Troj Vundo.Be Help!



#1 johnbon07 (New Member)
Here is my HijackThis log. I am using Windows XP. The trojan I have is named TROJ_VUNDO.BE. Please help me get rid of the annoying thing. I've run an AVG Free anti-virus scan and it didn't get rid of it. I also have Trend Micro PC-cillin and it sucks. Let me know if I need to include anything else with this log.

Logfile of HijackThis v1.99.1
Scan saved at 9:59:19 PM, on 8/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft...p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...p...ER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsof...search.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\AsstCommon\motmon.exe
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [fc5e9f5d.exe] C:\WINDOWS\system32\fc5e9f5d.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [aldefr ere service] tay0x.exe
O4 - HKCU\..\Run: [MSNPluginSrvcs] p6.exe
O4 - HKCU\..\Run: [fc5e9f5d.exe] C:\Documents and Settings\Owner\Local Settings\Application Data\fc5e9f5d.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.fujitsupc.com/
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.....cab?refid=1123
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,21/mcgdmgr.cab
O23 - Service: Airgo Networks NIC Service (ANISERVICE) - Airgo Networks, Inc. - C:\WINDOWS\System32\aniServ.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


#2 Noviciate (Confused Helper, Malware Removal)
Your HJT log is missing a chunk: the Running Processes section.
Rename hijackthis.exe to lookfor.exe and post a fresh HJT log. Some infections target hijackthis.exe when it is trying to produce a log, and this is one way round it.

Also, run HJT and click on Open the Misc Tools section.
In the next window, click on Open Uninstall Manager...
In the final window, click on Save list... and save it to your Desktop.
Copy and paste the file uninstall_list.txt into your next reply.

#3 johnbon07 (Topic Starter)
Here is the new HJT log and uninstall_list.txt file.

Logfile of HijackThis v1.99.1
Scan saved at 5:28:11 PM, on 8/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft...p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...p...ER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsof...search.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {275731FF-C322-40C3-87E7-E432069C69F7} - C:\WINDOWS\system32\wvwwt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00309} - C:\WINDOWS\g1714124.dll (file missing)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\AsstCommon\motmon.exe
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [fc5e9f5d.exe] C:\WINDOWS\system32\fc5e9f5d.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [aldefr ere service] tay0x.exe
O4 - HKCU\..\Run: [MSNPluginSrvcs] p6.exe
O4 - HKCU\..\Run: [fc5e9f5d.exe] C:\Documents and Settings\Owner\Local Settings\Application Data\fc5e9f5d.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.fujitsupc.com/
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.....cab?refid=1123
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,21/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winilb32 - winilb32.dll (file missing)
O20 - Winlogon Notify: wvwwt - C:\WINDOWS\system32\wvwwt.dll
O23 - Service: Airgo Networks NIC Service (ANISERVICE) - Airgo Networks, Inc. - C:\WINDOWS\System32\aniServ.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Uninstall_list.txt File:

Adobe Acrobat 5.0
Adobe Image Viewer Plugin 4.0
Adobe Photoshop Album
Adobe Photoshop Elements 2.0
AOL Instant Messenger
AVG Free Edition
Belkin Wireless Client Utility
Desktop Weather by The Weather Channel
Fujitsu Hotkey Utility
Fujitsu Service Assistant
Full Tilt Poker
GDP 9
HijackThis 1.99.1
hp deskjet 5550 series
hp deskjet 5550 series (Remove only)
Install 6.1 Winbios
iPod for Windows 2006-03-23
iTunes
Kinkade Favorites Screen Saver
LifeBook Application Panel
LiveUpdate 2.0 (Symantec Corporation)
Lucent Technologies Soft Modem AMR
Macromedia Flash Player 8
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Office Standard Edition 2003
MSN Music Assistant
Norton Ghost 9.0
PC-Doctor for Windows
PC-Doctor WINDSAPI SDK
PRISM 11Mbps Wireless LAN for Windows
Quicken 2002 New User Edition
QuickTime
RTLSetup
Security Panel Application
Security Panel Application for Supervisor
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
SigmaTel AC97 Audio Drivers
Spybot - Search & Destroy 1.3
Trend Micro PC-cillin Internet Security 2005
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Weather Services
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
Yahoo! Photos Easy Upload Tool 1v6
Yahoo! Toolbar

Edited by johnbon07, 04 August 2006 - 04:29 PM.


#4 Noviciate (Confused Helper, Malware Removal)
First things first: the rule is one anti-virus and one firewall to a PC.
You have both AVG Free Edition and Trend Micro PC-cillin Internet Security 2005 installed. Pick your favourite and uninstall the other.
If you don't like Trend Micro, you will need a replacement firewall; there are a couple of free ones available.
Zone Alarm: Available here.
Kerio: Available here.

It is important to note that you should only have one firewall installed at a time, but you can download both to your Desktop and install each in turn to see which one you prefer.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Next, your log is not showing any running processes at all. There should be a list of them before the lines that start with "R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =". Are you editing the log at all?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I'll post this in two parts as it's easier for me.

You will need to make a copy of these instructions because you have to disconnect from the internet to complete the fix. Either print them out or copy and paste them into Notepad.

Preparation

1) Download VundoFix.exe from here and save it to your Desktop.

2) Log off from the internet and disconnect your modem cable for the duration of the fix.

Removal

1) Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying VundoFix will close and re-open in a minute or less - Click OK
  • When VundoFix re-opens, click the Scan for Vundo button.*
  • Once the scan is complete, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click YES, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
* Should VundoFix not re-open, reboot your PC and try again.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

You will need to make a copy of these instructions because you have to disconnect from the internet to complete the fix. Either print them out or copy and paste them into Notepad.

Preparation

1) Download the trial version of Ewido anti-spyware from here and save it to your Desktop.
If you already have this program installed, skip to Updating Ewido: below.

* Please note that these instructions are for the new version - Ewido anti-spyware. If you have the old version - Ewido anti-malware and it is the:
  • paid-for version - you will need to go here and obtain an updated license code before you upgrade.
  • free version - you will need to uninstall it and reboot before installing the new version.
Double click the ewido-setup file to begin installation and follow the prompts.
When the program has been installed, and you click the Finish button, Ewido anti-spyware will open.
  • Updating Ewido:

    By default Ewido is configured to update automatically so, if you have an active internet connection, it should do so following installation. If you are unsure whether or not it has done so, do the following:
  • Click the Update icon at the top and under "Manual Update" - click the Start update button.
  • Either Ewido will update or inform you that no update was available.
  • If you cannot access the internet with the infected PC, or you are having problems updating, you can download the signatures file from here.
    Once you have installed Ewido, double click ewido-signatures-full-current.exe to update it.

    Disabling the Resident Shield:
  • By default the Resident Shield is active but as it may interfere with the process of cleaning your PC, it will need to be disabled.
    (When the PC has been cleaned you can activate the shield again, if you wish.)
  • Click the Shield icon at the top and under "Resident shield is..." - click active.
  • This should now change to inactive.

    Changing Recommended Actions
  • Click the Scanner icon at the top and then click the Settings Tab.
  • Under "How to act?" click Recommended actions and select "Quarantine" from the menu.
You can now close Ewido anti-spyware.

Ewido anti-spyware is designed to be used to both scan for and remove malicious files and also to run in real-time alongside, but not replace, your existing anti-virus program to give an added layer of protection.
Both the Resident Shield and Automatic Updates will only be available for the thirty day trial period, after that Ewido will revert to a stand-alone scanner which you can keep and manually update for free and use in a similar way to Ad-Aware SE Personal, Spybot S&D etc.
Should you wish to benefit from the real-time protection, you will need to upgrade the program. To do this, simply open it and click on the Buy now button.


2) You will need to know how to boot into Safe Mode.
Instructions can be found here.

3) You will need to set Windows to show All Hidden Files and Folders.
Instructions can be found here.
** These files are hidden to stop you accidentally removing something important.
It is advisable to hide them again after fixing your computer. **

4) Log off from the internet and disconnect your modem cable for the duration of the fix.

Removal

1) Run HijackThis as you did to generate a log, but this time click on 'Do a system scan only'.
Place a checkmark in the boxes to the left of the following entries, by clicking on them:

O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00309} - C:\WINDOWS\g1714124.dll (file missing)

O4 - HKLM\..\Run: [fc5e9f5d.exe] C:\WINDOWS\system32\fc5e9f5d.exe
O4 - HKCU\..\Run: [fc5e9f5d.exe] C:\Documents and Settings\Owner\Local Settings\Application Data\fc5e9f5d.exe

O20 - Winlogon Notify: winilb32 - winilb32.dll (file missing)


CLOSE ALL OPEN WINDOWS AND BROWSERS - EXCEPT HJT and click on Fix checked

2) Boot into Safe Mode.

3) Ensure that ALL open Windows / Programs / Folders are closed and then run Ewido anti-spyware.
  • If it is not already selected, click the Scanner icon at the top and then select the Scan Tab.
  • Click "Complete System Scan"
  • While the scan is in progress the PC should be left otherwise idle - so if you fancy a cuppa, now's the time to put the kettle on!
  • When the scan has completed, any threats that Ewido has detected will be displayed.
  • Click the Apply all actions button at the bottom.
  • When Ewido has finished, it will display the message "All actions have been applied".

    Saving a report:
  • Click the Save Report button at the bottom left and the "Reports" window will open.
  • The content of the scan report will be displayed in the right hand pane and a copy will be automatically saved as Report-Scan-date-time.txt into the C:\Program Files\ewido anti-spyware 4.0\Reports folder.
  • You will need to post a copy of this report into your next reply, so if it is more convenient, you can save another copy of this report elsewhere:
    Click the Save report as button and select a destination by clicking the down arrow to the right of the Save in: text box and then click Save.
Close Ewido Anti-Spyware.

4) Remove any/all of the following files/folders that you can find:

Files

C:\WINDOWS\system32\fc5e9f5d.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\fc5e9f5d.exe


As an example:
To delete C:\WINDOWS\system32\filetogo.bye:
Double click the My Computer icon on your Desktop.
Double click on Local Disk (C:).
Double click on the WINDOWS folder.
Double click on the system32 folder.
Right click on filetogo.bye and, from the menu that appears, click on 'Delete'.


5) Navigate to the C:\Windows\Temp folder and delete all the files that you find there.
Do this for all Usernames.

6) Navigate to C:\Documents and Settings\Username\Local Settings\Temp and delete all the files that you find there.
Do this for all Usernames.

7) Go to Start > Control Panel > Internet Options and under Temporary Internet files, click on Delete Files...
Check the box to the left of 'Delete all offline content' and then click on OK.

8) Boot into Normal Mode.

Post a new HJT log, the contents of C:\vundofix.txt, the Ewido log AND a description of how your PC is running.
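What Noviciate does by eye in the post above (spot the dead registrations, the random hex-named autoruns, the bare filename in HKCU\Run, and the Winlogon Notify DLL that does not belong) can be written down as triage rules. The Python below is an added example for this thread, not code from any post here or from HijackThis itself. The Winlogon Notify allow-list, the "random name" threshold and the system32 listing are assumptions constructed for the example; the sample log lines are copied from the HJT log posted earlier. It goes one step past the thread by also looking for the reversed-basename companion files (wvwwt.dll next to twwvw.ini) that Vundo/Virtumonde variants drop beside their DLL.

```python
"""Triage HijackThis v1.99 log lines the way a malware-removal helper reads them.

Added example, not part of the thread or of HijackThis. Each rule is a review
prompt, not a verdict:
  * O2/O20 entries marked "(file missing)" are dead registrations that should
    still be fixed so nothing keeps trying to load them.
  * O2 BHOs with "(no name)" whose DLL sits under the Windows tree instead of a
    vendor folder.
  * O4 Run entries whose image is a bare filename (resolved by search path), has
    a random-looking 8-hex-digit name, or lives in a per-user writable folder.
  * O20 Winlogon Notify packages outside a small allow-list: a DLL registered
    here is loaded into winlogon.exe, which is how Vundo stayed resident.
  * Companion files whose basename is the reversed basename of a flagged DLL.
"""
import re
from dataclasses import dataclass, field

HJT_LINE = re.compile(r"^(?P<kind>O\d+|R\d) - (?P<body>.*)$")
O4_BODY = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[[^\]]*\] (?P<cmd>.*)$")
O2_PATH = re.compile(r"\} - (?P<path>.*)$")
HEX_NAME = re.compile(r"^[0-9a-f]{8}\.(?:exe|dll)$", re.I)

# Assumption: Winlogon Notify packages considered benign on a clean XP SP2 box.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "igfxcui", "scardsvr", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wgalogon", "wlballoon",
}


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def image_path(cmd):
    """Pull the image path out of an O4 command: quoted path, or up to the first .exe/.dll."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else None
    m = re.match(r"(.*?\.(?:exe|dll|scr|com|bat))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else None


def triage(log_text):
    """Return a Finding for every HJT line that trips at least one heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        reasons = []
        if kind in ("O2", "O20") and "(file missing)" in body:
            reasons.append("registered component no longer on disk")
        if kind == "O2":
            pm = O2_PATH.search(body)
            path = pm.group("path").replace("(file missing)", "").strip() if pm else ""
            if body.startswith("BHO: (no name)") and "\\windows\\" in path.lower():
                reasons.append("unnamed BHO loaded from the Windows directory")
        elif kind == "O4":
            o4 = O4_BODY.match(body)
            path = image_path(o4.group("cmd")) if o4 else None
            if path:
                name = path.rsplit("\\", 1)[-1]
                if "\\" not in path:
                    reasons.append("bare filename: resolved via search path, not a fixed location")
                if HEX_NAME.match(name):
                    reasons.append("random hex image name")
                if "\\local settings\\application data\\" in path.lower():
                    reasons.append("autorun from per-user writable directory")
        elif kind == "O20":
            pkg = body.split(":", 1)[1].split(" - ")[0].strip().lower()
            if pkg not in KNOWN_NOTIFY:
                reasons.append("unknown Winlogon Notify package (loaded into winlogon.exe)")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


def reversed_companions(dll_name, listing):
    """Files in `listing` whose stem is the reversed stem of dll_name (wvwwt -> twwvw)."""
    rev = dll_name.rsplit(".", 1)[0].lower()[::-1]
    return sorted(f for f in listing if f.lower().rsplit(".", 1)[0] == rev)


# Lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {275731FF-C322-40C3-87E7-E432069C69F7} - C:\WINDOWS\system32\wvwwt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00309} - C:\WINDOWS\g1714124.dll (file missing)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [fc5e9f5d.exe] C:\WINDOWS\system32\fc5e9f5d.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [aldefr ere service] tay0x.exe
O4 - HKCU\..\Run: [fc5e9f5d.exe] C:\Documents and Settings\Owner\Local Settings\Application Data\fc5e9f5d.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: winilb32 - winilb32.dll (file missing)
O20 - Winlogon Notify: wvwwt - C:\WINDOWS\system32\wvwwt.dll
"""

# Constructed directory listing standing in for C:\WINDOWS\system32 (assumption).
SAMPLE_SYSTEM32 = ["igfxsrvc.dll", "kernel32.dll", "wvwwt.dll", "twwvw.ini",
                   "twwvw.bak1", "twwvw.ini2", "twwvw.tmp"]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
    print("companions of wvwwt.dll:", reversed_companions("wvwwt.dll", SAMPLE_SYSTEM32))
```

Run as a script it prints each flagged line with its reasons. Apoint.exe, the AVG entry, SDHelper.dll and igfxcui pass because a vendor path or a known package is not by itself a reason; an entry that trips a rule still has to be checked against what is actually on disk before anyone ticks it in HijackThis, and the companion-file check is what tells you the DLL's .ini/.bak siblings need removing too.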

#5 johnbon07 (Topic Starter)
OK, about my HJT log: I'm not editing anything out of it. Is there a setting I must change in order to get the specific scan you are needing? Anyway, I went ahead with your instructions. They were very clear. I only got confused at one part, the segment that told me to navigate to C:\Windows\Temp and delete all files there. Am I supposed to delete EVERYTHING within that folder or just the specified files (i.e. C:\Windows\system32\fc5e9f5d.exe)? Because there looks to be a lot of stuff in there and I don't want to go aimlessly deleting things. So, if I do indeed need to delete EVERYTHING from C:\Windows\Temp as well as C:\Documents and Settings\Username\Local Settings\Temp, please let me know.
Also, should I have any trouble deleting Ewido or vundo.exe now that I am through with it?
Anyway, here is my new HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 11:39:15 AM, on 8/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft...p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...p...ER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsof...search.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {41F95D2D-94A0-46DC-8665-D529498E0834} - C:\WINDOWS\system32\wvwwt.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\AsstCommon\motmon.exe
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Documents and Settings\Owner\Desktop\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [aldefr ere service] tay0x.exe
O4 - HKCU\..\Run: [MSNPluginSrvcs] p6.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.fujitsupc.com/
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.....cab?refid=1123
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,21/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Airgo Networks NIC Service (ANISERVICE) - Airgo Networks, Inc. - C:\WINDOWS\System32\aniServ.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Documents and Settings\Owner\Desktop\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Here are the contents of VundoFix:


VundoFix V5.1.6

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Sun Java not detected
Scan started at 3:21:11 AM 8/5/2006

Listing files found while scanning....

C:\windows\system32\wvwwt.dll
C:\windows\system32\twwvw.ini
C:\windows\system32\twwvw.bak1
C:\windows\system32\twwvw.bak2
C:\windows\system32\twwvw.ini2
C:\windows\system32\twwvw.tmp

Beginning removal...

The process smss.exe was successfully stopped

The process winlogon.exe was successfully stopped

The process explorer.exe was successfully stopped

The process iexplore.exe was successfully stopped

The process rundll32.exe was successfully stopped

Attempting to delete C:\windows\system32\wvwwt.dll
C:\windows\system32\wvwwt.dll Has been deleted!

Attempting to delete C:\windows\system32\twwvw.ini
C:\windows\system32\twwvw.ini Has been deleted!

Attempting to delete C:\windows\system32\twwvw.bak1
C:\windows\system32\twwvw.bak1 Has been deleted!

Attempting to delete C:\windows\system32\twwvw.bak2
C:\windows\system32\twwvw.bak2 Has been deleted!

Attempting to delete C:\windows\system32\twwvw.ini2
C:\windows\system32\twwvw.ini2 Has been deleted!

Attempting to delete C:\windows\system32\twwvw.tmp
C:\windows\system32\twwvw.tmp Has been deleted!

Performing Repairs to the registry.
Done!


Here is the Ewido log:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:02:43 AM 8/5/2006

+ Scan result:



C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Adware.Aws : Cleaned with backup (quarantined).
HKU\S-1-5-21-2647865256-1256799619-874574627-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{873EB32D-AE1A-4183-89BD-45A77F761BE4} -> Adware.Generic : Cleaned with backup (quarantined).
C:\VundoFix Backups\wvwwt.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
HKU\S-1-5-21-2647865256-1256799619-874574627-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2178F3FB-2560-458F-BDEE-631E2FE0DFE4} -> Adware.WinAntiVirus : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Addynamix : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Goclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).


::Report end

My PC seems to be running just fine, but then again, what do I know. Obviously if I knew enough I wouldn't have to come here for help. LOL

Anyways, please respond to my aforementioned inquiries. Thanks

#6
Noviciate
The Temp folders contain files that are temporary in nature - makes sense, doesn't it? :whistling:
If an application needs a file for a short time, it places it in one of the Temp folders and should, in theory, delete it once it has finished with it. As you have found, a lot of stuff just gets dumped!
Malware also likes to hide stuff in these folders, which is why they get cleaned out as part of an overall clean up.
If any of these files are required, they will just be recreated, so don't worry about removing anything important.
Remove all the files you can find in Safe Mode - just don't delete the folders themselves!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Run HijackThis as you did to generate a log, but this time click on 'Do a system scan only'.
Place a checkmark in the boxes to the left of the following entries, by clicking on them:

O2 - BHO: (no name) - {41F95D2D-94A0-46DC-8665-D529498E0834} - C:\WINDOWS\system32\wvwwt.dll (file missing)

CLOSE ALL OPEN WINDOWS AND BROWSERS - EXCEPT HJT and click on Fix checked

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Also, should I have any trouble deleting ewido or vundo.exe now that I am through with it?

VundoFix can be deleted as it is important to always use the latest version when fixing this particular nasty.
It is your choice whether you keep Ewido or not, but it will uninstall via Add/Remove Programs quite easily.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I don't know why your HJT log is missing the Running Processes, so I've posted a question elsewhere and am waiting for a smart-arse to get back to me.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

EDIT:

1) Create a folder in the root of your C: drive and name it Blacklight.
A brief explanation of how to do this can be found here.

2) Download F-Secure's BlackLight from here and save it into this folder.

3) Log off from the internet and disconnect your modem cable.

4) Go to Start > Run, copy and paste the following into the text box and hit OK:
"C:\Blacklight\blbeta.exe" /expert

The F-Secure Blacklight Beta window should open.
  • Accept the agreement and click OK.
  • Click the Scan button to begin.
  • Leave the PC idle while the scan takes place.
  • When it has completed, click the Close button.
  • A text file, fsbl-date/time, will be saved in the Blacklight folder, copy and paste this into your next post.

Edited by Noviciate, 05 August 2006 - 01:52 PM.


#7
Noviciate
I've just had it pointed out to me that there are a couple of very nasty files in your log that I've managed to overlook - thanks random/random.
I got focused on Vundo and missed them completely - Sorry! :whistling:

The two nasties in question are W32/Rbot-XS and W32/Rbot-VJ - a definition of a backdoor trojan can be found here.

You need to deal with the possibility that any personal information stored on your PC or entered via your PC may now be known to a third party - this includes any passwords, account details, credit card numbers etc...
You should contact your bank and check for any unauthorized access to your funds.
You should also refrain from using this PC for any online banking or shopping until it can be cleaned up.

Download winpfind2.zip by OldTimer from here and save it to your Desktop.
You will need to unzip it before you run it.

To do this: Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish


Open the WinPFind2 folder that you should now see and double click winpfind2.exe to run it.
  • Click the Run All Scans button at the top.
  • When you see the Scans Complete! message at the bottom left, click the Simple Report button in the bottom right corner.
  • A Notepad window entitled WinPFind2.txt will open - when you close it, a copy will be saved into the WinPFind2 folder.
  • Copy and paste the contents of this file into your next reply, or if it is too big, add it as an attachment.


#8
johnbon07
Well, that's disappointing to learn about the new nasties. What should I do about the newly discovered W32/Rbot-XS and W32/Rbot-VJ?

Here is the Blacklight file.

08/08/06 19:55:10 [Info]: BlackLight Engine 1.0.42 initialized
08/08/06 19:55:10 [Info]: OS: 5.1 build 2600 (Service Pack 2)
08/08/06 19:55:10 [Note]: 7019 4
08/08/06 19:55:10 [Note]: 7005 0
08/08/06 19:56:03 [Note]: 7006 0
08/08/06 19:56:03 [Note]: 7011 2040
08/08/06 19:56:04 [Note]: 7026 0
08/08/06 19:56:04 [Note]: 7026 0
08/08/06 19:56:10 [Note]: FSRAW library version 1.7.1019
08/08/06 19:59:01 [Note]: 7007 0


And here is the Winpfind2 file.

Logfile created on: 08/08/2006 20:01
WinPFind2 by OldTimer - Version 1.0.2 Folder = C:\Documents and Settings\Owner\Desktop\winpfind2\WinPFind2\
Microsoft Windows XP (Version = Service Pack 2)
Internet Explorer (Version - 6.0.2900.2180)


<Processes>
c:\windows\system32\aniserv.exe - (Airgo Networks, Inc. )
c:\program files\apoint2k\apntex.exe - (Alps Electric Co., Ltd. )
c:\program files\apoint2k\apoint.exe - (Alps Electric Co., Ltd. )
c:\program files\fujitsu\btnhnd\btnhnd.exe - (FUJITSU LIMITED )
\??\c:\windows\system32\csrss.exe - (Microsoft Corporation )
c:\windows\system32\ctfmon.exe - (Microsoft Corporation )
c:\windows\explorer.exe - (Microsoft Corporation )
c:\program files\symantec\norton ghost\agent\ghosttray.exe - (Symantec Corporation )
c:\windows\system32\hkcmd.exe - (Intel Corporation )
c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe - (HP )
c:\program files\internet explorer\iexplore.exe - (Microsoft Corporation )
c:\windows\system32\igfxtray.exe - (Intel Corporation )
c:\program files\fujitsu\fujitsu hotkey utility\indicatoruty.exe - (FUJITSU LIMITED )
c:\program files\ipod\bin\ipodservice.exe - (Apple Computer, Inc. )
c:\program files\itunes\ituneshelper.exe - (Apple Computer, Inc. )
c:\windows\system32\lsass.exe - (Microsoft Corporation )
c:\windows\ltsmmsg.exe - (Lucent Technologies )
c:\program files\common files\microsoft shared\vs7debug\mdm.exe - (Microsoft Corporation )
c:\program files\motive\asstcommon\motmon.exe - (Motive Communications, Inc. )
c:\program files\trend micro\internet security 2005\pccguide.exe - (Trend Micro Incorporated. )
c:\progra~1\trendm~1\intern~1\pcctlcom.exe - (Trend Micro Incorporated. )
c:\program files\symantec\norton ghost\agent\pqv2isvc.exe - (Symantec Corporation )
c:\program files\quicktime\qttask.exe - (Apple Computer, Inc. )
c:\program files\fujitsu\application panel\quicktouch.exe - (FUJITSU LIMITED )
c:\windows\system32\services.exe - (Microsoft Corporation )
\systemroot\system32\smss.exe - (Microsoft Corporation )
c:\windows\system32\spoolsv.exe - (Microsoft Corporation )
c:\windows\system32\svchost.exe - (Microsoft Corporation )
c:\windows\system32\svchost.exe - (Microsoft Corporation )
c:\windows\system32\svchost.exe - (Microsoft Corporation )
c:\windows\system32\svchost.exe - (Microsoft Corporation )
c:\windows\system32\svchost.exe - (Microsoft Corporation )
c:\windows\system32\svchost.exe - (Microsoft Corporation )
c:\progra~1\trendm~1\intern~1\tmntsrv.exe - (Trend Micro Incorporated. )
c:\progra~1\trendm~1\intern~1\tmpfw.exe - (Trend Micro Inc. )
c:\progra~1\trendm~1\intern~1\tmproxy.exe - (Trend Micro Inc. )
c:\program files\viewpoint\viewpoint manager\viewmgr.exe - (Viewpoint Corporation )
c:\windows\system32\wdfmgr.exe - (Microsoft Corporation )
\??\c:\windows\system32\winlogon.exe - (Microsoft Corporation )
c:\documents and settings\owner\desktop\winpfind2\winpfind2\winpfind2.exe - (OldTimer Tools )

<Registry Entries>

Version Info
WinPFind2 by OldTimer - Version 1.0.2 -
Microsoft Windows XP Version = Service Pack 2 -
Internet Explorer Version = 6.0.2900.2180 -

Internet Explorer Settings
Start Page - http://www.microsoft...p...ER}&ar=home
Search Page - http://www.microsoft...amp;ar=iesearch
Default Page - http://www.microsoft...p...&ar=msnhome
Default Search - http://www.microsoft...amp;ar=iesearch
Local Page - C:\windows\system32\blank.htm
Start Page - http://www.google.com/
Search Page - http://www.microsoft...amp;ar=iesearch
Local Page - C:\windows\system32\blank.htm
ProxyEnable - 0
ProxyOverride -

BHO's
{02478D38-C3F9-4efb-9B51-7695ECA05670} - Yahoo! Companion BHO = C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_5_7_0.dll (Yahoo! Inc. )
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx ( )
{53707962-6F74-2D53-2644-206D7942484F} - = C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited )

Internet Explorer Bars, Toolbars and Extensions
{30D02401-6A81-11D0-8274-00C04FD5AE38} - Search Band = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
{32683183-48a0-441b-a342-7c2a440a9478} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
{4528BBE0-4E08-11D5-AD55-00010333D0AD} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
{BE8D0059-D24D-4919-B76F-99F4A2203647} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
{EFA24E61-B078-11D0-89E4-00C04FC9E26E} - Favorites Band = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation )
{EFA24E64-B078-11D0-89E4-00C04FC9E26E} - Explorer Band = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation )
{4528BBE0-4E08-11D5-AD55-00010333D0AD} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
{4D5C8C25-D075-11d0-B416-00C04FB90376} - &Tip of the Day = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation )
{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - &Yahoo! Companion = C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_5_7_0.dll (Yahoo! Inc. )
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - &Yahoo! Companion = C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_5_7_0.dll (Yahoo! Inc. )
{4528BBE0-4E08-11D5-AD55-00010333D0AD} - 8192 - Reg Data missing or invalid
{92780B25-18CC-41C8-B9BE-3C9C571A8263} - 8193 -
{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - 8194 -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - 8195 - Windows Messenger
NextId - 8196
{92780B25-18CC-41C8-B9BE-3C9C571A8263} - ButtonText: Research = (File not found))
{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - ButtonText: AIM = C:\Program Files\AIM\aim.exe (America Online, Inc. )
{FB5F1910-F110-11d2-BB9E-00C04F795683} - ButtonText: Messenger = C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation )
E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 (Microsoft Corporation )
.spop - = C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll (Intertrust Technologies, Inc. )

Approved Shell Extensions (Non-Microsoft only)
{0DF44EAA-FF21-4412-828E-260A8728E7F1} - Taskbar and Start Menu = Reg Data missing or invalid (File not found))
{32683183-48a0-441b-a342-7c2a440a9478} - Media Band = Reg Data missing or invalid (File not found))
{42071714-76d4-11d1-8b24-00a0c9068ff3} - Display Panning CPL Extension = deskpan.dll (File not found))
{48F45200-91E6-11CE-8A4F-0080C81A28D4} - TMD Shell Extension = C:\Program Files\Trend Micro\Internet Security 2005\Tmdshell.dll (Trend Micro Incorporated. )
{764BF0E1-F219-11ce-972D-00AA00A14F56} - Shell extensions for file compression = Reg Data missing or invalid (File not found))
{771A9DA0-731A-11CE-993C-00AA004ADB6C} - VBPropSheet = C:\Program Files\Trend Micro\Internet Security 2005\VBProp.dll (Trend Micro Incorporated. )
{7A9D77BD-5403-11d2-8785-2E0420524153} - User Accounts = Reg Data missing or invalid (File not found))
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} - Encryption Context Menu = Reg Data missing or invalid (File not found))
{88895560-9AA2-1069-930E-00AA0030EBC8} - HyperTerminal Icon Ext = C:\WINDOWS\System32\hticons.dll (Hilgraeve, Inc. )
{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} - iTunes = C:\Program Files\iTunes\iTunesMiniPlayer.dll (Apple Computer, Inc. )

ContextMenuHandlers (Non-Microsoft only)
{48F45200-91E6-11CE-8A4F-0080C81A28D4} - = C:\Program Files\Trend Micro\Internet Security 2005\Tmdshell.dll (Trend Micro Incorporated. )
{48F45200-91E6-11CE-8A4F-0080C81A28D4} - = C:\Program Files\Trend Micro\Internet Security 2005\Tmdshell.dll (Trend Micro Incorporated. )

ColumnHandlers (Non-Microsoft only)

Registry Run Keys
- (File not found))
Apoint - C:\Program Files\Apoint2K\Apoint.exe (Alps Electric Co., Ltd. )
HotKeysCmds - C:\WINDOWS\System32\hkcmd.exe (Intel Corporation )
HPDJ Taskbar Utility - C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe (HP )
IgfxTray - C:\WINDOWS\System32\igfxtray.exe (Intel Corporation )
IndicatorUtility - C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe (FUJITSU LIMITED )
iTunesHelper - "C:\Program Files\iTunes\iTunesHelper.exe" (Apple Computer, Inc. )
LoadBtnHnd - C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe (FUJITSU LIMITED )
LoadFujitsuQuickTouch - C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe (FUJITSU LIMITED )
LTSMMSG - LTSMMSG.exe (Lucent Technologies )
MotiveMonitor - C:\Program Files\Motive\AsstCommon\motmon.exe (Motive Communications, Inc. )
Norton Ghost 9.0 - C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe (Symantec Corporation )
pccguide.exe - "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe" (Trend Micro Incorporated. )
QuickTime Task - "C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Computer, Inc. )
ViewMgr - C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe (Viewpoint Corporation )
IMAIL - Installed = 1
MAPI - Installed = 1
MSFS - Installed = 1
aldefr ere service - tay0x.exe (File not found))
ctfmon.exe - C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation )
DW4 - (File not found))
MSNPluginSrvcs - p6.exe (File not found))

Startup Lnks
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc. )
desktop.ini - C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ( )
desktop.ini - C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop.ini ( )

Disabled MSConfig Items

User Agent Post Platform
SV1 -

AppInit DLLs
AppInit_DLLs - (File not found))

Image File Execution Options
Your Image File Name Here without a path - Debugger = ntsd -d

Shell Service Object Delay Load
CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll (Microsoft Corporation )
WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll (Microsoft Corporation )

Shell Execute Hooks
{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation )

Shared Task Scheduler
{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
{8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )

Winlogon
UserInit - C:\WINDOWS\system32\userinit.exe, (Microsoft Corporation )
Shell - Explorer.exe (Microsoft Corporation )
System - (File not found))
crypt32chain - crypt32.dll (Microsoft Corporation )
cryptnet - cryptnet.dll (Microsoft Corporation )
cscdll - cscdll.dll (Microsoft Corporation )
igfxcui - igfxsrvc.dll (Intel Corporation )
ScCertProp - wlnotify.dll (Microsoft Corporation )
Schedule - wlnotify.dll (Microsoft Corporation )
sclgntfy - sclgntfy.dll (Microsoft Corporation )
SensLogn - WlNotify.dll (Microsoft Corporation )
termsrv - wlnotify.dll (Microsoft Corporation )
WgaLogon - WgaLogon.dll (Microsoft Corporation )
wlballoon - wlnotify.dll (Microsoft Corporation )

DNS Name Servers
{3983B2AD-D2E0-4F3A-BF90-296C414D9280} - (Belkin Wireless Pre-N Notebook Network Card)
{39E49D73-F02B-417C-BB54-479BB3288F44} - (Intersil PRISM Wireless LAN PCI Card)
{547154FB-B5E3-4CF4-862F-1B94CAB5E51F} - ()
{6BF8CB4D-EE19-4799-A487-CD2A6D0D1712} - (Realtek RTL8139/810X Family PCI Fast Ethernet NIC)
{8C2149A2-5A03-4EDC-9776-2C8D47C04659} - (1394 Net Adapter)

Winsock2 Catalogs (Non-Microsoft only)

Protocol Handlers (Non-Microsoft only)
ipp - (File not found))
ipp - (File not found))
msdaipp - (File not found))
msdaipp - (File not found))

Protocol Filters (Non-Microsoft only)

<Services>
Airgo Networks NIC Service - ANISERVICE - Automatic - Running - C:\WINDOWS\System32\aniServ.exe (Airgo Networks, Inc. )
Windows Audio - AudioSrv - Automatic - Running - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
Background Intelligent Transfer Service - BITS - Automatic - Running - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
Cryptographic Services - CryptSvc - Automatic - Running - C:\WINDOWS\system32\svchost.exe -k netsvcs (Microsoft Corporation )
DCOM Server Process Launcher - DcomLaunch - Automatic - Running - C:\WINDOWS\system32\svchost -k DcomLaunch (Microsoft Corporation )
DHCP Client - Dhcp - Automatic - Running - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
DNS Client - Dnscache - Automatic - Running - C:\WINDOWS\System32\svchost.exe -k NetworkService (Microsoft Corporation )
Error Reporting Service - ERSvc - Automatic - Running - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
Event Log - Eventlog - Automatic - Running - C:\WINDOWS\system32\services.exe (Microsoft Corporation )
COM+ Event System - EventSystem - On Demand - Running - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
Fast User Switching Compatibility - FastUserSwitchingCompatibility - On Demand - Running - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
Help and Support - helpsvc - Automatic - Running - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
iPodService - iPodService - On Demand - Running - C:\Program Files\iPod\bin\iPodService.exe (Apple Computer, Inc. )
Infrared Monitor - Irmon - Automatic - Running - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
Server - lanmanserver - Automatic - Running - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
Workstation - lanmanworkstation - Automatic - Running - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
TCP/IP NetBIOS Helper - LmHosts - Automatic - Running - C:\WINDOWS\System32\svchost.exe -k LocalService (Microsoft Corporation )
Machine Debug Manager - MDM - Automatic - Running - "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE" (Microsoft Corporation )
Network Connections - Netman - On Demand - Running - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
Network Location Awareness (NLA) - Nla - On Demand - Running - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
Norton Ghost - Norton Ghost - Automatic - Running - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe (Symantec Corporation )
Trend Micro Central Control Component - PcCtlCom - Automatic - Running - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe (Trend Micro Incorporated. )
Plug and Play - PlugPlay - Automatic - Running - C:\WINDOWS\system32\services.exe (Microsoft Corporation )
IPSEC Services - PolicyAgent - Automatic - Running - C:\WINDOWS\System32\lsass.exe (Microsoft Corporation )
Protected Storage - ProtectedStorage - Automatic - Running - C:\WINDOWS\system32\lsass.exe (Microsoft Corporation )
Remote Access Connection Manager - RasMan - On Demand - Running - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
Remote Procedure Call (RPC) - RpcSs - Automatic - Running - C:\WINDOWS\system32\svchost -k rpcss (Microsoft Corporation )
Security Accounts Manager - SamSs - Automatic - Running - C:\WINDOWS\system32\lsass.exe (Microsoft Corporation )
Task Scheduler - Schedule - Automatic - Running - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
Secondary Logon - seclogon - Automatic - Running - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
System Event Notification - SENS - Automatic - Running - C:\WINDOWS\system32\svchost.exe -k netsvcs (Microsoft Corporation )
Shell Hardware Detection - ShellHWDetection - Automatic - Running - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
Print Spooler - Spooler - Automatic - Running - C:\WINDOWS\system32\spoolsv.exe (Microsoft Corporation )
SSDP Discovery Service - SSDPSRV - On Demand - Running - C:\WINDOWS\System32\svchost.exe -k LocalService (Microsoft Corporation )
Windows Image Acquisition (WIA) - stisvc - Automatic - Running - C:\WINDOWS\System32\svchost.exe -k imgsvc (Microsoft Corporation )
Telephony - TapiSrv - On Demand - Running - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
Terminal Services - TermService - On Demand - Running - C:\WINDOWS\System32\svchost -k DComLaunch (Microsoft Corporation )
Themes - Themes - Automatic - Running - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
Trend Micro Real-time Service - Tmntsrv - Automatic - Running - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe (Trend Micro Incorporated. )
Trend Micro Personal Firewall - TmPfw - Automatic - Running - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe (Trend Micro Inc. )
Trend Micro Proxy Service - tmproxy - Automatic - Running - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe (Trend Micro Inc. )
Distributed Link Tracking Client - TrkWks - Automatic - Running - C:\WINDOWS\system32\svchost.exe -k netsvcs (Microsoft Corporation )
Windows User Mode Driver Framework - UMWdf - Automatic - Running - C:\WINDOWS\system32\wdfmgr.exe (Microsoft Corporation )
Windows Time - W32Time - Automatic - Running - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
WebClient - WebClient - Automatic - Running - C:\WINDOWS\System32\svchost.exe -k LocalService (Microsoft Corporation )
Windows Management Instrumentation - winmgmt - Automatic - Running - C:\WINDOWS\system32\svchost.exe -k netsvcs (Microsoft Corporation )
Security Center - wscsvc - Automatic - Running - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
Automatic Updates - wuauserv - Automatic - Running - C:\WINDOWS\system32\svchost.exe -k netsvcs (Microsoft Corporation )
Wireless Zero Configuration - WZCSVC - Automatic - Running - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )

<Files>

AllUsers ApplicationData Folder
C:\Documents and Settings\All Users\Application Data\desktop.ini - ( [Ver = | Size = 62 bytes | Date = 03/25/2002 05:12 | Attr = HS])

CurrentUser ApplicationData Folder
C:\Documents and Settings\Owner\Application Data\desktop.ini - ( [Ver = | Size = 62 bytes | Date = 03/25/2002 05:12 | Attr = HS])

DPF files
{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - - CodeBase = http://download.mcaf...84/mcinsctl.cab
{74CD40EA-EF77-4BAD-808A-B5982DA73F20} - - CodeBase = http://yax-download.....cab?refid=1123
{BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - - CodeBase = http://download.mcaf...,21/mcgdmgr.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000} - Shockwave Flash Object - CodeBase = http://fpdownload.ma...ash/swflash.cab
Microsoft XML Parser for Java - - CodeBase = file://C:\WINDOWS\Java\classes\xmldso.cab

Hosts file = 734 bytes. Reading all entries. C:\WINDOWS\System32\drivers\etc\Hosts
# Copyright © 1993-1999 Microsoft Corp. -
# -
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows. -
# -
# This file contains the mappings of IP addresses to host names. Each -
# entry should be kept on an individual line. The IP address should -
# be placed in the first column followed by the corresponding host name. -
# The IP address and the host name should be separated by at least one -
# space. -
# -
# Additionally, comments (such as these) may be inserted on individual -
# lines or following the machine name denoted by a '#' symbol. -
# -
# For example: -
# -
# 102.54.94.97 rhino.acme.com # source server -
# 38.25.63.10 x.acme.com # x client host -
-
127.0.0.1 localhost -

Edited by johnbon07, 08 August 2006 - 07:33 PM.


#9
Noviciate
I think that your anti-virus has probably dealt with these two nasties already, judging from the WinPFind log, but I'd like a second opinion.

1) Run HijackThis as you did to generate a log, but this time click on 'Do a system scan only'.
Place a checkmark in the boxes to the left of the following entries, by clicking on them:

O4 - HKCU\..\Run: [aldefr ere service] tay0x.exe
O4 - HKCU\..\Run: [MSNPluginSrvcs] p6.exe


CLOSE ALL OPEN WINDOWS AND BROWSERS - EXCEPT HJT and click on Fix checked

2) Remove any/all of the following files/folders that you can find:

Files

tay0x.exe
p6.exe


Click on Start,
Click on Search
Click on 'All files and folders'
In the 'All or part of the file name:' textbox, enter the above file name(s) and click on Search
Right click on any entries that are found and from the menu that appears, click on Delete


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

IMPORTANT - Go to Add/Remove Programs and uninstall any previous versions of Kaspersky Online Scanner before you proceed.

Go here and click the Kaspersky Online Scanner button - you will need to use I.E.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer" and then put the kettle on!
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.
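As an added example (not from this thread, and not part of HijackThis, VundoFix or WinPFind2), here is a small Python script that applies the three checks Noviciate made by eye above to constructed sample lines: the O2 BHO whose DLL is gone (post #6), the O4 Run values that name a bare file with no path (post #9), and the reversed-name companion files VundoFix listed. The regexes, the sample log lines, the directory listing and the reason strings are my own assumptions modelled on the logs in this thread.

```python
"""Flag the startup entries a malware helper fixes by eye in a HijackThis log.

Added example; it is not part of this thread, HijackThis, VundoFix or WinPFind2.
It encodes three things the helper checked above:
  1. an O2 BHO whose DLL is gone ("(file missing)"): a leftover registration,
     like the Vundo BHO here, that Fix checked removes;
  2. an O4 Run value with a bare file name and no path (tay0x.exe, p6.exe):
     Windows resolves it from the search path, and installers rarely do that;
  3. a system32 DLL with companion files whose stem is the DLL stem reversed
     (wvwwt.dll next to twwvw.ini / twwvw.bak1), the pairing VundoFix listed.
All sample data is constructed from the logs posted in this thread.
"""
import re
from typing import Dict, List, Set, Tuple

# O4 - HKCU\..\Run: [value name] command line
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")
# O2 - BHO: name - {CLSID} - path [(file missing)]
O2_RE = re.compile(
    r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*?)(?P<missing> \(file missing\))?$"
)
# First executable-looking token of an unquoted command line, arguments dropped.
EXE_RE = re.compile(r"^(.*?\.(?:exe|dll|com|scr|bat|cmd|pif))(?:\s|$)", re.IGNORECASE)

# Constructed sample: lines modelled on the HJT and WinPFind2 output in the thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {41F95D2D-94A0-46DC-8665-D529498E0834} - C:\WINDOWS\system32\wvwwt.dll (file missing)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKCU\..\Run: [aldefr ere service] tay0x.exe
O4 - HKCU\..\Run: [MSNPluginSrvcs] p6.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Constructed directory listing: the files VundoFix found plus two normal DLLs.
SYSTEM32_LISTING = ["kernel32.dll", "ntdll.dll", "wvwwt.dll", "twwvw.ini",
                    "twwvw.bak1", "twwvw.bak2", "twwvw.ini2", "twwvw.tmp"]


def command_path(command: str) -> str:
    """Return just the executable from a Run value, with any arguments dropped."""
    command = command.strip()
    if command.startswith('"'):           # "C:\Program Files\x.exe" -flag
        end = command.find('"', 1)
        if end > 0:
            return command[1:end]
    m = EXE_RE.match(command)             # C:\Program Files\x.exe /flag
    return m.group(1) if m else command.split(" ")[0]


def is_pathless(path: str) -> bool:
    """True when a Run value names a file without any directory component."""
    return "\\" not in path and "/" not in path


def flag_entries(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (section, subject, reason) for each entry worth a helper's attention."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            name, clsid, missing = m.group(1), m.group(2), m.group("missing")
            if missing:
                findings.append(("O2", clsid, "BHO DLL is missing: dead registration, fix it"))
            elif name == "(no name)":
                findings.append(("O2", clsid, "nameless BHO: identify the DLL before fixing"))
            continue
        m = O4_RE.match(line)
        if m:
            hive, _key, name, command = m.groups()
            path = command_path(command)
            if is_pathless(path):
                findings.append(("O4", f"{hive} [{name}]",
                                 f"Run value '{path}' has no path: search-path lookup"))
    return findings


def vundo_companions(filenames: List[str]) -> List[Tuple[str, List[str]]]:
    """Pair each .dll with companion files whose stem is its stem reversed.

    Returns [(dll_name, [sorted companion names])]; empty when nothing matches.
    """
    by_stem: Dict[str, Set[str]] = {}
    for name in filenames:
        stem, _, ext = name.lower().rpartition(".")
        by_stem.setdefault(stem, set()).add(ext)
    hits = []
    for stem, exts in by_stem.items():
        mirror = stem[::-1]
        if "dll" in exts and mirror != stem and mirror in by_stem:
            hits.append((f"{stem}.dll", sorted(f"{mirror}.{e}" for e in by_stem[mirror])))
    return sorted(hits)


if __name__ == "__main__":
    for section, subject, reason in flag_entries(SAMPLE_LOG):
        print(f"{section} {subject}: {reason}")
    for dll, companions in vundo_companions(SYSTEM32_LISTING):
        print(f"{dll} has reversed-name companions: {', '.join(companions)}")
```

Run against the sample it reports the dead wvwwt.dll BHO, the two pathless Run values, and the twwvw.* companions of wvwwt.dll, while the Apoint, QuickTime and Yahoo entries pass.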

#10
johnbon07
OK, so I have some bad news. After all this, it was during the Kaspersky scan that a virus was discovered on my computer. So it looks like the trojan is gone but now there is this new problem. Will it ever end? lol So, I followed your instructions on everything. I couldn't find any trace of either file in step 2. I ran Kaspersky and here is the first running of it.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, August 10, 2006 2:21:09 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 10/08/2006
Kaspersky Anti-Virus database records: 213718
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 45321
Number of viruses found: 3
Number of infected objects: 3 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:53:52

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\USDR6_0001_D17M1107\installer.exe Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\871.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.cu skipped
C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\wvwwt.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.cq skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\gdnUS2339.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{5D9EB82F-A325-42CE-B7E3-B28C7C716621}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

I ran it twice because the first time I ran it, I had my Trend Micro security running, and that's when the viruses were discovered. So after it was done, I disabled my security stuff and ran it again. It still says there were 3 viruses. The virus is located in C:\Documents and Settings\Owner\Local Settings\Temp\USDR6_0001_D17M1107\installer.exe
Virus name: ADW_SYSDOC.A

Also, here is the latest HijackThis file:

Logfile of HijackThis v1.99.1
Scan saved at 6:46:50 AM, on 8/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\aniServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Motive\AsstCommon\motmon.exe
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\AsstCommon\motmon.exe
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.fujitsupc.com/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.....cab?refid=1123
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,21/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Airgo Networks NIC Service (ANISERVICE) - Airgo Networks, Inc. - C:\WINDOWS\System32\aniServ.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Hope this helps. And I pray that you have a solution lol.
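As an added example (not from this thread and not Kaspersky's own tooling), the following Python script parses the "Infected Object Name / Virus Name / Last Action" table in a Kaspersky Online Scanner report like the one pasted above and separates the "Object is locked" noise from hits already sitting in an anti-virus quarantine folder and from live detections that still need cleaning up. The embedded sample report is constructed from three lines in that format, and the function names are my own.

```python
# Added example (not from the thread or from Kaspersky): triage the
# "Infected Object Name / Virus Name / Last Action" table of a Kaspersky
# Online Scanner report into locked-file noise, hits already sitting in an
# AV quarantine folder, and live detections that still need cleaning up.
import re

# Constructed sample in the report format pasted above.
SAMPLE_REPORT = """\
Infected Object Name / Virus Name / Last Action
C:\\WINDOWS\\system32\\config\\SAM Object is locked skipped
C:\\Program Files\\Trend Micro\\Internet Security 2005\\Quarantine\\wvwwt.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.cq skipped
C:\\WINDOWS\\Downloaded Program Files\\gdnUS2339.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped

Scan process completed.
"""

# Table rows are "<path> Infected: <detection> <action>" or
# "<path> Object is locked <action>"; paths may contain spaces.
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\w+)$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked (?P<action>\w+)$")

def parse_report(text):
    """Return (locked_paths, hits); each hit is (path, detection, action)."""
    locked, hits = [], []
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Infected Object Name"):
            in_table = True          # the table follows this header
            continue
        if not in_table or not line:
            continue
        if line.startswith("Scan process completed"):
            break                    # end of the table
        m = LOCKED_RE.match(line)
        if m:
            locked.append(m.group("path"))
            continue
        m = INFECTED_RE.match(line)
        if m:
            hits.append((m.group("path"), m.group("name"), m.group("action")))
    return locked, hits

def triage(hits):
    """Split hits already inside an AV quarantine folder from live ones."""
    quarantined, live = [], []
    for hit in hits:
        (quarantined if "\\quarantine\\" in hit[0].lower() else live).append(hit)
    return quarantined, live
```

Run over the full report pasted above, it returns 53 locked paths, the two Trend Micro quarantine hits, and a single live hit, C:\WINDOWS\Downloaded Program Files\gdnUS2339.exe.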

#11
Noviciate


    Confused Helper

  • Malware Removal
  • 1,567 posts
I would normally have advised running an Ewido scan in Safe Mode, but I see that you have uninstalled it.

You will need to make a copy of these instructions because you have to disconnect from the internet to complete the fix. Either print them out or copy and paste them into Notepad.

Preparation

1) You will need to set Windows to show All Hidden Files and Folders
Instructions can be found here.
** These files are hidden to stop you accidentally removing something important.
It is advisable to hide them again after fixing your computer. **

2) You will also need to know how to boot into Safe Mode.
Instructions can be found here.

3) Log off from the internet and disconnect your modem cable for the duration of the fix.

Removal

1) Run HijackThis as you did to generate a log, but this time click on 'Do a system scan only'.
Place a checkmark in the boxes to the left of the following entries, by clicking on them:

O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.....cab?refid=1123

CLOSE ALL OPEN WINDOWS AND BROWSERS - EXCEPT HJT - and click on Fix checked.

2) Boot into Safe Mode.

3) Go to Start > Run, enter cmd into the text box and click OK.
Copy and paste each line below into the Command Prompt window pressing <ENTER> where indicated:

cd c:\windows\downloaded program files <ENTER>
del gdnUS2339.exe <ENTER>
Close the window.

4) Navigate to the C:\Windows\Temp folder and delete all the files that you find there.
Do this for all Usernames.

5) Navigate to C:\Documents and Settings\Username\Local Settings\Temp and delete all the files that you find there.
Do this for all Usernames.

6) Go to Start > Control Panel > Internet Options and under Temporary Internet files, click on Delete Files...
Check the box to the left of 'Delete all offline content' and then click on OK.

7) Boot into Normal Mode.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

That should take care of the last of your problems. I want you to run your PC as normal for a few days. When you are happy that everything is fine, do the following:

Update your anti-virus program,
Disable System Restore,
Boot into Safe Mode,
Scan your computer for viruses.
When you get the all clear, reboot into Normal Mode.
Re-enable System Restore,
Create a Restore Point.
This will give a clean Restore Point should you need it in the future.
A tutorial for System Restore is available here.

The reason for waiting is that if removing the malware has caused a problem, which it occasionally does, you can put your PC back to how it was before the fix. This will re-install the malware, but an infected PC is better than an expensive paperweight!

Some bedtime reading: This is a very good tutorial about keeping your computer safe and secure on the internet.