Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Vmundo+? [RESOLVED]

Started by TheAesthetic , Aug 30 2006 02:40 PM

  • This topic is locked This topic is locked

#1
TheAesthetic
Posted 30 August 2006 - 02:40 PM

TheAesthetic

    Member

  • Member
  • PipPip
  • 32 posts
I've posted here before and got great help and brought my system back to almost 100%. Things were doing well and then it seems out of no where a strange problem occoured. I've scanned and followed the steps and seemed to have worked and removed the threats but they either return after a reboot or they arent the main problem. I'm running windows xp on a dell inspiron. Virus scanner shows Vmundo, removal does not work and i've taken steps to remove from registry but the file is not found in registry so i'm stumped. This may not even be the main infection.

Main issue:
I use IE mozilla will not work for whatever reason. I have never had a problem with ie like this before and it seemed to happen out of the blue. Certain sites will load as a blank page. Including this page and many other forums/self help pages/reference pages(wiki,dictionaries, other encyclopedias) + many others. The page will stop loading and it will be completely white. No messages no pop-ups, nothing.
Also it seems the whole computer is lagging more so than usual(I just cleared it of all dust and cleaned up all idle space) IE and other programs will close at very random intervals as well.
Without further adeiu here is my most recent HJT logfile. Thanks in advace for all help:

Logfile of HijackThis v1.99.1
Scan saved at 4:27:28 PM, on 8/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Daniel\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=48835
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1127102990874
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: seppgs - C:\WINDOWS\SYSTEM32\seppgs.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


I appreciate all help and thank you again.
  • 0

Advertisements

#2
cfa-ddg2
Posted 31 August 2006 - 06:25 PM

cfa-ddg2

    Visiting Staff

  • Visiting Consultant
  • 963 posts
Hello TheAesthetic...welcome back!

Sorry about your recent problems...the problem now is not Vundo but rather Haxdoor...let me know why you think Vundo might still be a problem for you.

Let's get rid of the Haxdoor:

Download haxfix.exe
and save it to your desktop.
  • Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
  • Checkmark "Create a desktop icon"
  • Click "Next"
  • When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed
  • Click "Finish"
A red "dos window" (dos box) will open with options:
1. Make logfile
2. Run auto fix
3. Run manual fix
E. Exit Haxfix
  • Select option 1. Make logfile by typing 1 and then pressing Enter
  • Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt > (c:\haxfix.txt)
  • Copy the contents of that logfile and paste it into this thread.

  • 0

#3
TheAesthetic
Posted 01 September 2006 - 04:03 PM

TheAesthetic

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
Well i'm doing said steps now. I believed i had the Virtumonde because after running ewido it found two files with the name in it. i removed them but they would show up again after reboot. Searched where they would be in the registry but couldnt find said files to delete. I'll see how this works out.
Would said infection somehow cause my cd-rom to stop working entirely? that was another problem i had that seemed to pop up just about the same time.
I'll let you know how i make out and thanks for the help!
  • 0

#4
TheAesthetic
Posted 01 September 2006 - 04:10 PM

TheAesthetic

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
HAXFIX logfile - by Marckie
______________
version 4.14
Fri 09/01/2006 18:09:09.31

checking for haxdoor
--------------------
checking for a3d files....
a3d files found
ps.a3d

checking for matching notify keys....
matching notify keys found
sepp

checking for matching services....
matching services found
Aspi32
CmBatt
seppgs
seppgm

checking for matching safeboot services....
matching safeboot services found
seppgs.sys
seppgm.sys


Checking for goldun
-------------------
checking for notify keys....
no notify keys found

checking for services....
no services found

checking for other goldunfiles....


Finished
  • 0

#5
cfa-ddg2
Posted 01 September 2006 - 06:29 PM

cfa-ddg2

    Visiting Staff

  • Visiting Consultant
  • 963 posts
Hello TheAesthetic....great!

