Created Date = 3/13/2007 9:22:31 AM | Attr = ]
zpeng24.dll -> %System32%\zpeng24.dll -> Python Software Foundation [Ver = 2.4.2 | Size = 1087216 bytes | Created Date = 3/13/2007 9:22:32 AM | Attr = ]
AvgAsCln.sys -> %System32%\drivers\AvgAsCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 3968 bytes | Created Date = 3/18/2007 5:29:29 AM | Attr = ]
PAVDRV51.SYS -> %System32%\drivers\PAVDRV51.SYS -> Panda Software International [Ver = 7.0.1.0 (av07_rtm.070117-1343) | Size = 71680 bytes | Created Date = 3/13/2007 5:26:10 AM | Attr = ]

[Files/Folders - Modified Within 30 days]
Program Files -> %ProgramFiles% -> [Folder | Modified Date = 3/18/2007 5:29:24 AM | Attr = R ]
temp -> %SystemDrive%\temp -> [Folder | Modified Date = 3/2/2007 7:39:24 AM | Attr = ]
WINDOWS -> %SystemRoot% -> [Folder | Modified Date = 3/18/2007 11:16:30 AM | Attr = ]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files -> [Folder | Modified Date = 2/25/2007 5:59:28 PM | Attr = S]
Help -> %SystemRoot%\Help -> [Folder | Modified Date = 3/1/2007 2:22:54 PM | Attr = ]
inf -> %SystemRoot%\inf -> [Folder | Modified Date = 3/11/2007 12:22:14 PM | Attr = H ]
Installer -> %SystemRoot%\Installer -> [Folder | Modified Date = 3/13/2007 5:09:08 AM | Attr = HS]
Internet Logs -> %SystemRoot%\Internet Logs -> [Folder | Modified Date = 3/19/2007 12:12:18 AM | Attr = ]
Minidump -> %SystemRoot%\Minidump -> [Folder | Modified Date = 3/15/2007 12:59:42 AM | Attr = ]
ODBC.INI -> %SystemRoot%\ODBC.INI -> [Ver = | Size = 476 bytes | Modified Date = 3/2/2007 7:38:42 AM | Attr = ]
ODBCINST.INI -> %SystemRoot%\ODBCINST.INI -> [Ver = | Size = 4161 bytes | Modified Date = 3/2/2007 7:38:30 AM | Attr = ]
pestpatrol5.INI -> %SystemRoot%\pestpatrol5.INI -> [Ver = | Size = 0 bytes | Modified Date = 3/11/2007 12:27:20 PM | Attr = ]
Prefetch -> %SystemRoot%\Prefetch -> [Folder | Modified Date = 3/19/2007 12:09:52 AM | Attr = ]
RegisteredPackages -> %SystemRoot%\RegisteredPackages -> [Folder | Modified Date = 2/18/2007 2:02:20 AM | Attr = ]
security -> %SystemRoot%\security -> [Folder | Modified Date = 2/18/2007 10:03:30 AM | Attr = ]
system32 -> %System32% -> [Folder | Modified Date = 3/13/2007 9:23:32 AM | Attr = ]
Temp -> %SystemRoot%\Temp -> [Folder | Modified Date = 3/19/2007 12:11:24 AM | Attr = ]
twain_32 -> %SystemRoot%\twain_32 -> [Folder | Modified Date = 2/18/2007 2:07:12 AM | Attr = ]
WinSxS -> %SystemRoot%\WinSxS -> [Folder | Modified Date = 2/18/2007 1:54:04 AM | Attr = ]
WMSysPr9.prx -> %SystemRoot%\WMSysPr9.prx -> [Ver = | Size = 316640 bytes | Modified Date = 2/18/2007 2:01:24 AM | Attr = ]
CatRoot -> %System32%\CatRoot -> [Folder | Modified Date = 2/18/2007 1:56:52 AM | Attr = ]
CatRoot2 -> %System32%\CatRoot2 -> [Folder | Modified Date = 3/14/2007 1:31:24 AM | Attr = ]
DirectX -> %System32%\DirectX -> [Folder | Modified Date = 2/18/2007 1:58:38 AM | Attr = ]
dllcache -> %System32%\dllcache -> [Folder | Modified Date = 3/13/2007 3:16:20 AM | Attr = RHS]
drivers -> %System32%\drivers -> [Folder | Modified Date = 3/19/2007 12:11:20 AM | Attr = ]
DRVSTORE -> %System32%\DRVSTORE -> [Folder | Modified Date = 2/18/2007 1:54:40 AM | Attr = ]
PAV -> %System32%\PAV -> [Folder | Modified Date = 3/14/2007 3:06:14 PM | Attr = ]
PavCPL.dat -> %System32%\PavCPL.dat -> [Ver = | Size = 248 bytes | Modified Date = 3/13/2007 5:26:10 AM | Attr = ]
perfc009.dat -> %System32%\perfc009.dat -> [Ver = | Size = 39992 bytes | Modified Date = 3/13/2007 5:28:02 AM | Attr = ]
perfh009.dat -> %System32%\perfh009.dat -> [Ver = | Size = 311604 bytes | Modified Date = 3/13/2007 5:28:02 AM | Attr = ]
PerfStringBackup.INI -> %System32%\PerfStringBackup.INI -> [Ver = | Size = 356120 bytes | Modified Date = 3/13/2007 5:28:00 AM | Attr = ]
zllictbl.dat -> %System32%\zllictbl.dat -> [Ver = | Size = 4212 bytes | Modified Date = 3/13/2007 9:32:26 AM | Attr = H ]
ZoneLabs -> %System32%\ZoneLabs -> [Folder | Modified Date = 3/13/2007 9:23:10 AM | Attr = ]

[File String Scan - Non-Microsoft Only]
Thawte Consulting , -> %System32%\cpwmon2k.dll -> [Ver = | Size = 87800 bytes | Modified Date = 12/10/2006 8:31:12 PM | Attr = ]
PEC2 , -> %System32%\dfrg.msc -> [Ver = | Size = 41397 bytes | Modified Date = 8/23/2001 11:00:00 AM | Attr = ]
PEC2 , PECompact2 , -> %System32%\DivX.dll -> DivXNetworks, Inc. [Ver = 5.2.1.1338 | Size = 716800 bytes | Modified Date = 10/26/2004 12:38:24 PM | Attr = ]
PTech , -> %System32%\igfxhcsy.lhp -> [Ver = | Size = 59914 bytes | Modified Date = 8/20/2004 3:56:24 PM | Attr = ]
winsync , -> %System32%\wbdbase.deu -> [Ver = | Size = 1309184 bytes | Modified Date = 8/23/2001 11:00:00 AM | Attr = ]
WSUD , UPX0 , -> %System32%\dllcache\hwxjpn.dll -> [Ver = | Size = 13463552 bytes | Modified Date = 8/23/2001 11:00:00 AM | Attr = ]
PTech , -> %System32%\dllcache\mtlstrm.sys -> Smart Link [Ver = 3.80.01MC15 | Size = 1309184 bytes | Modified Date = 8/3/2004 7:41:38 PM | Attr = ]
PTech , -> %System32%\drivers\mtlstrm.sys -> Smart Link [Ver = 3.80.01MC15 | Size = 1309184 bytes | Modified Date = 8/3/2004 7:41:38 PM | Attr = ]

< End of report >

----------------------------------------------------

LATEST .LOG FILE FROM WINPFIND3U:

[Registry - Non-Microsoft Only]
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045} deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B5EE1724-E26C-4431-A8F3-96FC5FE55CA1} deleted successfully.
[ Extra Files ]
File/Folder c:\windows\9129837.exe not found.
File/Folder c:\windows\hide_evr2.sys not found.
[ Extra Registry Entries ]
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_hide_evr2\ not found.
Registry key HKEY_LOCAL_MACHINE\system\currentcontrolset\services\hide_evr2\ not found.
< End of log >
Created on 03/18/2007 05:45:54
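One way to triage the fix list from post #4 against the WinPFind3U report and fix log posted above mechanically, as an added Python example that is not OldTimer's tool or anything posted in this thread; it assumes the value of %System32% and constructs one sample report line for a hit.

```python
"""Triage helper for WinPFind3U-style reports and fix logs.

Added example, not OldTimer's tool or code from this thread. Parses the
"name -> path -> vendor [Ver = .. | Size = .. | Modified Date = .. | Attr = ..]"
entry lines of the posted reports and the "... deleted successfully." /
"... not found." lines of the fix log, so the fix list can be checked
mechanically instead of by scanning hundreds of lines by eye.
"""
import re

# Indicators quoted in the thread (the PestPatrol findings and the fix list).
THREAD_IOCS = {r"c:\windows\9129837.exe", r"c:\windows\hide_evr2.sys"}
# Variable values from the report header; %System32% is assumed to expand to
# %SystemRoot%\system32 (the report does not print its value).
REPORT_VARS = {"%System32%": r"C:\WINDOWS\system32", "%SystemRoot%": r"C:\WINDOWS",
               "%ProgramFiles%": r"C:\Program Files", "%SystemDrive%": "C:"}

ARROW_RE = re.compile(r"\s*->\s*")
VENDOR_META_RE = re.compile(r"^(?P<vendor>.*?)\s*(?:\[(?P<meta>[^\]]*)\])?$")
LOG_RE = re.compile(r"^(?:Registry key|Registry value|File/Folder) (?P<target>.+?) "
                    r"(?P<status>deleted successfully|not found)\.$")


def expand_path(path):
    """Expand the report's %Var% placeholders and lower-case for comparison."""
    for var, value in REPORT_VARS.items():
        path = path.replace(var, value)
    return path.lower()


def parse_report(lines):
    """Yield one dict per entry line, tagged with its [section] and < subsection >."""
    section = subsection = ""
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, subsection = line[1:-1], ""
            continue
        parts = ARROW_RE.split(line)
        if len(parts) < 2:  # header lines such as "Paging file location(s): ..."
            continue
        if line.startswith("< "):
            subsection = parts[0].strip("<> ")
            continue
        tail = VENDOR_META_RE.match(parts[2] if len(parts) > 2 else "")
        meta = {}
        for field in (tail.group("meta") or "").split(" | "):
            key, sep, value = field.partition("=")
            if sep:
                meta[key.strip()] = value.strip()
        yield {"section": section, "subsection": subsection, "name": parts[0],
               "path": parts[1], "vendor": tail.group("vendor"), "meta": meta}


def flag_entries(lines):
    """Return (name, reason) pairs, in report order, that a reviewer should see first."""
    flags = []
    for e in parse_report(lines):
        if expand_path(e["path"]) in THREAD_IOCS:
            flags.append((e["name"], "matches an indicator named in the thread"))
        elif e["vendor"].lower() == "file not found":
            flags.append((e["name"], "autorun entry points at a missing file"))
        elif (e["meta"] and not e["vendor"]
              and e["path"].lower().endswith((".exe", ".dll", ".sys"))
              and e["section"].startswith(("Processes", "Win32 Services", "Registry"))):
            flags.append((e["name"], "executable with no vendor string; review manually"))
    return flags


def fix_outcome(fix_targets, log_lines):
    """Map each file or key from the fix list to what the fix log reported for it."""
    seen = {}
    for raw in log_lines:
        m = LOG_RE.match(raw.strip())
        if m:
            seen[m.group("target").rstrip("\\").lower()] = m.group("status")
    return {t: seen.get(t.rstrip("\\").lower(), "not mentioned in log") for t in fix_targets}


# Sample input: lines excerpted from the reports posted in this thread, plus one
# constructed "hide_evr2" line showing what a hit on the fix list would look like.
SAMPLE_REPORT = r"""
[Processes - Non-Microsoft Only]
ssaad.exe -> %ProgramFiles%\Sony\SonicStage\SSAAD.exe -> [Ver = 3.3.00.09270 | Size = 81920 bytes | Modified Date = 9/27/2005 6:59:10 AM | Attr = ]
vsmon.exe -> %System32%\ZoneLabs\vsmon.exe -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 75568 bytes | Modified Date = 1/8/2007 2:29:38 PM | Attr = ]
[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
UserFaultCheck -> -> File not found
Samsung Common SM -> %SystemRoot%\Samsung\ComSMMgr\ssmmgr.exe -> File not found
hide_evr2 -> %SystemRoot%\hide_evr2.sys -> [Ver = | Size = 0 bytes | Modified Date = 1/1/2007 12:00:00 AM | Attr = ]
""".splitlines()
# The fix list from post #4 and the matching lines of the fix log from post #5.
FIX_TARGETS = [r"c:\windows\9129837.exe", r"c:\windows\hide_evr2.sys",
               r"HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_hide_evr2",
               r"HKEY_LOCAL_MACHINE\system\currentcontrolset\services\hide_evr2"]
SAMPLE_FIX_LOG = r"""
File/Folder c:\windows\9129837.exe not found.
File/Folder c:\windows\hide_evr2.sys not found.
Registry key HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_hide_evr2\ not found.
""".splitlines()
```

Run `flag_entries(SAMPLE_REPORT)` and `fix_outcome(FIX_TARGETS, SAMPLE_FIX_LOG)` against a full report to get the same two views a helper derives by hand: what to look at, and which fix items the log never accounted for.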

#6 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina
  • Local time:05:59 AM

Posted 20 March 2007 - 05:41 AM

Hi strinh808. Everything looks fine. Nothing was found.

If you run Pest Patrol again does it show anything? Whatever it was might have been taken care of by AVG AS or Panda.

Anything else happening on the system to indicate a malware issue?

Let me know.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer




