
My Highjack This Log File


  • This topic is locked
16 replies to this topic

#1 UNCLE_CT

Posted 20 May 2007 - 09:55 AM

I started this topic http://www.bleepingcomputer.com/forums/ind...t=0#entry516756

Then I read all of the "Preparation Guide for use before posting a HijackThis Log" forum, and I am now at this point. Here is my HijackThis log file.

thanks CT


Preparation Guide for use before posting a HijackThis Log


Logfile of HijackThis v1.99.1
Scan saved at 9:42:32 AM, on 5/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {8AF239EA-D01B-419C-947B-DA7C2EDFBB6B} - C:\Program Files\WindowsUpdate\niqybel.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EEF72435-42EA-4631-8347-BEC994A6BB90} - C:\Program Files\WindowsUpdate\niqybel.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
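A way to triage a log like the one above mechanically, as an added example that is not part of the original post and not part of HijackThis itself. The sample lines are copied from the log above; the heuristics (COM objects registered with no display name, one DLL behind several CLSIDs, Run entries that give only a bare file name, Winlogon Notify DLLs outside System32) are my own choices for what deserves a second look, not a verdict on any entry.

```python
import re
from collections import defaultdict

# Constructed sample input: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8AF239EA-D01B-419C-947B-DA7C2EDFBB6B} - C:\Program Files\WindowsUpdate\niqybel.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {EEF72435-42EA-4631-8347-BEC994A6BB90} - C:\Program Files\WindowsUpdate\niqybel.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

COM_RE = re.compile(r"^(O[23]) - (?:BHO|Toolbar): (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
RUN_RE = re.compile(r"^O4 - (.*?): \[(.*?)\] (.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (.*?) - (.*)$")


def parse_hjt(text):
    """Pull the O2/O3 (IE COM objects), O4 (Run keys) and O20 (Winlogon Notify)
    entries out of a HijackThis log; other sections are ignored here."""
    com_objects, run_entries, notify_dlls = [], [], []
    for line in text.splitlines():
        line = line.strip()
        if m := COM_RE.match(line):
            com_objects.append({"section": m[1], "name": m[2], "clsid": m[3].upper(), "path": m[4]})
        elif m := RUN_RE.match(line):
            run_entries.append({"hive": m[1], "value": m[2], "command": m[3]})
        elif m := NOTIFY_RE.match(line):
            notify_dlls.append({"name": m[1], "path": m[2]})
    return com_objects, run_entries, notify_dlls


def triage(text):
    """Return (kind, detail) findings that deserve a human look. These are
    hygiene heuristics, not verdicts: a hit means 'explain this', not 'malware'."""
    com_objects, run_entries, notify_dlls = parse_hjt(text)
    findings = []
    clsids_by_dll = defaultdict(list)
    for obj in com_objects:
        if obj["path"] == "(no file)":
            # Registration left behind by an uninstalled add-on: dead weight, not a threat.
            findings.append(("orphan", f"{obj['section']} {obj['clsid']} points at a missing file"))
            continue
        clsids_by_dll[obj["path"].lower()].append(obj["clsid"])
        if obj["name"] == "(no name)":
            # Legitimate add-ons almost always register a display name.
            findings.append(("unnamed", f"{obj['section']} {obj['clsid']} loads {obj['path']} with no display name"))
    for dll, clsids in clsids_by_dll.items():
        if len(clsids) > 1:
            # One DLL behind several CLSIDs still gets loaded if only one registration is removed.
            findings.append(("multi-clsid", f"{dll} is registered under {len(clsids)} CLSIDs: {', '.join(clsids)}"))
    for entry in run_entries:
        program = entry["command"].strip('"').split(" ")[0]
        if "\\" not in program:
            # A bare file name is resolved through the PATH search order at logon,
            # so whichever same-named file is found first is what actually runs.
            findings.append(("bare-name", f"{entry['hive']} [{entry['value']}] runs {program!r} without a path"))
    for dll in notify_dlls:
        if "\\system32\\" not in dll["path"].lower():
            # Notify packages load into winlogon.exe itself; anything outside
            # System32 is unusual enough to justify checking its publisher.
            findings.append(("notify-outside-system32", f"Winlogon Notify {dll['name']} loads {dll['path']}"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:24} {detail}")
```

Run against the sample it reports the two unnamed BHOs that share niqybel.dll, the orphaned CLSID, the path-less VTTimer.exe Run entry and the SUPERAntiSpyware notify DLL; the last two are ordinary on a consumer PC, which is exactly why the output is a reading list for a human rather than a removal list.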


#2 UNCLE_CT

Posted 20 May 2007 - 12:12 PM

Is this in the right place?

#3 UNCLE_CT

Posted 20 May 2007 - 02:09 PM

Sorry to bump this, but is this in the right place? Thanks, all.

#4 OldTimer
Malware Expert

Posted 22 May 2007 - 02:19 PM

Hello UNCLE_CT and welcome to the BC HijackThis forum. It looks like there is something in there. Let's start off with a couple of scans.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Now download WinPFind3u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
  • Do not change any settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here.

If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.

Also post the log file from VundoFix (c:\vundofix.txt) back here so I can take a look at it.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#5 UNCLE_CT

Posted 23 May 2007 - 04:40 PM

Ran VundoFix.exe and it found nothing.

I am getting mystery windows popping up when I visit normal and safe web sites. Most are dead links and can't be opened. But it is annoying trying to surf; I get a new pop-up window every other page, if not more.

#6 OldTimer
Malware Expert

Posted 23 May 2007 - 05:14 PM

Hi UNCLE_CT. That's good that VundoFix didn't find anything. Now run the WinPFind3u scan and post that log back here.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#7 UNCLE_CT

Posted 25 May 2007 - 06:47 PM

WinPFind3 logfile created on: 5/25/2007 6:32:10 PM
WinPFind3U by OldTimer - Version 1.0.38 Folder = C:\Documents and Settings\Owner\Desktop\New Folder\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 7.0.5730.11)

247.48 Mb Total Physical Memory | 61.24 Mb Available Physical Memory | 24.74% Memory free
606.32 Mb Paging File | 295.64 Mb Available in Paging File | 48.76% Paging File free
Paging file location(s): C:\pagefile.sys 372 744;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 70.44 Gb Total Space | 59.73 Gb Free Space | 84.79% Space Free
Drive D: | 4.07 Gb Total Space | 0.69 Gb Free Space | 16.98% Space Free
Drive E: | 502.08 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free
F: Drive not present or media not loaded

Computer Name: YOUR-2S4KN5K0H3
Current User Name: Owner
Logged in as Administrator.
Current Boot Mode: Normal


[Processes - Non-Microsoft Only]
acrord32.exe -> %ProgramFiles%\Adobe\Acrobat 7.0\Reader\AcroRd32.exe -> Adobe Systems Incorporated [Ver = 7.0.8.2006051600 | Size = 71288 bytes | Modified Date = 5/16/2006 11:15:10 PM | Attr = ]
avgamsvr.exe -> %ProgramFiles%\Grisoft\AVG7\avgamsvr.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.453 | Size = 353280 bytes | Modified Date = 5/20/2007 10:27:04 AM | Attr = ]
avgrssvc.exe -> %ProgramFiles%\Grisoft\AVG7\avgrssvc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.442 | Size = 192512 bytes | Modified Date = 5/20/2007 10:27:04 AM | Attr = ]
avgrssvc.exe -> %ProgramFiles%\Grisoft\AVG7\avgrssvc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.442 | Size = 192512 bytes | Modified Date = 5/20/2007 10:27:04 AM | Attr = ]
avgupsvc.exe -> %ProgramFiles%\Grisoft\AVG7\avgupsvc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.420 | Size = 49664 bytes | Modified Date = 5/20/2007 10:27:12 AM | Attr = ]
pokerstars.exe -> %ProgramFiles%\PokerStars\PokerStars.exe -> PokerStars [Ver = 2.1.8.8 | Size = 3651104 bytes | Modified Date = 5/7/2007 11:54:06 AM | Attr = ]
winpfind3u.exe -> %UserDesktop%\New Folder\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.38.0 | Size = 318976 bytes | Modified Date = 5/22/2007 6:27:40 PM | Attr = ]

[Win32 Services - Non-Microsoft Only]
(Avg7Alrt) AVG7 Alert Manager Server [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG7\avgamsvr.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.453 | Size = 353280 bytes | Modified Date = 5/20/2007 10:27:04 AM | Attr = ]
(Avg7UpdSvc) AVG7 Update Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG7\avgupsvc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.420 | Size = 49664 bytes | Modified Date = 5/20/2007 10:27:12 AM | Attr = ]
(AvgCoreSvc) AVG7 Resident Shield Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG7\avgrssvc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.442 | Size = 192512 bytes | Modified Date = 5/20/2007 10:27:04 AM | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 8/4/2004 2:56:48 AM | Attr = ]
(Pml Driver HPZ12) Pml Driver HPZ12 [Win32_Own | Disabled | Stopped] -> %System32%\hpzipm12.exe -> HP [Ver = 7, 0, 0, 0 | Size = 65795 bytes | Modified Date = 1/5/2004 2:27:32 AM | Attr = ]
(SNDSrvc) Symantec Network Drivers Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Symantec Shared\SNDSrvc.exe -> Symantec Corporation [Ver = 5.5.1.6 | Size = 206552 bytes | Modified Date = 4/5/2005 12:17:22 PM | Attr = ]

[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AVG7_CC -> %ProgramFiles%\Grisoft\AVG7\avgcc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.460 | Size = 416256 bytes | Modified Date = 5/20/2007 10:27:06 AM | Attr = ]
< OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\
IMAIL -> Installed = 1 ->
MAPI -> Installed = 1 ->
MSFS -> Installed = 1 ->
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
avgwlntf -> %System32%\avgwlntf.dll -> GRISOFT, s.r.o. [Ver = 7.5.0.446 | Size = 9216 bytes | Modified Date = 5/20/2007 10:27:18 AM | Attr = ]
< CurrentVersion Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 ->
< CurrentVersion Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableTaskMgr -> 0 ->
< HOSTS File > (734 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts
127.0.0.1 localhost -> ->
< Internet Explorer Settings > ->
HKLM: Local Page -> %SystemRoot%\system32\blank.htm ->
HKLM: Start Page -> about:blank ->
HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKLM: SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm ->
HKCU: Local Page -> C:\WINDOWS\system32\blank.htm ->
HKCU: Start Page -> http://www.yahoo.com/ ->
HKCU: ProxyEnable -> 0 ->
< Trusted Sites > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
msn.com [ - ] -> ->
< Internet Explorer Bars [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{32683183-48a0-441b-a342-7c2a440a9478} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
{EBE3E634-1C1F-42c2-A00D-81AFEDE78438} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\
{C4B24B45-B772-450A-8E6C-A37195A37C21} -> (Realtek RTL8139/810x Family Fast Ethernet NIC) ->
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\
cetihpz -> %ProgramFiles%\HP\hpcoretech\comp\hpuiprot.dll -> Hewlett-Packard Company [Ver = 2.1.6.2 | Size = 81920 bytes | Modified Date = 1/12/2005 2:54:56 PM | Attr = ]
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
{233C1507-6A77-46A4-9443-F871F945D258} -> Shockwave ActiveX Control - CodeBase = http://download.macromedia.com/pub/shockwa...director/sw.cab ->
{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} -> BDSCANONLINE Control - CodeBase = http://download.bitdefender.com/resources/scan8/oscan8.cab ->


[Files/Folders - Created Within 30 days]
$VAULT$.AVG -> %SystemDrive%\$VAULT$.AVG -> [Folder | Created Date = 5/20/2007 10:26:34 AM | Attr = RH ]
Config.Msi -> %SystemDrive%\Config.Msi -> [Folder | Created Date = 5/20/2007 11:04:35 AM | Attr = HS]
VundoFix Backups -> %SystemDrive%\VundoFix Backups -> [Folder | Created Date = 5/23/2007 1:10:29 PM | Attr = ]
$NtUninstallKB927891$ -> %SystemRoot%\$NtUninstallKB927891$ -> [Folder | Created Date = 5/23/2007 7:16:13 AM | Attr = H ]
$NtUninstallKB930916$ -> %SystemRoot%\$NtUninstallKB930916$ -> [Folder | Created Date = 5/9/2007 5:43:25 PM | Attr = H ]
BDOSCAN8 -> %SystemRoot%\BDOSCAN8 -> [Folder | Created Date = 5/19/2007 5:16:54 PM | Attr = ]
Chutes.ini -> %SystemRoot%\Chutes.ini -> [Ver = | Size = 253 bytes | Created Date = 5/22/2007 10:34:23 AM | Attr = ]
5642.bat -> %System32%\5642.bat -> [Ver = | Size = 167 bytes | Created Date = 5/4/2007 12:08:41 AM | Attr = ]
avgwlntf.dll -> %System32%\avgwlntf.dll -> GRISOFT, s.r.o. [Ver = 7.5.0.446 | Size = 9216 bytes | Created Date = 5/20/2007 9:27:17 AM | Attr = ]
MRT.INI -> %System32%\MRT.INI -> [Ver = | Size = 118 bytes | Created Date = 5/9/2007 5:42:48 PM | Attr = ]
MSINET.oca -> %System32%\MSINET.oca -> [Ver = | Size = 29184 bytes | Created Date = 4/25/2007 11:30:14 PM | Attr = ]
SBO -> %System32%\SBO -> [Folder | Created Date = 5/4/2007 12:08:14 AM | Attr = ]
setup9x.exe -> %System32%\setup9x.exe -> w00t [Ver = 1.00 | Size = 32768 bytes | Created Date = 5/4/2007 12:07:46 AM | Attr = ]
smpi1 -> %System32%\smpi1 -> [Folder | Created Date = 5/4/2007 12:08:18 AM | Attr = ]
taskkill.exe -> %System32%\taskkill.exe -> [Ver = | Size = 0 bytes | Created Date = 5/4/2007 12:07:43 AM | Attr = ]
vbzip10.dll -> %System32%\vbzip10.dll -> Info-ZIP [Ver = 2.3 | Size = 147456 bytes | Created Date = 5/4/2007 12:07:32 AM | Attr = ]
avg7core.sys -> %System32%\drivers\avg7core.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.467 | Size = 777984 bytes | Created Date = 5/20/2007 9:27:12 AM | Attr = ]
avg7rsw.sys -> %System32%\drivers\avg7rsw.sys -> GRISOFT, s.r.o. [Ver = 7,0,0,340 | Size = 4224 bytes | Created Date = 5/20/2007 9:27:13 AM | Attr = ]
avg7rsxp.sys -> %System32%\drivers\avg7rsxp.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.442 | Size = 27776 bytes | Created Date = 5/20/2007 9:27:13 AM | Attr = ]
avgclean.sys -> %System32%\drivers\avgclean.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 3968 bytes | Created Date = 5/20/2007 9:27:16 AM | Attr = ]
avgmfx86.sys -> %System32%\drivers\avgmfx86.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.447 | Size = 19840 bytes | Created Date = 5/20/2007 9:27:14 AM | Attr = ]
core.cache.dsk -> %System32%\drivers\core.cache.dsk -> [Ver = | Size = 193055 bytes | Created Date = 5/4/2007 12:08:23 AM | Attr = ]
core.sys -> %System32%\drivers\core.sys -> [Ver = | Size = 72320 bytes | Created Date = 5/4/2007 12:08:22 AM | Attr = ]

[Files/Folders - Modified Within 30 days]
$VAULT$.AVG -> %SystemDrive%\$VAULT$.AVG -> [Folder | Modified Date = 5/24/2007 1:14:50 PM | Attr = RH ]
Config.Msi -> %SystemDrive%\Config.Msi -> [Folder | Modified Date = 5/21/2007 9:08:40 AM | Attr = HS]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 259575808 bytes | Modified Date = 5/25/2007 10:02:06 AM | Attr = HS]
Program Files -> %ProgramFiles% -> [Folder | Modified Date = 5/22/2007 11:34:14 AM | Attr = ]
temp -> %SystemDrive%\temp -> [Folder | Modified Date = 5/4/2007 1:08:36 AM | Attr = ]
VundoFix Backups -> %SystemDrive%\VundoFix Backups -> [Folder | Modified Date = 5/23/2007 2:10:30 PM | Attr = ]
WINDOWS -> %SystemRoot% -> [Folder | Modified Date = 5/23/2007 8:23:08 AM | Attr = ]
$hf_mig$ -> %SystemRoot%\$hf_mig$ -> [Folder | Modified Date = 5/23/2007 8:15:50 AM | Attr = H ]
$NtUninstallKB927891$ -> %SystemRoot%\$NtUninstallKB927891$ -> [Folder | Modified Date = 5/23/2007 8:16:16 AM | Attr = H ]
$NtUninstallKB930916$ -> %SystemRoot%\$NtUninstallKB930916$ -> [Folder | Modified Date = 5/9/2007 6:43:28 PM | Attr = H ]
BDOSCAN8 -> %SystemRoot%\BDOSCAN8 -> [Folder | Modified Date = 5/19/2007 10:00:52 PM | Attr = ]
bootstat.dat -> %SystemRoot%\bootstat.dat -> [Ver = | Size = 2048 bytes | Modified Date = 5/25/2007 10:02:08 AM | Attr = S]
Chutes.ini -> %SystemRoot%\Chutes.ini -> [Ver = | Size = 253 bytes | Modified Date = 5/22/2007 11:34:28 AM | Attr = ]
Debug -> %SystemRoot%\Debug -> [Folder | Modified Date = 5/9/2007 6:41:26 PM | Attr = ]
Disney.ini -> %SystemRoot%\Disney.ini -> [Ver = | Size = 1545 bytes | Modified Date = 5/6/2007 8:22:20 PM | Attr = ]
Downloaded Installations -> %SystemRoot%\Downloaded Installations -> [Folder | Modified Date = 5/4/2007 1:00:58 PM | Attr = ]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files -> [Folder | Modified Date = 5/24/2007 5:30:06 PM | Attr = S]
ie7updates -> %SystemRoot%\ie7updates -> [Folder | Modified Date = 5/9/2007 6:47:54 PM | Attr = ]
imsins.BAK -> %SystemRoot%\imsins.BAK -> [Ver = | Size = 1355 bytes | Modified Date = 5/9/2007 6:48:40 PM | Attr = ]
inf -> %SystemRoot%\inf -> [Folder | Modified Date = 5/23/2007 8:16:26 AM | Attr = H ]
Installer -> %SystemRoot%\Installer -> [Folder | Modified Date = 5/20/2007 2:49:28 PM | Attr = HS]
ka.ini -> %SystemRoot%\ka.ini -> [Ver = | Size = 94 bytes | Modified Date = 5/15/2007 10:25:04 AM | Attr = ]
network diagnostic -> %SystemRoot%\network diagnostic -> [Folder | Modified Date = 5/20/2007 9:40:34 AM | Attr = ]
PowerReg.dat -> %SystemRoot%\PowerReg.dat -> [Ver = | Size = 221 bytes | Modified Date = 5/22/2007 8:56:06 AM | Attr = ]
Prefetch -> %SystemRoot%\Prefetch -> [Folder | Modified Date = 5/25/2007 6:31:32 PM | Attr = ]
Registration -> %SystemRoot%\Registration -> [Folder | Modified Date = 5/4/2007 1:54:36 AM | Attr = ]
system -> %SystemRoot%\system -> [Folder | Modified Date = 5/20/2007 10:26:06 AM | Attr = ]
system32 -> %System32% -> [Folder | Modified Date = 5/24/2007 5:30:28 PM | Attr = ]
Tasks -> %SystemRoot%\Tasks -> [Folder | Modified Date = 5/20/2007 10:56:38 AM | Attr = S]
Temp -> %SystemRoot%\Temp -> [Folder | Modified Date = 5/25/2007 10:02:58 AM | Attr = ]
win.ini -> %SystemRoot%\win.ini -> [Ver = | Size = 679 bytes | Modified Date = 5/9/2007 6:46:16 PM | Attr = ]
WinSxS -> %SystemRoot%\WinSxS -> [Folder | Modified Date = 5/4/2007 9:25:02 AM | Attr = ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [Ver = | Size = 6 bytes | Modified Date = 5/25/2007 10:02:16 AM | Attr = H ]
5642.bat -> %System32%\5642.bat -> [Ver = | Size = 167 bytes | Modified Date = 5/4/2007 1:08:42 AM | Attr = ]
avgwlntf.dll -> %System32%\avgwlntf.dll -> GRISOFT, s.r.o. [Ver = 7.5.0.446 | Size = 9216 bytes | Modified Date = 5/20/2007 10:27:18 AM | Attr = ]
CatRoot -> %System32%\CatRoot -> [Folder | Modified Date = 5/20/2007 10:16:54 AM | Attr = ]
CatRoot2 -> %System32%\CatRoot2 -> [Folder | Modified Date = 5/24/2007 5:30:04 PM | Attr = ]
dllcache -> %System32%\dllcache -> [Folder | Modified Date = 5/23/2007 8:16:18 AM | Attr = RHS]
drivers -> %System32%\drivers -> [Folder | Modified Date = 5/20/2007 10:27:18 AM | Attr = ]
FNTCACHE.DAT -> %System32%\FNTCACHE.DAT -> [Ver = | Size = 208896 bytes | Modified Date = 5/7/2007 7:59:58 AM | Attr = ]
MRT.INI -> %System32%\MRT.INI -> [Ver = | Size = 118 bytes | Modified Date = 5/9/2007 6:42:50 PM | Attr = ]
MSINET.oca -> %System32%\MSINET.oca -> [Ver = | Size = 29184 bytes | Modified Date = 4/26/2007 12:30:14 AM | Attr = ]
perfc009.dat -> %System32%\perfc009.dat -> [Ver = | Size = 54280 bytes | Modified Date = 5/16/2007 2:01:40 PM | Attr = ]
perfh009.dat -> %System32%\perfh009.dat -> [Ver = | Size = 384596 bytes | Modified Date = 5/16/2007 2:01:40 PM | Attr = ]
PerfStringBackup.INI -> %System32%\PerfStringBackup.INI -> [Ver = | Size = 442244 bytes | Modified Date = 5/16/2007 2:01:40 PM | Attr = ]
SBO -> %System32%\SBO -> [Folder | Modified Date = 5/19/2007 9:26:52 PM | Attr = ]
setup9x.exe -> %System32%\setup9x.exe -> w00t [Ver = 1.00 | Size = 32768 bytes | Modified Date = 5/4/2007 1:07:48 AM | Attr = ]
smpi1 -> %System32%\smpi1 -> [Folder | Modified Date = 5/19/2007 9:27:00 PM | Attr = ]
taskkill.exe -> %System32%\taskkill.exe -> [Ver = | Size = 0 bytes | Modified Date = 5/4/2007 1:07:44 AM | Attr = ]
vbzip10.dll -> %System32%\vbzip10.dll -> Info-ZIP [Ver = 2.3 | Size = 147456 bytes | Modified Date = 5/4/2007 1:07:34 AM | Attr = ]
wbem -> %System32%\wbem -> [Folder | Modified Date = 5/16/2007 2:01:40 PM | Attr = ]
wpa.dbl -> %System32%\wpa.dbl -> [Ver = | Size = 1158 bytes | Modified Date = 5/25/2007 10:03:28 AM | Attr = ]
avg7core.sys -> %System32%\drivers\avg7core.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.467 | Size = 777984 bytes | Modified Date = 5/20/2007 10:27:14 AM | Attr = ]
avg7rsw.sys -> %System32%\drivers\avg7rsw.sys -> GRISOFT, s.r.o. [Ver = 7,0,0,340 | Size = 4224 bytes | Modified Date = 5/20/2007 10:27:14 AM | Attr = ]
avg7rsxp.sys -> %System32%\drivers\avg7rsxp.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.442 | Size = 27776 bytes | Modified Date = 5/20/2007 10:27:16 AM | Attr = ]
avgclean.sys -> %System32%\drivers\avgclean.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 3968 bytes | Modified Date = 5/20/2007 10:27:18 AM | Attr = ]
avgmfx86.sys -> %System32%\drivers\avgmfx86.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.447 | Size = 19840 bytes | Modified Date = 5/20/2007 10:27:16 AM | Attr = ]
core.cache.dsk -> %System32%\drivers\core.cache.dsk -> [Ver = | Size = 193055 bytes | Modified Date = 5/4/2007 1:08:26 AM | Attr = ]
core.sys -> %System32%\drivers\core.sys -> [Ver = | Size = 72320 bytes | Modified Date = 5/4/2007 1:08:24 AM | Attr = ]

[File String Scan - Non-Microsoft Only]
WSUD , -> %System32%\ALSNDMGR.CPL -> Realtek Semiconductor Corp. [Ver = 2.2.0.34 | Size = 16121856 bytes | Modified Date = 9/20/2004 4:20:44 PM | Attr = ]
PEC2 , -> %System32%\dfrg.msc -> [Ver = | Size = 41397 bytes | Modified Date = 8/16/2003 2:40:04 AM | Attr = ]
PTech , -> %System32%\igfxhcsy.lhp -> [Ver = | Size = 59914 bytes | Modified Date = 8/20/2004 4:56:24 PM | Attr = ]
winsync , -> %System32%\wbdbase.deu -> [Ver = | Size = 1309184 bytes | Modified Date = 8/15/2003 9:41:44 PM | Attr = ]
UPX! , FSG! , PEC2 , aspack , -> %System32%\drivers\avg7core.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.467 | Size = 777984 bytes | Modified Date = 5/20/2007 10:27:14 AM | Attr = ]
PTech , -> %System32%\drivers\mtlstrm.sys -> Smart Link [Ver = 3.80.01MC15 | Size = 1309184 bytes | Modified Date = 8/4/2004 12:41:38 AM | Attr = ]

< End of report >

#8 UNCLE_CT


Posted 25 May 2007 - 06:57 PM

There are 2 kinds of pop-ups I am getting. One is a normal sized and looking web page. The URL is listed below. It goes to that and says "it can not find/connect to site". Once in a while it will get past this link below and forward on to many different sites of advertisement.

http://url.cpvfeed.com/cpv.jsp?p=110830&ip=64.53.197.85&url=http%3A%2F%2Fwww.yahoo.com%2F&selectedKeyword=yahoo&selectedListingId=3585589

The other pop-up I am getting is smaller and lands in the middle of the screen. It has no URL or a place to type one in. It normally shows up when I do any kind of search and it gives me options on that pop-up for whatever it is I'm searching for. I have not downloaded any search engines or toolbars (Google, Yahoo, etc.), so I'm not sure where it came from. Maybe I got to find spam-free porn sites, lol.

As I was typing this post, this came up...

http://url.cpvfeed.com/cpv.jsp?p=110830&ip=64.53.197.85&url=http%3A%2F%2Fwww.bleepingcomputer.com%2Fforums%2Findex.php%3Fshowtopic%3D92861%26st%3D0%26gopid%3D530283%26%23entry530283&selectedKeyword=ron&selectedListingId=6356278

On both links above I deleted the "[" at the end of the link so it would show it all in the post without you having to click on the link.

Edited by UNCLE_CT, 25 May 2007 - 07:00 PM.


#9 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:11:57 AM

Posted 25 May 2007 - 07:56 PM

Hi UNCLE_CT. The ads are coming from a driver related to Zedo and cpvfeed.com. Let's see if we can't clean this up.

First, please print these directions so they will be available to you (we will be rebooting into Safe Mode during the fix).

Next, follow the steps below in order:

Step #1

Download AVG anti-spyware from HERE and save that file to your desktop.
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen, under "How to act" select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.

Step #2

Now start WinPFind3U. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Internet Explorer Bars [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YN -> {32683183-48a0-441b-a342-7c2a440a9478} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
YN -> {EBE3E634-1C1F-42c2-A00D-81AFEDE78438} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
YN -> WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
[Files/Folders - Created Within 30 days]
NY -> setup9x.exe -> %System32%\setup9x.exe
NY -> smpi1 -> %System32%\smpi1
NY -> core.cache.dsk -> %System32%\drivers\core.cache.dsk
[Files/Folders - Modified Within 30 days]
NY -> setup9x.exe -> %System32%\setup9x.exe
NY -> smpi1 -> %System32%\smpi1
NY -> core.cache.dsk -> %System32%\drivers\core.cache.dsk
NY -> core.sys -> %System32%\drivers\core.sys
[Empty Temp Folders]
[Reboot]


The fix should only take a very short time. You will be asked to reboot when the fix is finished. Choose Yes and reboot into Safe Mode as shown below.

Reboot into Safe Mode by doing the following:
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #3

Launch AVG Anti-Spyware by double-clicking the icon on your desktop.

IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning; it may interfere with the scanning process:
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
    • Make sure that Set all elements to: shows Quarantine, if not click on the link and choose Quarantine from the popup menu.
    • At the bottom of the window click on the "Apply all actions" button
    Note: Don't save the report before you hit the Apply action button.
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.
Step #4

Post the following back here:
  • a new WinPFind3U report. This time, in the Driver Services group change the selection to Non-Microsoft. Leave all of the other settings as the defaults.
  • the AVG Anti-Spyware report
  • the latest .log file from the WinPFind3u folder (it will be a .log file and have a date_time name in the format mmddyyyy_hhmmss.log)
I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
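The call above (two recently dropped files under the drivers folder with no vendor and no version, core.sys and core.cache.dsk) can be written down as a small triage rule over WinPFind3U file entries. This is an added example, not one of OldTimer's tools; the sample lines are copied from the report posted earlier in this thread, and the 30-day window, the 5/25/2007 scan date and the rule itself are my assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# One WinPFind3U file line:  name -> path -> [vendor ][Key = value | ... ]
ENTRY_RE = re.compile(
    r"^(?P<name>.+?) -> (?P<path>.+?) -> (?P<vendor>[^\[]*)\[(?P<fields>[^\]]*)\]\s*$"
)
DATE_FMT = "%m/%d/%Y %I:%M:%S %p"   # e.g. 5/4/2007 1:08:24 AM

# Constructed sample: lines copied from the report quoted in this thread.
SAMPLE_REPORT = r"""[Files/Folders - Modified Within 30 days]
vbzip10.dll -> %System32%\vbzip10.dll -> Info-ZIP [Ver = 2.3 | Size = 147456 bytes | Modified Date = 5/4/2007 1:07:34 AM | Attr = ]
wbem -> %System32%\wbem -> [Folder | Modified Date = 5/16/2007 2:01:40 PM | Attr = ]
avg7core.sys -> %System32%\drivers\avg7core.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.467 | Size = 777984 bytes | Modified Date = 5/20/2007 10:27:14 AM | Attr = ]
core.cache.dsk -> %System32%\drivers\core.cache.dsk -> [Ver = | Size = 193055 bytes | Modified Date = 5/4/2007 1:08:26 AM | Attr = ]
core.sys -> %System32%\drivers\core.sys -> [Ver = | Size = 72320 bytes | Modified Date = 5/4/2007 1:08:24 AM | Attr = ]
"""

@dataclass
class Entry:
    name: str
    path: str
    vendor: str
    version: str
    size: Optional[int]
    modified: Optional[datetime]
    is_folder: bool

def parse_entry(line: str) -> Optional[Entry]:
    """Parse one report line; section headers and blank lines give None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    fields, is_folder = {}, False
    for part in m.group("fields").split(" | "):
        key, sep, value = part.partition("=")
        if not sep:                        # bare "Folder" marker, no key
            is_folder = part.strip() == "Folder"
            continue
        fields[key.strip()] = value.strip()
    size = None
    if fields.get("Size", "").endswith("bytes"):
        size = int(fields["Size"].split()[0])
    date_str = fields.get("Modified Date") or fields.get("Created Date")
    modified = datetime.strptime(date_str, DATE_FMT) if date_str else None
    return Entry(m.group("name").strip(), m.group("path").strip(),
                 m.group("vendor").strip(), fields.get("Ver", ""),
                 size, modified, is_folder)

def suspicious_drivers(lines, scan_date: datetime, window_days: int = 30) -> List[str]:
    """Paths under the drivers folder with no vendor, no version, and a
    modification date within window_days before the scan (assumed rule)."""
    hits = []
    for line in lines:
        e = parse_entry(line)
        if e is None or e.is_folder or e.modified is None:
            continue
        in_drivers = "\\drivers\\" in e.path.lower()
        age = scan_date - e.modified
        recent = timedelta(0) <= age <= timedelta(days=window_days)
        if in_drivers and not e.vendor and not e.version and recent:
            hits.append(e.path)
    return hits

def triage_sample() -> List[str]:
    """Apply the rule to the sample as of the assumed 5/25/2007 scan date."""
    return suspicious_drivers(SAMPLE_REPORT.splitlines(), datetime(2007, 5, 25))
```

Vendor-stamped drivers such as avg7core.sys and folders such as wbem pass; only the two unattributed files under drivers are returned, matching the entries the fix script removes.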


#10 UNCLE_CT


Posted 29 May 2007 - 06:54 PM

I downloaded the AVG and I tried to update it. It has now been 6 hours and it has not fully uploaded. I know it doesn't take that long.

#11 OldTimer


Posted 29 May 2007 - 07:25 PM

Hi UNCLE_CT. Try this one instead:

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
Cheers.

OT


#12 UNCLE_CT


Posted 02 June 2007 - 01:03 PM

These are the 2 items the Dr. Web test found:

index[3].htm;C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WRM9MDEB;VBS.Psyme.401;Deleted.;

KillWind.exe;C:\hp\bin;Tool.ProcessKill;Incurable.Deleted.;

I am still getting the same random windows popping up. So far no changes.

#13 OldTimer


Posted 02 June 2007 - 08:21 PM

Hi UNCLE_CT. Let's see the WinPFind3u fix log and the new scan report.

Cheers.

OT


#14 UNCLE_CT


Posted 05 June 2007 - 09:57 AM

This seemed to fix my problems.

Here is the "WinPFind3" new log file.

WinPFind3 logfile created on: 6/5/2007 9:47:54 AM
WinPFind3U by OldTimer - Version 1.0.38 Folder = C:\Documents and Settings\Owner\Desktop\New Folder\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 7.0.5730.11)

247.48 Mb Total Physical Memory | 83.02 Mb Available Physical Memory | 33.54% Memory free
606.32 Mb Paging File | 371.18 Mb Available in Paging File | 61.22% Paging File free
Paging file location(s): C:\pagefile.sys 372 744;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 70.44 Gb Total Space | 58.46 Gb Free Space | 82.99% Space Free
Drive D: | 4.07 Gb Total Space | 0.69 Gb Free Space | 16.98% Space Free
Drive E: | 446.08 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free
F: Drive not present or media not loaded

Computer Name: YOUR-2S4KN5K0H3
Current User Name: Owner
Logged in as Administrator.
Current Boot Mode: Normal


[Processes - Non-Microsoft Only]
avgas.exe -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\avgas.exe -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 50 | Size = 6266880 bytes | Modified Date = 10/7/2006 7:20:00 AM | Attr = ]
guard.exe -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 47 | Size = 204800 bytes | Modified Date = 9/28/2006 9:13:20 AM | Attr = ]
pokerstars.exe -> %ProgramFiles%\PokerStars\PokerStars.exe -> PokerStars [Ver = 2.1.8.8 | Size = 3651104 bytes | Modified Date = 5/7/2007 11:54:06 AM | Attr = ]
winpfind3u.exe -> %UserDesktop%\New Folder\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.38.0 | Size = 318976 bytes | Modified Date = 5/22/2007 6:27:40 PM | Attr = ]

[Win32 Services - Non-Microsoft Only]
(AVG Anti-Spyware Guard) AVG Anti-Spyware Guard [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 47 | Size = 204800 bytes | Modified Date = 9/28/2006 9:13:20 AM | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 8/4/2004 2:56:48 AM | Attr = ]
(Pml Driver HPZ12) Pml Driver HPZ12 [Win32_Own | Disabled | Stopped] -> %System32%\hpzipm12.exe -> HP [Ver = 7, 0, 0, 0 | Size = 65795 bytes | Modified Date = 1/5/2004 2:27:32 AM | Attr = ]
(SNDSrvc) Symantec Network Drivers Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Symantec Shared\SNDSrvc.exe -> Symantec Corporation [Ver = 5.5.1.6 | Size = 206552 bytes | Modified Date = 4/5/2005 12:17:22 PM | Attr = ]

[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
!AVG Anti-Spyware -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\avgas.exe -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 50 | Size = 6266880 bytes | Modified Date = 10/7/2006 7:20:00 AM | Attr = ]
< OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\
IMAIL -> Installed = 1 ->
MAPI -> Installed = 1 ->
MSFS -> Installed = 1 ->
< ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
{57B86673-276A-48B2-BAE7-C6DBB3020EB8} [HKLM] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll [AVG Anti-Spyware 7.5] -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 47 | Size = 73728 bytes | Modified Date = 9/28/2006 9:13:28 AM | Attr = ]
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< CurrentVersion Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 ->
< CurrentVersion Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableTaskMgr -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools -> 0 ->
< HOSTS File > (734 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts
127.0.0.1 localhost -> ->
< Internet Explorer Settings > ->
HKLM: Local Page -> %SystemRoot%\system32\blank.htm ->
HKLM: Start Page -> about:blank ->
HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKLM: SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm ->
HKCU: Local Page -> \blank.htm ->
HKCU: Search Page -> http://www.msn.com/access/allinone.asp ->
HKCU: Start Page -> http://www.yahoo.com/ ->
HKCU: ProxyEnable -> 0 ->
< Trusted Sites > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
msn.com [ - ] -> ->
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\
{C4B24B45-B772-450A-8E6C-A37195A37C21} -> (Realtek RTL8139/810x Family Fast Ethernet NIC) ->
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\
cetihpz -> %ProgramFiles%\HP\hpcoretech\comp\hpuiprot.dll -> Hewlett-Packard Company [Ver = 2.1.6.2 | Size = 81920 bytes | Modified Date = 1/12/2005 2:54:56 PM | Attr = ]
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
{233C1507-6A77-46A4-9443-F871F945D258} -> Shockwave ActiveX Control - CodeBase = http://download.macromedia.com/pub/shockwa...director/sw.cab ->
{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} -> BDSCANONLINE Control - CodeBase = http://download.bitdefender.com/resources/scan8/oscan8.cab ->


[Files/Folders - Created Within 30 days]
Config.Msi -> %SystemDrive%\Config.Msi -> [Folder | Created Date = 5/20/2007 11:04:35 AM | Attr = HS]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 259575808 bytes | Created Date = 1/1/1601 6:00:00 AM | Attr = HS]
VundoFix Backups -> %SystemDrive%\VundoFix Backups -> [Folder | Created Date = 5/23/2007 1:10:29 PM | Attr = ]
$NtUninstallKB927891$ -> %SystemRoot%\$NtUninstallKB927891$ -> [Folder | Created Date = 5/23/2007 7:16:13 AM | Attr = H ]
$NtUninstallKB930916$ -> %SystemRoot%\$NtUninstallKB930916$ -> [Folder | Created Date = 5/9/2007 5:43:25 PM | Attr = H ]
BDOSCAN8 -> %SystemRoot%\BDOSCAN8 -> [Folder | Created Date = 5/19/2007 5:16:54 PM | Attr = ]
MRT.INI -> %System32%\MRT.INI -> [Ver = | Size = 118 bytes | Created Date = 5/9/2007 5:42:48 PM | Attr = ]
AvgAsCln.sys -> %System32%\drivers\AvgAsCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 3968 bytes | Created Date = 5/29/2007 2:04:32 PM | Attr = ]

[Files/Folders - Modified Within 30 days]
Config.Msi -> %SystemDrive%\Config.Msi -> [Folder | Modified Date = 5/21/2007 9:08:40 AM | Attr = HS]
Documents and Settings -> %SystemDrive%\Documents and Settings -> [Folder | Modified Date = 6/4/2007 9:27:32 PM | Attr = ]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 259575808 bytes | Modified Date = 6/5/2007 8:43:48 AM | Attr = HS]
Program Files -> %ProgramFiles% -> [Folder | Modified Date = 6/2/2007 5:01:10 PM | Attr = ]
VundoFix Backups -> %SystemDrive%\VundoFix Backups -> [Folder | Modified Date = 5/23/2007 2:10:30 PM | Attr = ]
WINDOWS -> %SystemRoot% -> [Folder | Modified Date = 6/4/2007 9:26:14 PM | Attr = ]
$hf_mig$ -> %SystemRoot%\$hf_mig$ -> [Folder | Modified Date = 5/23/2007 8:15:50 AM | Attr = H ]
$NtUninstallKB927891$ -> %SystemRoot%\$NtUninstallKB927891$ -> [Folder | Modified Date = 5/23/2007 8:16:16 AM | Attr = H ]
$NtUninstallKB930916$ -> %SystemRoot%\$NtUninstallKB930916$ -> [Folder | Modified Date = 5/9/2007 6:43:28 PM | Attr = H ]
BDOSCAN8 -> %SystemRoot%\BDOSCAN8 -> [Folder | Modified Date = 5/19/2007 10:00:52 PM | Attr = ]
bootstat.dat -> %SystemRoot%\bootstat.dat -> [Ver = | Size = 2048 bytes | Modified Date = 6/5/2007 8:43:50 AM | Attr = S]
Debug -> %SystemRoot%\Debug -> [Folder | Modified Date = 5/9/2007 6:41:26 PM | Attr = ]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files -> [Folder | Modified Date = 5/24/2007 5:30:06 PM | Attr = S]
eReg.dat -> %SystemRoot%\eReg.dat -> [Ver = | Size = 1218 bytes | Modified Date = 6/2/2007 5:11:12 PM | Attr = ]
ie7updates -> %SystemRoot%\ie7updates -> [Folder | Modified Date = 5/9/2007 6:47:54 PM | Attr = ]
imsins.BAK -> %SystemRoot%\imsins.BAK -> [Ver = | Size = 1355 bytes | Modified Date = 5/9/2007 6:48:40 PM | Attr = ]
inf -> %SystemRoot%\inf -> [Folder | Modified Date = 5/23/2007 8:16:26 AM | Attr = H ]
Installer -> %SystemRoot%\Installer -> [Folder | Modified Date = 5/20/2007 2:49:28 PM | Attr = HS]
ka.ini -> %SystemRoot%\ka.ini -> [Ver = | Size = 94 bytes | Modified Date = 5/15/2007 10:25:04 AM | Attr = ]
network diagnostic -> %SystemRoot%\network diagnostic -> [Folder | Modified Date = 5/20/2007 9:40:34 AM | Attr = ]
PowerReg.dat -> %SystemRoot%\PowerReg.dat -> [Ver = | Size = 221 bytes | Modified Date = 5/22/2007 8:56:06 AM | Attr = ]
Prefetch -> %SystemRoot%\Prefetch -> [Folder | Modified Date = 6/4/2007 6:50:48 PM | Attr = ]
system -> %SystemRoot%\system -> [Folder | Modified Date = 5/26/2007 5:57:20 PM | Attr = ]
system32 -> %System32% -> [Folder | Modified Date = 6/4/2007 9:23:18 PM | Attr = ]
Tasks -> %SystemRoot%\Tasks -> [Folder | Modified Date = 5/20/2007 10:56:38 AM | Attr = S]
Temp -> %SystemRoot%\Temp -> [Folder | Modified Date = 6/5/2007 8:44:12 AM | Attr = ]
win.ini -> %SystemRoot%\win.ini -> [Ver = | Size = 679 bytes | Modified Date = 5/9/2007 6:46:16 PM | Attr = ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [Ver = | Size = 6 bytes | Modified Date = 6/5/2007 8:43:52 AM | Attr = H ]
CatRoot -> %System32%\CatRoot -> [Folder | Modified Date = 5/20/2007 10:16:54 AM | Attr = ]
CatRoot2 -> %System32%\CatRoot2 -> [Folder | Modified Date = 6/4/2007 11:25:42 AM | Attr = ]
dllcache -> %System32%\dllcache -> [Folder | Modified Date = 5/23/2007 8:16:18 AM | Attr = RHS]
drivers -> %System32%\drivers -> [Folder | Modified Date = 5/29/2007 3:04:34 PM | Attr = ]
FNTCACHE.DAT -> %System32%\FNTCACHE.DAT -> [Ver = | Size = 208896 bytes | Modified Date = 5/7/2007 7:59:58 AM | Attr = ]
MRT.INI -> %System32%\MRT.INI -> [Ver = | Size = 118 bytes | Modified Date = 5/9/2007 6:42:50 PM | Attr = ]
perfc009.dat -> %System32%\perfc009.dat -> [Ver = | Size = 54280 bytes | Modified Date = 5/16/2007 2:01:40 PM | Attr = ]
perfh009.dat -> %System32%\perfh009.dat -> [Ver = | Size = 384596 bytes | Modified Date = 5/16/2007 2:01:40 PM | Attr = ]
PerfStringBackup.INI -> %System32%\PerfStringBackup.INI -> [Ver = | Size = 442244 bytes | Modified Date = 5/16/2007 2:01:40 PM | Attr = ]
SBO -> %System32%\SBO -> [Folder | Modified Date = 5/19/2007 9:26:52 PM | Attr = ]
wbem -> %System32%\wbem -> [Folder | Modified Date = 5/16/2007 2:01:40 PM | Attr = ]
wpa.dbl -> %System32%\wpa.dbl -> [Ver = | Size = 1158 bytes | Modified Date = 6/5/2007 8:44:30 AM | Attr = ]

[File String Scan - Non-Microsoft Only]
WSUD , -> %System32%\ALSNDMGR.CPL -> Realtek Semiconductor Corp. [Ver = 2.2.0.34 | Size = 16121856 bytes | Modified Date = 9/20/2004 4:20:44 PM | Attr = ]
PEC2 , -> %System32%\dfrg.msc -> [Ver = | Size = 41397 bytes | Modified Date = 8/16/2003 2:40:04 AM | Attr = ]
PTech , -> %System32%\igfxhcsy.lhp -> [Ver = | Size = 59914 bytes | Modified Date = 8/20/2004 4:56:24 PM | Attr = ]
winsync , -> %System32%\wbdbase.deu -> [Ver = | Size = 1309184 bytes | Modified Date = 8/15/2003 9:41:44 PM | Attr = ]
PTech , -> %System32%\drivers\mtlstrm.sys -> Smart Link [Ver = 3.80.01MC15 | Size = 1309184 bytes | Modified Date = 8/4/2004 12:41:38 AM | Attr = ]

< End of report >

#15 OldTimer


Posted 05 June 2007 - 11:40 AM

Hi UNCLE_CT. Everything looks fine. I don't see any more signs of malware.

You are good to go :thumbsup:

Cheers.

OT