Option 2 autofix
  • Open this folder program files > haxfix and double click on fix.bat (or double click on fix.bat desktop icon)
  • Close all other open windows since this step requires a reboot
  • Select option 2. Run auto fix by typing 2 and then pressing Enter
If an infection is found, you'll get a message to close all other open windows.
  • Close all open windows except the red dos window from haxfix and then press Enter
  • The computer will reboot
  • After reboot a logfile will open > (c:\haxfix.txt)
  • Post the contents of that logfile along with a new HijackThis log.

  • 0

#6
TheAesthetic
Posted 03 September 2006 - 05:08 PM

TheAesthetic

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
haxfix:
HAXFIX logfile - by Marckie
--------------
version 4.14
Sun 09/03/2006 18:50:38.31

--- Auto Haxdoorfix ---


searching for services....
service seppgs found
[SWSC] DeleteService SUCCESS
service seppgm found
[SWSC] DeleteService SUCCESS


--- Goldunfix ---


searching for files:

searching for notifykeys:
no notifykeys found

searching for services:
no services found


.....rebooting the computer.....


searching for notifykeys

notifykey seppgs not found


searching for services

service seppgs not found
service seppgm not found


searching for safeboot services

safeboot service seppgs.sys not found
safeboot service seppgm.sys not found


searching for files

seppgs.dll exists
deleting seppgs.dll
seppgs.dll has been deleted

seppgs.sys exists
deleting seppgs.sys
seppgs.sys has been deleted

seppgm.sys exists
deleting seppgm.sys
seppgm.sys has been deleted


checking for other files

qz.dll exists
deleting qz.dll
qz.dll has been deleted

qz.sys exists
deleting qz.sys
qz.sys has been deleted

83ghh.ini exists
deleting 83ghh.ini
83ghh.ini has been deleted

aaaxcfdwq.dat exists
deleting aaaxcfdwq.dat
aaaxcfdwq.dat has been deleted


checking for a3d files

ps.a3d
deleting a3d files
a3d files are deleted


Finished


Latest hjt:
Logfile of HijackThis v1.99.1
Scan saved at 6:59:57 PM, on 9/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cmd.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Daniel\Desktop\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=48835
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1127102990874
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

can access websites again though i dont know if i have lingering problems still! thanks for all the help so far!
  • 0

#7
cfa-ddg2
Posted 03 September 2006 - 05:21 PM

cfa-ddg2

    Visiting Staff

  • Visiting Consultant
  • 963 posts
Hello theAesthetic...

Well the HJT appears clean...are you having any computer issues?

Your Java is now ot of date:


1. Update Java and Remove old Java Versions
  • Download the latest version of Java Runtime Environment (JRE) 5.0 Update 8.<== scroll down the list to find THIS entry
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Remove older Java Versions:
  • Close any programs you may have running - especially your web browser.
  • Go to Start >> Control Panel double-click on Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
Install latest Java Version:
  • From your desktop, double-click on jre-1_5_0_08-windows-i586-p to install the newest version.
2. If you are still having some issues with your computer, let me know what they are and do Panda's ActiveScan:

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
If you do the Panda Scan, post the results here with another HJT log...if your computer is doing well adn you don't feel the need to run the scan, let me know... :whistling:
  • 0

#8
TheAesthetic
Posted 03 September 2006 - 09:18 PM

TheAesthetic

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
unfortionately i have a terribly hard time with updates on my laptop. there seem to be issues with my connectivity which wont allow me to make certain updates, especially when dealing with https or other security sites. I've tried addressing the issue many times but i cant seem to find the proper solution. Basically whenever i want to make an update (java/windows/norton/adaware etc..) i am unable to connect to the server and i'll get "cannot find server" or "unable to make a connection". Which is the problem i am having now. i'm doing the panda scan now and i'll let you know the results. Unfortionatly i dont know another way to recieve updates and it's been a problem for quite a while which appears to be hopeless. Thanks for help so far, everything seems to be running alot better, though the cd-rom is still out of comission, maybe i'll have to reinstall drivers or something?
i'll post the log soon. thanks.
  • 0

#9
TheAesthetic
Posted 03 September 2006 - 09:40 PM

TheAesthetic

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
Incident Status Location

Virus:Trj/Downloader.KCO Disinfected Operating system
Spyware:spyware/virtumonde Not disinfected Windows Registry

