
Help Please


  • This topic is locked
25 replies to this topic

#1 Rheanun

Rheanun

  • Members
  • 84 posts
  • OFFLINE
  •  
  • Local time:03:27 PM

Posted 14 April 2007 - 02:59 PM

I have been trying to clean my husband's computer and have not been successful and I really need help. I have tried everything that I can think of. I did the SmitFraud removal etc... Here is the log from HijackThis and thank you! By the way, I have tried to remove the Winsock that appears here over and over with no luck. I tried to remove with HijackThis and it refers me to another program which I did download and run and I removed something that showed up there but no luck removing this.

Logfile of HijackThis v1.99.1
Scan saved at 12:54:16 PM, on 4/14/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\NeroCheck.exe
C:\WINDOWS\System32\-226965688.exe
C:\WINDOWS\1903cr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\System32\tmp1CF.tmp.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {ff1442d7-36a1-473a-9941-268504235bbe} - C:\WINDOWS\system32\fcl32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [-226965688.exe] C:\WINDOWS\System32\-226965688.exe
O4 - HKLM\..\Run: [RegistryMonitor] C:\WINDOWS\1903cr.exe
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\mlkllj.dll",realset
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: fcl32 - C:\WINDOWS\SYSTEM32\fcl32.dll
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll
O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - C:\WINDOWS\System32\ocirdw.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: ieupdater22 (Microsoft IEUpdater22) - Unknown owner - C:\Documents and Settings\Administrator\ie_updater.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe



#2 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:09:27 PM

Posted 14 April 2007 - 03:39 PM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.
Please move HijackThis to a permanent folder. Anywhere is fine, other than your Desktop or a temporary folder. If it is in one of these locations, there is a risk that you may accidentally delete the backups, which may be needed if we fix something we're not meant to.
If you use Windows XP it may be that you just double clicked on the HijackThis.exe file, but this only extracts the file to a temporary folder. If you right click on it and select Extract, you can choose a folder to place it in.

How to make a permanent folder:
Click Start | My Computer | Local Disk (C:) | Program Files.
In the menu bar at the top, go to File | New | Folder.
That will create a folder named "New Folder", which you can rename to "HijackThis". You have now created C:\Program Files\HijackThis.
Now get your HijackThis.exe file and place it in your folder.

From your log it appears that you are missing one important program: an antivirus. This is somewhat suicidal in today's digital world. Without one you are at a high risk of reinfection; while I can try to sort your problem out, if you have no protection, the infections will keep resurfacing.
Here are some great free antivirus programs:
Antivir, Avast!, AVG, Bitdefender Free
Install one of these, then run a full scan, letting it quarantine/delete anything it finds. Let me know if there is anything that it reports but can not remove.

I have also noticed that you do not appear to have a firewall installed. This is an essential piece of software that acts as an extra layer of security, which restricts access to your computer from the outside world.
Therefore, please download one of these free firewalls:
Zone Alarm
Kerio
If you would like some more information about firewalls and how to use them effectively, take a look here.

Please post back with a new log once you have done this.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#3 Rheanun

Rheanun
  • Topic Starter

  • Members
  • 84 posts
  • OFFLINE
  •  
  • Local time:03:27 PM

Posted 14 April 2007 - 06:53 PM

Hello Charles and thank you for helping me out. I installed and did a search for viruses on Avast. That is what I use on my own computer so I am familiar with it. My husband will not let me install the firewall though so sorry about that one. Here is the new log from HijackThis...

Logfile of HijackThis v1.99.1
Scan saved at 4:48:39 PM, on 4/14/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
E:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\-226965688.exe
C:\WINDOWS\1903cr.exe
E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\wuauclt.exe
E:\Program Files\hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\System32\tmp1CF.tmp.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {ff1442d7-36a1-473a-9941-268504235bbe} - C:\WINDOWS\system32\fcl32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [-226965688.exe] C:\WINDOWS\System32\-226965688.exe
O4 - HKLM\..\Run: [RegistryMonitor] C:\WINDOWS\1903cr.exe
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\mlkllj.dll",realset
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: fcl32 - C:\WINDOWS\SYSTEM32\fcl32.dll
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll
O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - C:\WINDOWS\System32\ocirdw.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: ieupdater22 (Microsoft IEUpdater22) - Unknown owner - C:\Documents and Settings\Administrator\ie_updater.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

#4 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:09:27 PM

Posted 15 April 2007 - 03:50 AM

Hi again,
Please download VundoFix to your Desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt in your next reply.
Note: It is possible that VundoFix encountered a file it could not remove.
VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Please include VundoFix.txt and a new HijackThis log in your next reply.
Thanks,
Charles



#5 Rheanun

Rheanun
  • Topic Starter

  • Members
  • 84 posts
  • OFFLINE
  •  
  • Local time:03:27 PM

Posted 17 April 2007 - 02:00 PM

Sorry it took me so long to respond but here are my logs...


VundoFix V6.3.19

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 11:50:24 AM 4/17/2007

Listing files found while scanning....

C:\WINDOWS\System32\tmp7.tmp.dll

Beginning removal...

Performing Repairs to the registry.
Done!
==========================================================
Logfile of HijackThis v1.99.1
Scan saved at 11:57:15 AM, on 4/17/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
E:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\-226965688.exe
C:\WINDOWS\1903cr.exe
E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
E:\Program Files\hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\System32\tmp9C.tmp.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {ff1442d7-36a1-473a-9941-268504235bbe} - C:\WINDOWS\system32\fcl32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [-226965688.exe] C:\WINDOWS\System32\-226965688.exe
O4 - HKLM\..\Run: [RegistryMonitor] C:\WINDOWS\1903cr.exe
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\gedcay.dll",realset
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: fcl32 - C:\WINDOWS\SYSTEM32\fcl32.dll
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll
O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - C:\WINDOWS\System32\ocirdw.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: ieupdater22 (Microsoft IEUpdater22) - Unknown owner - C:\Documents and Settings\Administrator\ie_updater.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

#6 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:09:27 PM

Posted 17 April 2007 - 03:46 PM

Hello again,
Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible.
We are going to boot into Safe Mode later in the fix, and there is no internet access.

I have noticed from your log that you have various online poker programs installed on your computer. I understand that you may use these games on a regular basis but I think it's important to note that often these kinds of programs are installed with other unwanted software, namely spyware or adware. If you did not install these programs yourself, or you do not use them any more, I would definitely recommend that you uninstall them from your computer, even if it is simply a precautionary measure. The amount of different poker software which arises on the internet means it is impossible to keep track of which ones are infected and which ones are not. If you do use the software, and wish to continue doing so, please ignore this.
If you do decide to go ahead and remove the poker software, you should be able to uninstall them via Add/Remove Programs which can be found in the Control Panel. Let me know if you have any problems whilst doing so.

Download SDFix and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Don't run it yet.

Double-click VundoFix.exe to run it.
When VundoFix re-opens, click "Scan for Vundo" button.
Once the scan is complete, right click inside the listbox (white box) and click "Add More Files"
Copy and paste the entries below into the top boxes (no arrows):

--> C:\WINDOWS\system32\fcl32.dll

Click "Add Files" and click "Close Window".
Click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your Desktop will go blank as it starts removing Vundo - this is normal.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.

Please reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.
Make sure you choose the option without Networking Support.

Open the extracted SDFix folder and double click runThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any key and it will restart the PC.
When the PC restarts the fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).

You're using an outdated version of Java (latest one is Java Runtime Environment (JRE) 6). Please update and remove the older versions. Do the following:
Go to Start | Control Panel | Add/Remove Programs
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
Select it and click Remove.
Then download and install the newest version from here:
Java Runtime Environment (JRE) 6

Please include VundoFix.txt and a new HijackThis log in your next reply, along with the SDFix log.
Thanks,
Charles



#7 Rheanun

Rheanun
  • Topic Starter

  • Members
  • 84 posts
  • OFFLINE
  •  
  • Local time:03:27 PM

Posted 17 April 2007 - 06:20 PM

Ok here are all three of my logs...


SDFix: Version 1.79

Run by Administrator - Tue 04/17/2007 - 16:01:00.98

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix\SDFix

Safe Mode:
Checking Services:

Name:
EXAMPLE
kprof
Microsoft IEUpdater22
poof
Runtime

ImagePath:
\??\C:\WINDOWS\System32\main.sys
\??\C:\WINDOWS\System32\kprof
C:\Documents and Settings\Administrator\ie_updater.exe /start
\??\C:\WINDOWS\System32\poof
\??\C:\WINDOWS\System32\drivers\runtime.sys

EXAMPLE - Deleted
kprof - Deleted
Microsoft IEUpdater22 - Deleted
poof - Deleted
Runtime - Deleted

Killing PID 160 'smss.exe'
Killing PID 236 'winlogon.exe'


Restoring Windows Registry Values
Restoring Windows Default Hosts File
===================================================

VundoFix V6.3.19

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 3:47:00 PM 4/17/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

Attempting to delete C:\WINDOWS\system32\fcl32.dll
C:\WINDOWS\system32\fcl32.dll Has been deleted!

Performing Repairs to the registry.
Done!
=======================================================

Logfile of HijackThis v1.99.1
Scan saved at 4:16:47 PM, on 4/17/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
E:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\-226965688.exe
C:\WINDOWS\1903cr.exe
E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\msiexec.exe
E:\Program Files\hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\System32\tmp9C.tmp.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {ff1442d7-36a1-473a-9941-268504235bbe} - C:\WINDOWS\system32\fcl32.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [-226965688.exe] C:\WINDOWS\System32\-226965688.exe
O4 - HKLM\..\Run: [RegistryMonitor] C:\WINDOWS\1903cr.exe
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\gedcay.dll",realset
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O20 - AppInit_DLLs:
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll (file missing)
O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - C:\WINDOWS\System32\ocirdw.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: ieupdater22 (Microsoft IEUpdater22) - Unknown owner - C:\Documents and Settings\Administrator\ie_updater.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
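
Comparing successive HijackThis scans from this thread, as an added example that is not part of any post: each entry is keyed by section plus CLSID or Run value name, so a file that only changes its name between scans (as the BHO and BootService entries do here) is reported as the same entry retargeted. The log lines are excerpts from the 14 April and 17 April (4:16 PM) logs above; the function names and status labels are this example's own.

```python
import re

# Excerpts from the 14 April and 17 April (4:16 PM) HijackThis logs in this thread.
SCAN_14_APRIL = r"""
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\System32\tmp1CF.tmp.dll
O2 - BHO: (no name) - {ff1442d7-36a1-473a-9941-268504235bbe} - C:\WINDOWS\system32\fcl32.dll
O4 - HKLM\..\Run: [RegistryMonitor] C:\WINDOWS\1903cr.exe
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\mlkllj.dll",realset
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O20 - Winlogon Notify: fcl32 - C:\WINDOWS\SYSTEM32\fcl32.dll
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll
"""
SCAN_17_APRIL = r"""
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\System32\tmp9C.tmp.dll
O2 - BHO: (no name) - {ff1442d7-36a1-473a-9941-268504235bbe} - C:\WINDOWS\system32\fcl32.dll (file missing)
O4 - HKLM\..\Run: [RegistryMonitor] C:\WINDOWS\1903cr.exe
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\gedcay.dll",realset
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O10 - Unknown file in Winsock LSP: c:\windows\system32\phuvwblrb.dll
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll (file missing)
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.+)$")
RUN_RE = re.compile(r"^(HK\w+\\\.\.\\[^:]+): \[([^\]]+)\] (.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
MISSING = "(file missing)"


def parse_entry(line):
    """Return ((section, identity), (target, file_missing)) or None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # header, running-process path or blank line
    section, body = m.groups()
    missing = body.endswith(MISSING)
    if missing:
        body = body[: -len(MISSING)].rstrip()
    run = RUN_RE.match(body)
    if run:
        # O4: identity is the registry key plus value name, target is the command
        ident, target = f"{run.group(1)} [{run.group(2)}]", run.group(3)
    elif " - " in body:
        # O2/O20/O21/O23 style: "<label> - <file>"; prefer the CLSID as identity
        head, target = body.rsplit(" - ", 1)
        clsid = CLSID_RE.search(head)
        ident = clsid.group(0).lower() if clsid else head
    else:
        # O10 style: no stable identifier, so the whole line is the identity
        ident, target = body.lower(), body.partition(": ")[2]
    return (section, ident), (target.lower(), missing)


def parse_log(text):
    """Map identity -> (target, file_missing); repeated lines collapse to one."""
    entries = {}
    for line in text.splitlines():
        parsed = parse_entry(line)
        if parsed:
            entries[parsed[0]] = parsed[1]
    return entries


def diff_scans(old_text, new_text):
    """Classify every entry seen in either scan."""
    old, new = parse_log(old_text), parse_log(new_text)
    status = {}
    for key in old.keys() | new.keys():
        if key not in new:
            status[key] = "removed"
        elif key not in old:
            status[key] = "added"
        elif old[key][0] != new[key][0]:
            status[key] = "retargeted"      # same registration, different file
        elif new[key][1] and not old[key][1]:
            status[key] = "file_missing"    # file gone, registry entry left behind
        else:
            status[key] = "unchanged"
    return status


def renamed_between_scans(status):
    """Entries whose registration survived while the file name changed."""
    return sorted(k for k, s in status.items() if s == "retargeted")


if __name__ == "__main__":
    for (section, ident), state in sorted(diff_scans(SCAN_14_APRIL, SCAN_17_APRIL).items()):
        print(f"{state:13} {section:4} {ident}")
```

Entries reported as `file_missing` are the ones a cleanup tool deleted on disk while the registry entry stayed behind, which is why they still appear in the later log.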

#8 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:09:27 PM

Posted 18 April 2007 - 09:13 AM

Hello again,
Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible.
We are going to boot into Safe Mode later in the fix, and there is no internet access.

Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\System32\tmp9C.tmp.dll
O2 - BHO: (no name) - {ff1442d7-36a1-473a-9941-268504235bbe} - C:\WINDOWS\system32\fcl32.dll (file missing)
O4 - HKLM\..\Run: [-226965688.exe] C:\WINDOWS\System32\-226965688.exe
O4 - HKLM\..\Run: [RegistryMonitor] C:\WINDOWS\1903cr.exe
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\gedcay.dll",realset
O20 - AppInit_DLLs:
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll (file missing)
O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - C:\WINDOWS\System32\ocirdw.dll
O23 - Service: ieupdater22 (Microsoft IEUpdater22) - Unknown owner - C:\Documents and Settings\Administrator\ie_updater.exe (file missing)


Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix checked button.

Please reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.
Make sure you choose the option without Networking Support.

Set your system to show all files.
Navigate to Start | My Computer | Tools | Folder Options.
Select the View tab. Under the "Hidden Files and Folders" heading, select "Show hidden files and folders".
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Next, please find and delete the following files (if present):

C:\WINDOWS\System32\tmp9C.tmp.dll
C:\WINDOWS\System32\-226965688.exe
C:\WINDOWS\1903cr.exe
C:\WINDOWS\gedcay.dll
C:\Documents and Settings\All Users\Documents\Settings\partnership.dll
C:\WINDOWS\System32\ocirdw.dll
C:\Documents and Settings\Administrator\ie_updater.exe

Reboot into Normal Mode again.

Download LSP-Fix
Disconnect from the Internet and close all Internet Explorer Windows.
Run the program and check the "I know what I'm doing" box.
Place all listings of phuvwblrb.dll into the remove section by highlighting it and clicking on the button that points to the right. When all instances of this dll are in the remove section press the Finish button.

Reboot again, and include a new HijackThis log in your next reply.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#9 Rheanun

Posted 18 April 2007 - 02:39 PM

Thank you for your continued patience with me! Here is the new log; the IE updater would not come off on the HijackThis program. I also have a question for you regarding the poker games installed on my husband's computer. I know he did install the party poker, but the other one he did not install and it isn't showing up in the add/remove programs. I would like to take that one off, so should I just delete the whole folder? Thank you

Logfile of HijackThis v1.99.1
Scan saved at 12:33:13 PM, on 4/18/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
E:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
E:\Program Files\hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mszhjpjwbtj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mszhjpjwbtj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mszhjpjwbtj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mszhjpjwbtj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mszhjpjwbtj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mszhjpjwbtj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mszhjpjwbtj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mszhjpjwbtj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mszhjpjwbtj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mszhjpjwbtj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mszhjpjwbtj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mszhjpjwbtj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mszhjpjwbtj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mszhjpjwbtj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mszhjpjwbtj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mszhjpjwbtj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: ieupdater22 (Microsoft IEUpdater22) - Unknown owner - C:\Documents and Settings\Administrator\ie_updater.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

#10 rookie147

Posted 18 April 2007 - 04:21 PM

Hey there, you're doing good so far :thumbsup:

I also have a question for you regarding the poker games installed on my husband's computer. I know he did install the party poker, but the other one he did not install and it isn't showing up in the add/remove programs. I would like to take that one off, so should I just delete the whole folder?

Yes, you can try deleting it. If it is quite stubborn and will not go in Normal Mode, delete it when we boot into Safe Mode. Let me know if this is successful.

Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible.
We are going to boot into Safe Mode later in the fix, and there is no internet access.

Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

O23 - Service: ieupdater22 (Microsoft IEUpdater22) - Unknown owner - C:\Documents and Settings\Administrator\ie_updater.exe (file missing)


Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix checked button.

Please reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.
Make sure you choose the option without Networking Support.

Delete the following file:

C:\Documents and Settings\Administrator\ie_updater.exe

Copy and paste the following text into Notepad:
sc stop "Microsoft IEUpdater22"
sc delete "Microsoft IEUpdater22"
Save this as "services.bat". Choose to save as *all files and place it on your Desktop.
Double-click services.bat.

Reboot into Normal Mode again.

Run LSPFix and check the "I know what I'm doing" box.
Place all listings of mszhjpjwbtj.dll into the remove section by highlighting it and clicking on the button that points to the right. When all instances of this dll are in the remove section press the Finish button.

Now I'd like you to run two more scanners, as it seems the malware keeps coming back, so I have an inkling that there is some more hiding somewhere:
Download Combofix to your Desktop.
Double click combofix.exe
Follow the prompts that are displayed.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt. Post that in your next reply.

Download F-Secure Blacklight and save it to your Desktop.
Double click on blbeta.exe to start the program.
Accept the user agreement and click Next.
Click Scan. You will then see a list of all the items found.
Do not choose to rename any yet! I want to see the log first because legitimate items can also be present.
BlackLight will have created a log on your Desktop named "fsbl-xxxxxxx.log" (the xxxxxxx will be the date and time of the scan).
Post that log in your next reply.

Please include ComboFix.txt, the Blacklight log, along with a fresh HijackThis log in your next reply.
Thanks
Charles

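The triage that post #10 applies to the HijackThis log in post #9, as an added example that is not part of the original thread or of HijackThis itself: it collapses the repeated O10 Winsock LSP lines, flags an "Unknown owner" service whose binary sits under a user profile, and ignores "(file missing)" tags on services whose executable appears in the running-process list (as the avast! services do in that log). The function names and the heuristics are assumptions made for illustration; the sample lines are copied from the log above.

```python
import re
from collections import Counter

# Sample lines copied from the HijackThis log in post #9 (shortened).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\services.exe
E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe

O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\mszhjpjwbtj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mszhjpjwbtj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mszhjpjwbtj.dll
O23 - Service: avast! Antivirus - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: ieupdater22 (Microsoft IEUpdater22) - Unknown owner - C:\Documents and Settings\Administrator\ie_updater.exe (file missing)
"""

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")       # e.g. "O23 - Service: ..."
MISSING_TAG = "(file missing)"
USER_PROFILE = "\\documents and settings\\"        # XP-era profile root, as in this log


def parse_log(text):
    """Return (set of lower-cased running process paths, list of (section, body))."""
    running, entries, in_procs = set(), [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_procs = False
            entries.append((match.group(1), match.group(2)))
        elif in_procs and line:
            running.add(line.lower())
    return running, entries


def clean_path(field):
    """Strip the '(file missing)' tag and any quote/argument tail from a path field."""
    missing = field.endswith(MISSING_TAG)
    path = field[: -len(MISSING_TAG)] if missing else field
    # A quoted ImagePath with arguments leaves '" /service' behind; cut at the quote.
    path = path.strip().lstrip('"').split('"', 1)[0].strip()
    return path, missing


def triage(text):
    """Return a list of (section, item, reason) findings for O10 and O23 entries."""
    running, entries = parse_log(text)
    findings = []

    # O10: one finding per unknown LSP DLL, with the number of chain entries it holds.
    lsp = Counter(body.split(": ", 1)[1].lower() for sec, body in entries
                  if sec == "O10" and body.startswith("Unknown file in Winsock LSP: "))
    for dll, count in lsp.items():
        findings.append(("O10", dll, f"unknown Winsock LSP provider, {count} chain entries"))

    # O23: "Service: <name> - <owner> - <path>"; split from the right, names may hold " - ".
    for sec, body in entries:
        if sec != "O23" or not body.startswith("Service: "):
            continue
        parts = body[len("Service: "):].rsplit(" - ", 2)
        if len(parts) != 3:
            continue
        name, owner, field = parts
        path, missing = clean_path(field)
        if missing and path.lower() in running:
            continue  # the binary is running, so the tag is a path-parsing artefact
        reasons = []
        if missing:
            reasons.append("binary missing")
        if owner == "Unknown owner" and USER_PROFILE in path.lower():
            reasons.append("unknown owner, binary under a user profile")
        if reasons:
            findings.append(("O23", name, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for section, item, reason in triage(SAMPLE_LOG):
        print(f"{section}: {item} -> {reason}")
```

A finding here is only a prompt for a human to look closer; the listed DLL still has to be removed from the LSP chain with a tool such as LSP-Fix rather than by deleting the file.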


#11 Rheanun

Posted 18 April 2007 - 06:17 PM

Ok, so far I did run HijackThis again and tried to remove the IE updater but it would not let me remove it. I did also run the combofix and I think that worked well but the blacklight link won't work for me. So what would you like me to do now? I will post a new HijackThis log and the combofix log though for you now...

"Administrator" - 07-04-18 16:04:46 Service Pack 1
ComboFix 07-04-19.1V - Running from: C:\Documents and Settings\Administrator\Desktop\


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\tmp1CF.tmp.dll
C:\WINDOWS\system32\tmp2.tmp.dll
C:\WINDOWS\system32\tmpE.tmp.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\System\d3db32.dll
C:\WINDOWS\system32\pfxzmtaim.dll
C:\WINDOWS\system32\pfxzmtforum.dll
C:\WINDOWS\system32\pfxzmtgtal.dll
C:\WINDOWS\system32\pfxzmticq.dll
C:\WINDOWS\system32\pfxzmtsmt.dll
C:\WINDOWS\system32\pfxzmtsmtspm.dll
C:\WINDOWS\system32\pfxzmtwbmail.dll
C:\WINDOWS\system32\pfxzmtymsg.dll
C:\WINDOWS\system32\rsvp32_2.dll
C:\WINDOWS\system32\rsvp32_2.dllr55675et
C:\WINDOWS\system32\tmp1CF.tmp.dll
C:\WINDOWS\system32\tmp2.tmp.dll
C:\WINDOWS\system32\tmpE.tmp.dll
C:\Documents and Settings\All Users.\documents\settings\desktop.ini
C:\DOCUME~1\ADMINI~1\Desktop.\internet explorer.lnk
C:\WINDOWS\system32\wtstr.exe
C:\WINDOWS\system32\lkbamuy.dll
C:\WINDOWS\system32\mszhjpjwbtj.dll
C:\WINDOWS\system32\nweli.dll
C:\WINDOWS\system32\phuvwblrb.dll
C:\Documents and Settings\All Users.\documents\settings
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\WINDOWS\MBOLS~1


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\EXAMPLE
-------\kprof
-------\poof
-------\Runtime
-------\LEGACY_EXAMPLE
-------\LEGACY_POOF


((((((((((((((((((((((((((((((( Files Created from 2007-03-18 to 2007-04-18 ))))))))))))))))))))))))))))))))))


2007-04-17 16:12 <DIR> d-------- C:\Program Files\Common Files\Java
2007-04-17 11:50 <DIR> d-------- C:\VundoFix Backups
2007-04-14 15:11 94,424 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-14 15:11 90,112 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-04-14 15:11 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-14 15:11 689,280 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-04-14 15:11 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-14 15:11 31,560 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-14 15:11 23,352 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-14 12:30 812 --a------ C:\WINDOWS\system32\tmp.reg
2007-04-13 19:43 45,056 --a------ C:\command.exe
2007-04-13 14:58 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-04-13 14:52 <DIR> d-------- C:\reg cleaner
2007-04-13 02:01 106,767 --a------ C:\WINDOWS\rqopom.dll
2007-04-12 13:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-04-11 18:17 65,024 --a------ C:\WINDOWS\system32\update71197586.exe
2007-04-11 18:09 8,704 --a------ C:\WINDOWS\system32\sporder.dll
2007-04-11 18:09 65,024 --a------ C:\WINDOWS\system32\update23833669.exe
2007-04-11 18:08 21,504 --a------ C:\WINDOWS\system32\update62062812.exe
2007-04-11 15:35 106,767 --a------ C:\WINDOWS\opqolj.dll
2007-04-09 19:18 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-04-09 17:47 106,767 --------- C:\WINDOWS\tuvurp.dll
2007-04-09 17:33 7,296 --a------ C:\WINDOWS\system32\drivers\ip6fw.sys
2007-04-09 17:33 445,440 --------- C:\wmplayer.dll
2007-04-09 17:33 31,800 --a------ C:\WINDOWS\system32\update56160395.exe
2007-04-09 17:33 235,008 --a------ C:\WINDOWS\system32\update87491010.exe
2007-04-05 14:17 <DIR> d-------- C:\WINDOWS\system32\dlha
2007-03-22 14:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. ... attempting disinfection
pe386 ...... driver unloaded successfully.
ADS removed - system32: deleted 81410 bytes in 1 streams.

2007-04-17 16:13 -------- d-------- C:\Program Files\java
2007-04-15 11:01 43520 --a------ C:\WINDOWS\system32\cmdlineext03.dll
2007-04-12 13:15 75264 --a------ C:\WINDOWS\system32\ws2_32.dll
2007-04-09 19:17 -------- d-------- C:\Program Files\warcraft iii
2007-04-09 19:17 -------- d-------- C:\Program Files\quicktime
2007-04-09 19:16 -------- dr-h----- C:\DOCUME~1\ADMINI~1\APPLIC~1\yahoo!
2007-04-09 19:11 -------- d-------- C:\Program Files\theport
2007-04-03 18:02 -------- d-------- C:\Program Files\gamespy arcade
2007-02-20 09:25 1080 --a--c--- C:\WINDOWS\checkip.dat
2007-02-20 09:21 1205 --a--c--- C:\WINDOWS\ipconfig.dat


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AtiPTA"="atiptaxx.exe"
"avast!"="E:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\READER~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Synchronizer.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Synchronizer.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\READER~1.0\\Reader\\ADOBEC~1.EXE "
"item"="Adobe Reader Synchronizer"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\InterVideo WinCinema Manager.lnk"
"backup"="C:\\WINDOWS\\pss\\InterVideo WinCinema Manager.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\INTERV~1\\Common\\Bin\\WINCIN~1.EXE "
"item"="InterVideo WinCinema Manager"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Kodak EasyShare software.lnk"
"backup"="C:\\WINDOWS\\pss\\Kodak EasyShare software.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Kodak\\KODAKE~1\\bin\\EASYSH~1.EXE -hx"
"item"="Kodak EasyShare software"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\KODAK Software Updater.lnk"
"backup"="C:\\WINDOWS\\pss\\KODAK Software Updater.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Kodak\\KODAKS~1\\7288971\\Program\\KODAKS~1.EXE "
"item"="KODAK Software Updater"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BootService]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="opqolj"
"hkey"="HKLM"
"command"="rundll32.exe \"C:\\WINDOWS\\opqolj.dll\",realset"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\WINDOWS]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\WINDOWS\System32]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\WINDOWS\System32\V0250Cvw.dll]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="V0250Cvw"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\RegSvr32.exe /s C:\\WINDOWS\\System32\\V0250Cvw.dll"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark_X79-55]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="lsasss"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\lsasss.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Task Scheduler]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mstask32"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\dlha\\mstask32.com"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Webcam Enhance V2.1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="runtfs32"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\runtfs32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PtiuPbmd]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Rundll32"
"hkey"="HKLM"
"command"="Rundll32.exe ptipbm.dll,SetWriteBack"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VaCtrls]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="v7"
"hkey"="HKLM"
"command"="v7"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-18 16:08:13 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-04-18 16:08
=================================================================

Logfile of HijackThis v1.99.1
Scan saved at 4:13:38 PM, on 4/18/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
E:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

#12 rookie147

Posted 19 April 2007 - 01:34 AM

Oops, try this link instead: http://www.f-secure.com/blacklight/try_blacklight.html



#13 Rheanun

Posted 20 April 2007 - 01:14 PM

Ok, here is the log from the blacklight program...

04/20/07 11:08:30 [Info]: BlackLight Engine 1.0.61 initialized
04/20/07 11:08:30 [Info]: OS: 5.1 build 2600 (Service Pack 1)
04/20/07 11:08:31 [Note]: 7019 4
04/20/07 11:08:31 [Note]: 7005 0
04/20/07 11:08:34 [Note]: 7006 0
04/20/07 11:08:34 [Note]: 7011 300
04/20/07 11:08:34 [Note]: 7026 0
04/20/07 11:08:34 [Note]: 7026 0
04/20/07 11:08:35 [Note]: FSRAW library version 1.7.1021
04/20/07 11:10:17 [Note]: 7007 0

#14 rookie147

Posted 21 April 2007 - 02:11 PM

Click here to download FindAWF.exe and save it to your desktop.
Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
Press any key and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
It may take a few minutes to complete so be patient.
When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or whatever location you ran the file from.
Copy and paste the contents of the AWF.txt file in your next reply.
Thanks,
Charles



#15 Rheanun

Posted 21 April 2007 - 05:06 PM

Boy, whatever ended up on my husband's computer sure did a number on it, didn't it? Wow lol. Thanks so much again for everything you have helped me do so far. Here is that log:


Find AWF report by noahdfear ©2006


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\QUICKT~1\BAK

07/28/2006 09:59 PM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

07/09/2001 03:50 AM 155,648 NeroCheck.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\AHEAD\INCD\BAK

03/23/2006 05:06 PM 1,398,272 InCD.exe
1 File(s) 1,398,272 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

11/10/2005 01:03 PM 36,975 jusched.exe
1 File(s) 36,975 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

282624 Jul 28 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
1398272 Mar 23 2006 "C:\Program Files\Ahead\InCD\bak\InCD.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe"


end of report



