False “personal Security Center”


14 replies to this topic

#1 borlou11

borlou11

  • Members
  • 54 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, Quebec, Canada
  • Local time:05:16 PM

Posted 03 May 2007 - 10:44 AM

I have a false “Personal Security Center” that keeps coming back even though I tried to erase it as per the instructions in “Preparation Guide for use before posting physical Hijack This Log” with Avast 4.7 Home Edition, Spybot-Search, AdAware SE Personal, Housecall 6.5 Anti Virus, Panda Anti Virus, Bit Defender and McAfee Stinger. I also have a GNET Broadband router that acts as a physical firewall. This “Personal Security Center” appears as a yellow triangle with an exclamation mark icon in the lower right-hand toolbar, near the clock, and it is identified as “Security Center Balloon”. It doesn’t appear immediately when I open my computer but only later on. Could you give me suggestions on how to remove this uninvited guest?
Thank you in advance.

Logfile of HijackThis v1.99.1
Scan saved at 11:41:32 AM, on 03/05/07
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\WINDOWS\SYSTEM\RULQRYBS.EXE
C:\WINDOWS\SYSTEM\STCHECK32.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPQTRA08.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.radio-canada.ca/nouvelles/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://e1.rd.yahoo.com/slv/ycheck/as/*http...com/search?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.radiocanada.ca/nouvelles/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {11972F80-D4CB-11D8-9873-000EA37335E9} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Symantec Core LC] "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" start
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [rulqrybs.exe] C:\WINDOWS\SYSTEM\rulqrybs.exe
O4 - HKLM\..\Run: [Privacy tools] C:\WINDOWS\SYSTEM\stcheck32.exe
O4 - HKLM\..\Run: [azubepgr.exe] C:\WINDOWS\SYSTEM\azubepgr.exe
O4 - HKLM\..\Run: [mlcjinwz.exe] C:\WINDOWS\SYSTEM\mlcjinwz.exe
O4 - HKLM\..\Run: [wzepmdqj.exe] C:\WINDOWS\SYSTEM\wzepmdqj.exe
O4 - HKLM\..\Run: [qtizehyn.exe] C:\WINDOWS\SYSTEM\qtizehyn.exe
O4 - HKLM\..\Run: [oxgdcfmh.exe] C:\WINDOWS\SYSTEM\oxgdcfmh.exe
O4 - HKLM\..\Run: [sjehejwd.exe] C:\WINDOWS\SYSTEM\sjehejwd.exe
O4 - HKLM\..\Run: [bylqpkjy.exe] C:\WINDOWS\SYSTEM\bylqpkjy.exe
O4 - HKLM\..\Run: [efmxelqv.exe] C:\WINDOWS\SYSTEM\efmxelqv.exe
O4 - HKLM\..\Run: [bipojcxi.exe] C:\WINDOWS\SYSTEM\bipojcxi.exe
O4 - HKLM\..\Run: [naxmjkdm.exe] C:\WINDOWS\SYSTEM\naxmjkdm.exe
O4 - HKLM\..\Run: [PCHelp tools] C:\WINDOWS\SYSTEM\pchtls32.exe
O4 - HKLM\..\Run: [vgvclwrk.exe] C:\WINDOWS\SYSTEM\vgvclwrk.exe
O4 - HKLM\..\Run: [ovopwtyb.exe] C:\WINDOWS\SYSTEM\ovopwtyb.exe
O4 - HKLM\..\Run: [fgxmbolq.exe] C:\WINDOWS\SYSTEM\fgxmbolq.exe
O4 - HKLM\..\Run: [letonydg.exe] C:\WINDOWS\SYSTEM\letonydg.exe
O4 - HKLM\..\Run: [rqfypgdw.exe] C:\WINDOWS\SYSTEM\rqfypgdw.exe
O4 - HKLM\..\Run: [irwjahwf.exe] C:\WINDOWS\SYSTEM\irwjahwf.exe
O4 - HKLM\..\Run: [hsdklale.exe] C:\WINDOWS\SYSTEM\hsdklale.exe
O4 - HKLM\..\Run: [epslubmj.exe] C:\WINDOWS\SYSTEM\epslubmj.exe
O4 - HKLM\..\Run: [xgzsfmdg.exe] C:\WINDOWS\SYSTEM\xgzsfmdg.exe
O4 - HKLM\..\Run: [ergpmzgb.exe] C:\WINDOWS\SYSTEM\ergpmzgb.exe
O4 - HKLM\..\Run: [nelelglw.exe] C:\WINDOWS\SYSTEM\nelelglw.exe
O4 - HKLM\..\Run: [fufunqlc.exe] C:\WINDOWS\SYSTEM\fufunqlc.exe
O4 - HKLM\..\Run: [khmduxwf.exe] C:\WINDOWS\SYSTEM\khmduxwf.exe
O4 - HKLM\..\Run: [dmdormri.exe] C:\WINDOWS\SYSTEM\dmdormri.exe
O4 - HKLM\..\Run: [qjkdybap.exe] C:\WINDOWS\SYSTEM\qjkdybap.exe
O4 - HKLM\..\Run: [nstsnqhw.exe] C:\WINDOWS\SYSTEM\nstsnqhw.exe
O4 - HKLM\..\Run: [ipwvsryh.exe] C:\WINDOWS\SYSTEM\ipwvsryh.exe
O4 - HKLM\..\Run: [mfkvujsz.exe] C:\WINDOWS\SYSTEM\mfkvujsz.exe
O4 - HKLM\..\Run: [rwpctkla.exe] C:\WINDOWS\SYSTEM\rwpctkla.exe
O4 - HKLM\..\Run: [sjalovsb.exe] C:\WINDOWS\SYSTEM\sjalovsb.exe
O4 - HKLM\..\Run: [clihkvub.exe] C:\WINDOWS\SYSTEM\clihkvub.exe
O4 - HKLM\..\Run: [patobcpa.exe] C:\WINDOWS\SYSTEM\patobcpa.exe
O4 - HKLM\..\Run: [norcbqzw.exe] C:\WINDOWS\SYSTEM\norcbqzw.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - Startup: HP Digital Imaging Monitor.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{81DD5688-695A-4c1d-AE7D-368BF857725A}\NewShortcut1.A6CC6977_F7B4_4C0B_9510_BCD847D4BDB2.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_11\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_11\BIN\SSV.DLL
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {72770C4F-967D-4517-982B-92D6B9015649} (DigWebHelper Class) - http://photos.fr.msn.ca/resources/neutral/...X.cab?9,0,712,0
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by24fd.bay24.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.hp.com/ediags/gmn/insta...cdetection3.cab
O16 - DPF: {41B23C28-488E-4E5C-ACE2-BB0BBABE99E8} (HHCtrl Object) - http://connect2cash.biz/new8/hhctrl.ocx
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www2.incredimail.com/contents/setup...er/imloader.cab
O16 - DPF: TruePass EPF 7,0,100,684 - https://blrscr3.egs-seg.gc.ca/applets/entru...sapplet-epf.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcophotocenter.com/CostcoUpload.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FC} (PCUploader Class) - http://www.walmartphotocentre.ca/activex/PCAXSetup.cab?
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: TruePass EPF 7,0,100,730 - https://blrscr3.egs-seg.gc.ca/applets/entru...sapplet-epf.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab



#2 jurgenv

jurgenv

  • Members
  • 1,093 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:11:16 PM

Posted 04 May 2007 - 05:37 PM

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, check whether you can click the following icon next to the files found: [image]
  • If so, click it, then click the icon right below it and select Move incurable, as shown in this image: [image]
    This will move the file to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply with a new hijackthis log.

Greets Jürgenv


#3 borlou11


Posted 04 May 2007 - 09:21 PM

Hello Jurgenv,
Done as you instructed, and I am sad to say that the "Personal Security Center" came back immediately after I rebooted. Here are the posts you asked for:

From Dr.Web:
Process.exe;C:\WINDOWS\smitRem;Tool.Prockill;Incurable.Moved.;
Process.exe;C:\RECYCLED\DC2;Tool.Prockill;Incurable.Moved.;
restart.exe;C:\RECYCLED\DC2;Tool.ShutDown.11;Incurable.Moved.;


Logfile of HijackThis v1.99.1
Scan saved at 9:49:47 PM, on 04/05/07
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\WINDOWS\SYSTEM\STCHECK32.EXE
C:\WINDOWS\SYSTEM\PCHTLS32.EXE
C:\WINDOWS\SYSTEM\ORGFOJOT.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPQTRA08.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\HPZIPM12.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.radio-canada.ca/nouvelles/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://e1.rd.yahoo.com/slv/ycheck/as/*http...com/search?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.radiocanada.ca/nouvelles/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {11972F80-D4CB-11D8-9873-000EA37335E9} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Symantec Core LC] "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" start
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [rulqrybs.exe] C:\WINDOWS\SYSTEM\rulqrybs.exe
O4 - HKLM\..\Run: [Privacy tools] C:\WINDOWS\SYSTEM\stcheck32.exe
O4 - HKLM\..\Run: [PCHelp tools] C:\WINDOWS\SYSTEM\pchtls32.exe
O4 - HKLM\..\Run: [orgfojot.exe] C:\WINDOWS\SYSTEM\orgfojot.exe
O4 - HKLM\..\Run: [tiryhqvu.exe] C:\WINDOWS\SYSTEM\tiryhqvu.exe
O4 - HKLM\..\Run: [jabmpsvu.exe] C:\WINDOWS\SYSTEM\jabmpsvu.exe
O4 - HKLM\..\Run: [azupulqn.exe] C:\WINDOWS\SYSTEM\azupulqn.exe
O4 - HKLM\..\Run: [axmzwrur.exe] C:\WINDOWS\SYSTEM\axmzwrur.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [dqpqlitg.exe] C:\WINDOWS\SYSTEM\dqpqlitg.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - Startup: HP Digital Imaging Monitor.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{81DD5688-695A-4c1d-AE7D-368BF857725A}\NewShortcut1.A6CC6977_F7B4_4C0B_9510_BCD847D4BDB2.exe
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {72770C4F-967D-4517-982B-92D6B9015649} (DigWebHelper Class) - http://photos.fr.msn.ca/resources/neutral/...X.cab?9,0,712,0
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by24fd.bay24.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.hp.com/ediags/gmn/insta...cdetection3.cab
O16 - DPF: {41B23C28-488E-4E5C-ACE2-BB0BBABE99E8} (HHCtrl Object) - http://connect2cash.biz/new8/hhctrl.ocx
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www2.incredimail.com/contents/setup...er/imloader.cab
O16 - DPF: TruePass EPF 7,0,100,684 - https://blrscr3.egs-seg.gc.ca/applets/entru...sapplet-epf.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcophotocenter.com/CostcoUpload.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FC} (PCUploader Class) - http://www.walmartphotocentre.ca/activex/PCAXSetup.cab?
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: TruePass EPF 7,0,100,730 - https://blrscr3.egs-seg.gc.ca/applets/entru...sapplet-epf.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

I appreciate your help, what is next ?

#4 borlou11


Posted 05 May 2007 - 03:14 AM

Hello Jurgenv
If it can help: the "Personal Security Center" window came back up again later. I right-clicked it for Properties. Its URL address was: file://C:\WINDOWS\SYSTEM\crhtulvv\main.htm, which I checked with VirusTotal. It came back as no virus.

#5 jurgenv


Posted 05 May 2007 - 06:05 AM

* Please open HijackThis and put a check next to the following:

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {11972F80-D4CB-11D8-9873-000EA37335E9} - (no file)
O4 - HKLM\..\Run: [rulqrybs.exe] C:\WINDOWS\SYSTEM\rulqrybs.exe
O4 - HKLM\..\Run: [Privacy tools] C:\WINDOWS\SYSTEM\stcheck32.exe
O4 - HKLM\..\Run: [PCHelp tools] C:\WINDOWS\SYSTEM\pchtls32.exe
O4 - HKLM\..\Run: [orgfojot.exe] C:\WINDOWS\SYSTEM\orgfojot.exe
O4 - HKLM\..\Run: [tiryhqvu.exe] C:\WINDOWS\SYSTEM\tiryhqvu.exe
O4 - HKLM\..\Run: [jabmpsvu.exe] C:\WINDOWS\SYSTEM\jabmpsvu.exe
O4 - HKLM\..\Run: [azupulqn.exe] C:\WINDOWS\SYSTEM\azupulqn.exe
O4 - HKLM\..\Run: [axmzwrur.exe] C:\WINDOWS\SYSTEM\axmzwrur.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [dqpqlitg.exe] C:\WINDOWS\SYSTEM\dqpqlitg.exe


* After you check the items you want to fix, close all browsers and windows, except for HijackThis, then click on the Fix Checked button on HijackThis.

* Run the Panda online virus scan at http://www.pandasoftware.com/products/activescan.htm

- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location and post it here with a new hijackthis log.
Greets Jürgenv


#6 borlou11


Posted 05 May 2007 - 01:38 PM

Bravo, Mr. Jurgenv! You have done it. The "Personal Security Center" window has disappeared and didn't come back, even after I rebooted and went on the Internet.
As asked, here are the reports:

From Panda:
Incident Status Location

Spyware:Application/UltimateFixer Not disinfected C:\WINDOWS\SYSTEM\crhtulvv\crhtulvv1.exe
Potentially unwanted tool:Application/UltimateDefender Not disinfected C:\WINDOWS\SYSTEM\crhtulvv\crhtulvv2.exe
Adware:Adware/UltimateCleaner Not disinfected C:\WINDOWS\SYSTEM\crhtulvv\crhtulvv3.exe
Adware:adware/tubby Not disinfected C:\WINDOWS\SYSTEM\MTC.ini
Adware:Adware/VideoAccess Not disinfected C:\WINDOWS\SYSTEM\rulqrybs.exe
Adware:Adware/VideoAccess Not disinfected C:\WINDOWS\SYSTEM\orgfojot.exe
Adware:Adware/VideoAccess Not disinfected C:\WINDOWS\SYSTEM\tiryhqvu.exe
Adware:Adware/VideoAccess Not disinfected C:\WINDOWS\SYSTEM\jabmpsvu.exe
Adware:Adware/VideoAccess Not disinfected C:\WINDOWS\SYSTEM\azupulqn.exe
Adware:Adware/VideoAccess Not disinfected C:\WINDOWS\SYSTEM\axmzwrur.exe
Adware:Adware/VideoAccess Not disinfected C:\WINDOWS\SYSTEM\dqpqlitg.exe
Adware:Adware/VideoAccess Not disinfected C:\WINDOWS\SYSTEM\tsdcxozc.exe
Adware:Adware/VideoAccess Not disinfected C:\WINDOWS\SYSTEM\rkpufyze.exe
Spyware:Application/UltimateFixer Not disinfected C:\WINDOWS\SYSTEM\rqiowvwv\rqiowvwv1.exe
Adware:Adware/Findspy Not disinfected C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\BlackBox.class-34495263-2c886926.class
Adware:Adware/SBSoft Not disinfected C:\WINDOWS\Downloaded Program Files\webdlg32.inf
Adware:Adware/WUpd Not disinfected C:\WINDOWS\Downloaded Program Files\WinadX.inf
Spyware:Cookie/Yadro Not disinfected C:\WINDOWS\Cookies\boris@yadro[1].txt
Spyware:Cookie/Toplist Not disinfected C:\WINDOWS\Cookies\boris@toplist[1].txt
Spyware:Cookie/Outster Not disinfected C:\WINDOWS\Cookies\boris@outster[1].txt
Spyware:Cookie/Xiti Not disinfected C:\WINDOWS\Cookies\boris@xiti[1].txt
Spyware:Cookie/MediaTickets Not disinfected C:\WINDOWS\Cookies\boris@kinghost[1].txt
Spyware:Cookie/TopRebates.com Not disinfected C:\WINDOWS\Cookies\boris@www.toprebates[2].txt
Spyware:Cookie/Enhance Not disinfected C:\WINDOWS\Cookies\boris@c.enhance[1].txt
Spyware:Cookie/GoStats Not disinfected C:\WINDOWS\Cookies\boris@c3.gostats[2].txt
Spyware:Cookie/Ccbill Not disinfected C:\WINDOWS\Cookies\boris@ccbill[2].txt
Spyware:Cookie/Xiti Not disinfected C:\WINDOWS\Cookies\boris@xiti[2].txt
Spyware:Cookie/Toplist Not disinfected C:\WINDOWS\Cookies\boris@toplist[2].txt
Spyware:Cookie/GoStats Not disinfected C:\WINDOWS\Cookies\boris@c3.gostats[3].txt
Spyware:Cookie/MediaTickets Not disinfected C:\WINDOWS\Cookies\boris@kinghost[2].txt
Spyware:Cookie/Belnk Not disinfected C:\WINDOWS\Cookies\boris@dist.belnk[2].txt
Spyware:Cookie/Rightmedia Not disinfected C:\WINDOWS\Cookies\boris@rightmedia[1].txt
Spyware:Cookie/Ccbill Not disinfected C:\WINDOWS\Cookies\boris@ccbill[1].txt
Spyware:Cookie/GoClick Not disinfected C:\WINDOWS\Cookies\boris@c.goclick[2].txt
Spyware:Cookie/Belnk Not disinfected C:\WINDOWS\Cookies\boris@belnk[1].txt
Spyware:Cookie/Belnk Not disinfected C:\WINDOWS\Cookies\boris@dist.belnk[3].txt
Spyware:Cookie/Ccbill Not disinfected C:\WINDOWS\Cookies\boris@ccbill[3].txt
Spyware:Cookie/Yadro Not disinfected C:\WINDOWS\Cookies\boris@yadro[3].txt
Spyware:Cookie/Toplist Not disinfected C:\WINDOWS\Cookies\boris@toplist[3].txt
Spyware:Cookie/888 Not disinfected C:\WINDOWS\Cookies\boris@888[1].txt
Spyware:Cookie/Entrepreneur Not disinfected C:\WINDOWS\Cookies\boris@entrepreneur[1].txt
Spyware:Cookie/Toplist Not disinfected C:\WINDOWS\Cookies\boris@toplist[4].txt
Spyware:Cookie/Ccbill Not disinfected C:\WINDOWS\Cookies\boris@ccbill[5].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\DoctorWeb\Quarantine\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\DoctorWeb\Quarantine\Process0.exe
Virus:Trj/Shutdown.Z Disinfected C:\DoctorWeb\Quarantine\restart.exe

Logfile of HijackThis v1.99.1
Scan saved at 2:31:31 PM, on 05/05/07
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\WINDOWS\SYSTEM\TSDCXOZC.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPQTRA08.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\HPZIPM12.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.radio-canada.ca/nouvelles/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://e1.rd.yahoo.com/slv/ycheck/as/*http...com/search?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.radiocanada.ca/nouvelles/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Symantec Core LC] "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" start
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [tsdcxozc.exe] C:\WINDOWS\SYSTEM\tsdcxozc.exe
O4 - HKLM\..\Run: [rkpufyze.exe] C:\WINDOWS\SYSTEM\rkpufyze.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [gdgfgzir.exe] C:\WINDOWS\SYSTEM\gdgfgzir.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - Startup: HP Digital Imaging Monitor.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{81DD5688-695A-4c1d-AE7D-368BF857725A}\NewShortcut1.A6CC6977_F7B4_4C0B_9510_BCD847D4BDB2.exe
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {72770C4F-967D-4517-982B-92D6B9015649} (DigWebHelper Class) - http://photos.fr.msn.ca/resources/neutral/...X.cab?9,0,712,0
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by24fd.bay24.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.hp.com/ediags/gmn/insta...cdetection3.cab
O16 - DPF: {41B23C28-488E-4E5C-ACE2-BB0BBABE99E8} (HHCtrl Object) - http://connect2cash.biz/new8/hhctrl.ocx
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www2.incredimail.com/contents/setup...er/imloader.cab
O16 - DPF: TruePass EPF 7,0,100,684 - https://blrscr3.egs-seg.gc.ca/applets/entru...sapplet-epf.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcophotocenter.com/CostcoUpload.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FC} (PCUploader Class) - http://www.walmartphotocentre.ca/activex/PCAXSetup.cab?
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: TruePass EPF 7,0,100,730 - https://blrscr3.egs-seg.gc.ca/applets/entru...sapplet-epf.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

I suppose I can remove Dr.Web.csv? Also, the HJT O16 Symantec entries, can I remove them and others? I had a Norton Antivirus before but haven't had it anymore for several months.
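An added example, not part of the original thread: a small triage script for HijackThis `O4` autorun lines that flags the pattern visible in these logs (a Run value named after its own eight-letter executable in C:\WINDOWS\SYSTEM) and compares two logs to show which flagged entries are new. The function names and the naming heuristic are assumptions made for this illustration; the sample lines are a subset copied from the logs in posts #3 and #6.

```python
import ntpath
import re

# Subset of O4 lines copied from the HijackThis log in post #3 (before the fix).
LOG_POST_3 = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [rulqrybs.exe] C:\WINDOWS\SYSTEM\rulqrybs.exe
O4 - HKLM\..\Run: [Privacy tools] C:\WINDOWS\SYSTEM\stcheck32.exe
O4 - HKLM\..\Run: [orgfojot.exe] C:\WINDOWS\SYSTEM\orgfojot.exe
O4 - HKLM\..\Run: [tiryhqvu.exe] C:\WINDOWS\SYSTEM\tiryhqvu.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
"""

# Subset of O4 lines copied from the HijackThis log in post #6 (after the fix).
LOG_POST_6 = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [tsdcxozc.exe] C:\WINDOWS\SYSTEM\tsdcxozc.exe
O4 - HKLM\..\Run: [rkpufyze.exe] C:\WINDOWS\SYSTEM\rkpufyze.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [gdgfgzir.exe] C:\WINDOWS\SYSTEM\gdgfgzir.exe
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_LINE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")


def executable_of(command):
    """Return the program part of a Run command line, without arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    # Unquoted paths may contain spaces, so cut at the first ".exe" token end.
    match = re.match(r"(.+?\.exe)(?=\s|$)", command, re.IGNORECASE)
    return match.group(1) if match else command.split()[0]


def parse_o4(log):
    """Parse registry autorun (O4) lines into dicts; other lines are skipped."""
    entries = []
    for line in log.splitlines():
        match = O4_LINE.match(line.strip())
        if match:
            hive, key, name, command = match.groups()
            entries.append({"hive": hive, "key": key, "name": name,
                            "exe": executable_of(command)})
    return entries


def is_random_autorun(entry):
    """Heuristic (assumption): value name == file name, 8 letters, in SYSTEM.

    Requiring the explicit C:\\WINDOWS\\SYSTEM path keeps the stock
    "[internat.exe] internat.exe" entry from matching. Entries with
    descriptive value names, such as "[Privacy tools]", are outside this
    heuristic and need a separate reputation check.
    """
    folder, filename = ntpath.split(entry["exe"])
    stem, ext = ntpath.splitext(filename.lower())
    return (folder.lower() == r"c:\windows\system"
            and ext == ".exe"
            and entry["name"].lower() == filename.lower()
            and re.fullmatch(r"[a-z]{8}", stem) is not None)


def suspicious(log):
    """Sorted, lower-cased file names of flagged autorun entries in one log."""
    return sorted({ntpath.basename(e["exe"]).lower()
                   for e in parse_o4(log) if is_random_autorun(e)})


def regenerated(before, after):
    """Flagged entries in the later log that the earlier log did not have."""
    return sorted(set(suspicious(after)) - set(suspicious(before)))


if __name__ == "__main__":
    print("post #3 flagged:", suspicious(LOG_POST_3))
    print("post #6 flagged:", suspicious(LOG_POST_6))
    print("new since post #3:", regenerated(LOG_POST_3, LOG_POST_6))
```

Flagged names that appear only in the later log mean new Run values were written between the two scans, so the later log still needs review even though the pop-up is gone.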

#7 jurgenv


Posted 05 May 2007 - 06:55 PM

* Next, please reboot your computer in Safe Mode and delete the following files:

C:\WINDOWS\SYSTEM\MTC.ini
C:\WINDOWS\SYSTEM\rulqrybs.exe
C:\WINDOWS\SYSTEM\orgfojot.exe
C:\WINDOWS\SYSTEM\tiryhqvu.exe
C:\WINDOWS\SYSTEM\jabmpsvu.exe
C:\WINDOWS\SYSTEM\azupulqn.exe
C:\WINDOWS\SYSTEM\axmzwrur.exe
C:\WINDOWS\SYSTEM\dqpqlitg.exe
C:\WINDOWS\SYSTEM\tsdcxozc.exe
C:\WINDOWS\SYSTEM\rkpufyze.exe
C:\WINDOWS\Downloaded Program Files\webdlg32.inf
C:\WINDOWS\Downloaded Program Files\WinadX.inf

And delete the following folders:

C:\WINDOWS\SYSTEM\rqiowvwv
C:\WINDOWS\SYSTEM\crhtulvv

After that, boot back into normal mode and post a new hijackthis log here.
Greets Jürgenv


#8 borlou11


Posted 06 May 2007 - 10:46 AM

No "Personal Security Center" window or icon yesterday. This morning I had to reboot and they came back. I removed them manually.
Deleted in Safe Mode through Windows Explorer as per instructions. Couldn't find:
C:\WINDOWS\Downloaded Program Files\webdlg32.inf
C:\WINDOWS\Downloaded Program Files\WinadX.inf
"Personal Security Center" icon came later on.

This may help. I opened Internet Explorer this morning before the Safe Mode deletions and found 5 sites that I didn't visit. See the attached file: Sites_not_visited_2007_05_06.doc

Logfile of HijackThis v1.99.1
Scan saved at 11:34:19 AM, on 06/05/07
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\WINDOWS\SYSTEM\NOJUHKPS.EXE
C:\WINDOWS\SYSTEM\PCHTLS32.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPQTRA08.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\HPZIPM12.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.radio-canada.ca/nouvelles/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://e1.rd.yahoo.com/slv/ycheck/as/*http...com/search?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.radiocanada.ca/nouvelles/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Symantec Core LC] "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" start
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [tsdcxozc.exe] C:\WINDOWS\SYSTEM\tsdcxozc.exe
O4 - HKLM\..\Run: [rkpufyze.exe] C:\WINDOWS\SYSTEM\rkpufyze.exe
O4 - HKLM\..\Run: [gdgfgzir.exe] C:\WINDOWS\SYSTEM\gdgfgzir.exe
O4 - HKLM\..\Run: [dabibijw.exe] C:\WINDOWS\SYSTEM\dabibijw.exe
O4 - HKLM\..\Run: [uvezahgv.exe] C:\WINDOWS\SYSTEM\uvezahgv.exe
O4 - HKLM\..\Run: [qfenqtov.exe] C:\WINDOWS\SYSTEM\qfenqtov.exe
O4 - HKLM\..\Run: [nojuhkps.exe] C:\WINDOWS\SYSTEM\nojuhkps.exe
O4 - HKLM\..\Run: [PCHelp tools] C:\WINDOWS\SYSTEM\pchtls32.exe
O4 - HKLM\..\Run: [xafolufk.exe] C:\WINDOWS\SYSTEM\xafolufk.exe
O4 - HKLM\..\Run: [bcbihuzg.exe] C:\WINDOWS\SYSTEM\bcbihuzg.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - Startup: HP Digital Imaging Monitor.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{81DD5688-695A-4c1d-AE7D-368BF857725A}\NewShortcut1.A6CC6977_F7B4_4C0B_9510_BCD847D4BDB2.exe
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {72770C4F-967D-4517-982B-92D6B9015649} (DigWebHelper Class) - http://photos.fr.msn.ca/resources/neutral/...X.cab?9,0,712,0
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by24fd.bay24.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.hp.com/ediags/gmn/insta...cdetection3.cab
O16 - DPF: {41B23C28-488E-4E5C-ACE2-BB0BBABE99E8} (HHCtrl Object) - http://connect2cash.biz/new8/hhctrl.ocx
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www2.incredimail.com/contents/setup...er/imloader.cab
O16 - DPF: TruePass EPF 7,0,100,684 - https://blrscr3.egs-seg.gc.ca/applets/entru...sapplet-epf.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcophotocenter.com/CostcoUpload.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FC} (PCUploader Class) - http://www.walmartphotocentre.ca/activex/PCAXSetup.cab?
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: TruePass EPF 7,0,100,730 - https://blrscr3.egs-seg.gc.ca/applets/entru...sapplet-epf.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

#9 jurgenv


Posted 06 May 2007 - 10:50 AM

* Please open hijackthis and put a check next to the following:

O4 - HKLM\..\Run: [tsdcxozc.exe] C:\WINDOWS\SYSTEM\tsdcxozc.exe
O4 - HKLM\..\Run: [rkpufyze.exe] C:\WINDOWS\SYSTEM\rkpufyze.exe
O4 - HKLM\..\Run: [gdgfgzir.exe] C:\WINDOWS\SYSTEM\gdgfgzir.exe
O4 - HKLM\..\Run: [dabibijw.exe] C:\WINDOWS\SYSTEM\dabibijw.exe
O4 - HKLM\..\Run: [uvezahgv.exe] C:\WINDOWS\SYSTEM\uvezahgv.exe
O4 - HKLM\..\Run: [qfenqtov.exe] C:\WINDOWS\SYSTEM\qfenqtov.exe
O4 - HKLM\..\Run: [nojuhkps.exe] C:\WINDOWS\SYSTEM\nojuhkps.exe
O4 - HKLM\..\Run: [PCHelp tools] C:\WINDOWS\SYSTEM\pchtls32.exe
O4 - HKLM\..\Run: [xafolufk.exe] C:\WINDOWS\SYSTEM\xafolufk.exe
O4 - HKLM\..\Run: [bcbihuzg.exe] C:\WINDOWS\SYSTEM\bcbihuzg.exe


* After you check the items you want to fix, close all browsers and windows, except for HijackThis, then click on the Fix Checked button on HijackThis.

* After that, redo a scan with Dr.web and post the report here with a new hijackthis log.
Greets Jürgenv
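
A triage sketch for the O4 entries listed in the post above, added here as an example and not part of the original thread. It flags Run values whose name equals an eight-letter lowercase .exe sitting directly in C:\WINDOWS\SYSTEM; that pattern and the function names are assumptions of this example, and it does not catch `[PCHelp tools] pchtls32.exe`, which still needs a human decision.

```python
import re
from collections import namedtuple

Autorun = namedtuple("Autorun", "key name command")

# HijackThis registry autorun line: "O4 - HKLM\..\Run: [value name] command"
O4_RE = re.compile(r"^O4 - (HK\w+\\\.\.\\\w+): \[(.+?)\] (.+)$")
# Assumed heuristic: exactly eight lowercase letters plus .exe, directly
# in C:\WINDOWS\SYSTEM (matches the names seen in this thread's logs).
RANDOM_EXE_RE = re.compile(r"^C:\\WINDOWS\\SYSTEM\\([a-z]{8}\.exe)$")


def parse_o4(log_text):
    """Return the registry autorun entries found in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(Autorun(*m.groups()))
    return entries


def is_suspicious(entry):
    """True when the value name is the file name of a random-looking exe."""
    m = RANDOM_EXE_RE.match(entry.command.strip('"'))
    return bool(m) and entry.name == m.group(1)


def triage(log_text):
    """Commands of the autorun entries that deserve a closer look."""
    return [e.command for e in parse_o4(log_text) if is_suspicious(e)]


# Subset of O4 lines copied from the 06 May 11:34 log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [tsdcxozc.exe] C:\WINDOWS\SYSTEM\tsdcxozc.exe
O4 - HKLM\..\Run: [gdgfgzir.exe] C:\WINDOWS\SYSTEM\gdgfgzir.exe
O4 - HKLM\..\Run: [PCHelp tools] C:\WINDOWS\SYSTEM\pchtls32.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
"""

if __name__ == "__main__":
    for command in triage(SAMPLE_LOG):
        print("review:", command)
```

Running the same function over the log taken after Fix Checked should return an empty list, which is a quick way to confirm the entries did not regenerate.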


#10 borlou11


Posted 06 May 2007 - 02:09 PM

Done.
No virus found with Dr. Web.

Logfile of HijackThis v1.99.1
Scan saved at 3:09:48 PM, on 06/05/07
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.radio-canada.ca/nouvelles/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://e1.rd.yahoo.com/slv/ycheck/as/*http...com/search?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.radiocanada.ca/nouvelles/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Symantec Core LC] "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" start
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - Startup: HP Digital Imaging Monitor.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{81DD5688-695A-4c1d-AE7D-368BF857725A}\NewShortcut1.A6CC6977_F7B4_4C0B_9510_BCD847D4BDB2.exe
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {72770C4F-967D-4517-982B-92D6B9015649} (DigWebHelper Class) - http://photos.fr.msn.ca/resources/neutral/...X.cab?9,0,712,0
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by24fd.bay24.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.hp.com/ediags/gmn/insta...cdetection3.cab
O16 - DPF: {41B23C28-488E-4E5C-ACE2-BB0BBABE99E8} (HHCtrl Object) - http://connect2cash.biz/new8/hhctrl.ocx
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www2.incredimail.com/contents/setup...er/imloader.cab
O16 - DPF: TruePass EPF 7,0,100,684 - https://blrscr3.egs-seg.gc.ca/applets/entru...sapplet-epf.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcophotocenter.com/CostcoUpload.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FC} (PCUploader Class) - http://www.walmartphotocentre.ca/activex/PCAXSetup.cab?
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: TruePass EPF 7,0,100,730 - https://blrscr3.egs-seg.gc.ca/applets/entru...sapplet-epf.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

#11 jurgenv


Posted 06 May 2007 - 02:11 PM

Looking good, how is everything working?
Greets Jürgenv


#12 borlou11


Posted 06 May 2007 - 02:33 PM

It's good up to now. Closed and opened my computer. Opened Internet Explorer and Outlook Express. No "Personal Security Center" window or icon. I would like to check with you tomorrow, just to make sure, if you don't mind?

#13 jurgenv


Posted 06 May 2007 - 02:35 PM

Ok, no problem. :thumbsup:
Greets Jürgenv


#14 borlou11


Posted 07 May 2007 - 01:58 PM

Thank you for your help and your patience. No "Personal Security Center" window or icon since yesterday. I hope it stays that way. It was a pleasure solving this problem with you. Thank you very much, Mr. Jurgenv!

#15 jurgenv


Posted 07 May 2007 - 01:59 PM

You're welcome. :thumbsup:
Greets Jürgenv