Log for panda scan. there is that stray virtumonde again. with ewido it picks up two virtumonde files. it removes them then they find their way back in. i havnt been able to remove manually either.
  • 0

#10
cfa-ddg2
Posted 04 September 2006 - 03:30 PM

cfa-ddg2

    Visiting Staff

  • Visiting Consultant
  • 963 posts

unfortionately i have a terribly hard time with updates on my laptop. there seem to be issues with my connectivity which wont allow me to make certain updates, especially when dealing with https or other security sites. I've tried addressing the issue many times but i cant seem to find the proper solution. Basically whenever i want to make an update (java/windows/norton/adaware etc..) i am unable to connect to the server and i'll get "cannot find server" or "unable to make a connection". Which is the problem i am having now. i'm doing the panda scan now and i'll let you know the results. Unfortionatly i dont know another way to recieve updates and it's been a problem for quite a while which appears to be hopeless. Thanks for help so far, everything seems to be running alot better, though the cd-rom is still out of comission, maybe i'll have to reinstall drivers or something?
i'll post the log soon. thanks.


Hello theAesthetic...

Are you only having problems with the secure sites and all others are working OK?

Is the problem still the same from your last topic I helped you in? I remember we reset the hosts file with Hoster correct? I think I also referred you to a mvps page which didn't help either?

I'm not sure what we can do with the Panda Virtumonde finding...I've gone on registry hunts for those listings and have never had success finding them. Miekiemoes is a very well respected malware authority and a teacher here at G2G...here is what she has to say about those entries:

Concerning the entries that Panda found:

Spyware:spyware/virtumonde Not disinfected Windows Registry

We actually can't do anything with this info. Because Panda doesn't show as well where in the registry it is located.
Performing a regsearch on virtumonde doesn't make much sense, because that's the name of the infection they are giving, not how it would appear in the registry.
I've had already a couple of cases before where I tried to find out where Panda was finding these entries. Performed regsearches on them, but no luck.
A couple of times, I've also seen that the Panda free scan actually finds these entries in the ZoneMap\Domains part of the registry. Where these keys are set with data dword:00000004.. which actually means that these domains are blocked. A lot of spywarescanners set these entries to block these domains, which is a good thing ofcourse.
When you delete those keys, Panda free online scan won't find these entries anymore.... but you are not supposed to delete these keys anyway, because it's with a purpose they are set there.

Panda has two Online scanners....a free one and a professional one.
You can find here what the difference is below in the comparison table:
http://www.pandasoft...ucts/activescan

The Pro online scan isn't free. What happens if you scan with the free scan and similar entries appear like "Not disinfected Windows Registry"? Well, they advise to buy the Pro scan to get rid of them.
I've been researching this issue before and found some threads where some users *did pay for the Pro scan to get rid of these "Not disinfected Windows Registry"... and what happened? Those entries weren't even found in the Pro scan. So, they scanned again with the Free online scan -- and those entries were back.

That's why I started to ignore these entries from now on, because I have a feeling that it is a marketing trick here. Because some reports from the Panda online scans DO show where it is exactly located in the registry.. so why won't they show it now?


If Panda told me the exact location of it's findings, we could deal with it...but it does not. If you want to do some more detailed scans of your system to search for the entries we can, but it's been my experience that it will in all likelihood be fruitless. I don't see any Virtumonde file entries in HJT or in the Panda log.

As far as the CDROM problem, I'm certainly not a hardware expert by any means..but if we finish here and you are still having problems with it I would recommend that you use G2G's most excellent Harware Forum where someone more knowledgable can possibly help.

Since there are a few problems left that you are having, let's do a few things to check if they find anything:

1. Navigate to this file using Windows Explorer:

C:\Documents and Settings\Daniel\Desktop\HijackThis.exe

and rename HijackThis.exe to something else...like analyzethis.exe. Then run analyzethis.exe and post another the 'HJT' logfile for me to look at...sometimes Vundo can 'hide' from HJT and renaming the .exe file can make it appear.

2. Let's look at a WinPFind log:

Download WindPFind

Extract WinPFind.zip to your c:\ folder.

Reboot your computer into Safe Mode

Then open c:\WinPFind and double-click on WinPFind.exe.
When the program is open, click on the Start Scan button to start scanning your computer. Be patient as this scan may take a while.
When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode and and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.

I'm not sure either of these will show much, but let's take a look see....
  • 0

Advertisements

#11
TheAesthetic
Posted 05 September 2006 - 06:50 PM

TheAesthetic

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
Yes for the most part its secure sites and few random stray ones that are probably secure but i just dont realize it.
anyway we did try a few things last time you helped me and i appreciated it, its probably just not meant to be.
thank you very much for all your help so far! I will probably head over to the hardware section after everything is settled here (assuming my latest scans showed nothing of concern.
If the virtumonde isnt doing anything or its just a marketing plot. no harm. no problem.
without further adeiu here are the last two scans!


Hijack this:

Logfile of HijackThis v1.99.1
Scan saved at 8:27:42 PM, on 9/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Nikon\NkView6\Nikon Editor\NkvEdit.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Daniel\Desktop\analyzethis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=48835
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1127102990874
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


WinPFind:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Logfile created on: 9/5/2006 8:34:21 PM
WinPFind v1.5.0 Folder = C:\WinPFind\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2180)

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
FSG! 8/26/2006 8:07:56 PM 58780 C:\WINDOWS\4716363178.exe ()

Checking %System% folder...
PEC2 3/19/2004 6:35:10 PM 41397 C:\WINDOWS\SYSTEM32\DFRG.MSC ()
UPX! 11/24/2001 1:31:48 PM 65536 C:\WINDOWS\SYSTEM32\DVDAudio.ax (Fraunhofer)
UPX! 11/24/2001 1:28:14 PM 86528 C:\WINDOWS\SYSTEM32\DVDVideo.ax (Fraunhofer)
PTech 1/12/2006 12:32:12 PM 543496 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL (Microsoft® Corporation)
WSUD 8/4/2004 3:56:54 AM 1200128 C:\WINDOWS\SYSTEM32\ntbackup.exe (Microsoft Corporation)
aspack 8/4/2004 3:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll (Microsoft Corporation)
WSUD 8/4/2004 3:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl (Microsoft Corporation)
Umonitor 8/4/2004 3:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll (Microsoft Corporation)
UPX! 11/25/2005 5:48:28 PM 40960 C:\WINDOWS\SYSTEM32\swsc.exe ()
winsync 3/19/2004 6:44:18 PM 1309184 C:\WINDOWS\SYSTEM32\WBDBASE.DEU ()

Checking %System%\Drivers folder and sub-folders...
PTech 8/4/2004 1:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys (Smart Link)

Items found in C:\WINDOWS\SYSTEM32\drivers\ETC\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
9/5/2006 8:33:14 PM S 2048 C:\WINDOWS\BOOTSTAT.DAT ()
8/15/2006 6:17:30 PM HS 7168 C:\WINDOWS\Thumbs.db ()
9/5/2006 8:33:04 PM H 8192 C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG ()
9/5/2006 8:33:32 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG ()
9/5/2006 8:33:16 PM H 16384 C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG ()
9/5/2006 8:33:34 PM H 61440 C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG ()
9/5/2006 8:33:22 PM H 1089536 C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG ()
8/27/2006 5:14:24 PM HS 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\89fde409-cb02-4848-a8ab-2fc164158de1 ()
8/27/2006 5:14:24 PM HS 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\Preferred ()
9/5/2006 8:31:24 PM H 6 C:\WINDOWS\Tasks\SA.DAT ()
9/1/2006 3:47:02 AM HS 113 C:\WINDOWS\Temp\History\History.IE5\desktop.ini ()
9/1/2006 3:47:02 AM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini ()
9/1/2006 3:47:02 AM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\4TI7G16B\desktop.ini ()
9/1/2006 3:47:02 AM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\GDA381AJ\desktop.ini ()
9/1/2006 3:47:02 AM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\KTIJKX2N\desktop.ini ()
9/1/2006 3:47:02 AM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\W5MJKX2F\desktop.ini ()

Checking for CPL files...
5/25/2004 12:06:58 PM 417792 C:\WINDOWS\SYSTEM32\ac3filter.cpl ()
8/4/2004 3:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl (Microsoft Corporation)
8/4/2004 3:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl (Microsoft Corporation)
12/15/2003 1:09:34 PM 24576 C:\WINDOWS\SYSTEM32\BACSCPL.cpl ()
2/20/2004 5:13:54 PM 958464 C:\WINDOWS\SYSTEM32\BCMWLCPL.CPL (Dell Computer Corporation)
10/7/2003 2:39:00 PM 184320 C:\WINDOWS\SYSTEM32\bdeadmin.cpl (Borland Software Corporation)
4/8/2004 11:24:48 PM 262203 C:\WINDOWS\SYSTEM32\btcpl.cpl (WIDCOMM, Inc.)
8/4/2004 3:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl (Microsoft Corporation)
8/4/2004 3:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl (Microsoft Corporation)
8/4/2004 3:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl (Microsoft Corporation)
8/4/2004 3:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl (Microsoft Corporation)
8/4/2004 3:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl (Microsoft Corporation)
8/4/2004 3:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl (Microsoft Corporation)
8/4/2004 3:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl (Microsoft Corporation)
8/4/2004 3:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl (Microsoft Corporation)
5/3/2006 2:56:54 AM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl (Sun Microsystems, Inc.)
3/19/2004 6:38:44 PM 187904 C:\WINDOWS\SYSTEM32\MAIN.CPL (Microsoft Corporation)
8/4/2004 3:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl (Microsoft Corporation)
3/19/2004 6:40:24 PM 35840 C:\WINDOWS\SYSTEM32\NCPA.CPL (Microsoft Corporation)
8/4/2004 3:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl (Microsoft Corporation)
8/4/2004 3:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl (Microsoft Corporation)
3/19/2004 6:41:00 PM 36864 C:\WINDOWS\SYSTEM32\NWC.CPL (Microsoft Corporation)
8/4/2004 3:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl (Microsoft Corporation)
8/4/2004 3:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl (Microsoft Corporation)
8/26/2004 7:32:48 AM 24576 C:\WINDOWS\SYSTEM32\prefscpl.cpl (RealNetworks, Inc.)
10/29/2003 10:40:22 AM 102481 C:\WINDOWS\SYSTEM32\stac97.cpl (SigmaTel Inc.)
8/4/2004 3:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl (Microsoft Corporation)
3/19/2004 6:43:36 PM 28160 C:\WINDOWS\SYSTEM32\TELEPHON.CPL (Microsoft Corporation)
8/4/2004 3:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl (Microsoft Corporation)
8/4/2004 3:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl (Microsoft Corporation)
5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl (Microsoft Corporation)
5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\DLLCACHE\wuaucpl.cpl (Microsoft Corporation)

Checking for Downloaded Program Files...
{17492023-C23A-453E-A040-C7C580BBF700} - Windows Genuine Advantage Validation Tool - CodeBase = http://go.microsoft....k/?linkid=48835
{33564D57-0000-0010-8000-00AA00389B71} - - CodeBase = http://download.micr...922/wmv9VCM.CAB
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - MUWebControl Class - CodeBase = http://update.micros...b?1127102990874
{8AD9C840-044E-11D1-B3E9-00805F499D93} - Java Plug-in 1.5.0_07 - CodeBase = http://java.sun.com/...indows-i586.cab
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - ActiveScan Installer Class - CodeBase = http://acs.pandasoft...free/asinst.cab
{CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - Java Plug-in 1.5.0_07 - CodeBase = http://java.sun.com/...indows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - Java Plug-in 1.5.0_07 - CodeBase = http://java.sun.com/...indows-i586.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000} - - CodeBase = http://fpdownload.ma...ent/swflash.cab

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
4/27/2006 9:34:24 PM 986 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk ()
3/20/2004 1:58:38 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI ()
3/1/2006 7:19:06 PM 1567 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkvMon.exe.lnk ()

Checking files in %ALLUSERSPROFILE%\Application Data folder...
3/20/2004 1:50:30 PM HS 62 C:\Documents and Settings\All Users\Application Data\DESKTOP.INI ()
7/3/2006 3:57:00 PM 1356 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache ()

Checking files in %USERPROFILE%\Startup folder...
3/20/2004 1:58:38 PM HS 84 C:\Documents and Settings\Daniel\Start Menu\Programs\Startup\DESKTOP.INI ()

Checking files in %USERPROFILE%\Application Data folder...
3/20/2004 1:50:30 PM HS 62 C:\Documents and Settings\Daniel\Application Data\DESKTOP.INI ()
9/16/2004 6:16:12 PM 12358 C:\Documents and Settings\Daniel\Application Data\PFP120JCM.{PB ()
9/16/2004 6:16:12 PM 61678 C:\Documents and Settings\Daniel\Application Data\PFP120JPR.{PB ()

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

>>> Internet Explorer Settings <<<


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - about:blank
\\Search Page - http://www.microsoft...amp;ar=iesearch
\\Default_Page_URL - http://www.microsoft...p...&ar=msnhome
\\Default_Search_URL - http://www.microsoft...amp;ar=iesearch
\\Local Page - %SystemRoot%\system32\blank.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - http://www.google.com/
\\Search Bar - http://www.google.com/ie
\\Search Page - http://www.google.com
\\Local Page - C:\WINDOWS\system32\blank.htm

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
\\CustomizeSearch - http://ie.search.msn...st/srchcust.htm
\\SearchAssistant - http://www.google.com/ie


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
\\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Microsoft Url Search Hook = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)

>>> BHO's <<<
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - SSVHelper Class = C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
\{AA58ED58-01DD-4d91-8333-CF10577473F7} - Google Toolbar Helper = c:\program files\google\googletoolbar1.dll (Google Inc.)

>>> Internet Explorer Bars, Toolbars and Extensions <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
\{4D5C8C25-D075-11d0-B416-00C04FB90376} - &Tip of the Day = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)
\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - Real.com = C:\WINDOWS\System32\Shdocvw.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
\{30D02401-6A81-11D0-8274-00C04FD5AE38} - Search Band = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\{32683183-48a0-441b-a342-7c2a440a9478} - = ()
\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1} - File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\{EFA24E61-B078-11D0-89E4-00C04FC9E26E} - Favorites Band = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)
\{EFA24E62-B078-11D0-89E4-00C04FC9E26E} - History Band = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
\\{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google = c:\program files\google\googletoolbar1.dll (Google Inc.)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
\ShellBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Norton AntiVirus = C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll ()
\ShellBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - Web assistant = C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll ()
\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} - &Google = c:\program files\google\googletoolbar1.dll (Google Inc.)
\WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Norton AntiVirus = C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll ()

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\CmdMapping]
\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - 8192 = Sun Java Console
\\NEXTID - 8198
\\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - 8194 =
\\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - 8195 =
\\{FB5F1910-F110-11d2-BB9E-00C04F795683} - 8196 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - MenuText: Sun Java Console = ()
\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - ButtonText: AIM = C:\PROGRA~1\AIM\aim.exe (America Online, Inc.)

>>> Approved Shell Extensions (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
\\{42071714-76d4-11d1-8b24-00a0c9068ff3} - Display Panning CPL Extension = deskpan.dll ()
\\{764BF0E1-F219-11ce-972D-00AA00A14F56} - Shell extensions for file compression = ()
\\{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} - Encryption Context Menu = ()
\\{88895560-9AA2-1069-930E-00AA0030EBC8} - HyperTerminal Icon Ext = C:\WINDOWS\System32\hticons.dll (Hilgraeve, Inc.)
\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} - Taskbar and Start Menu = ()
\\{32683183-48a0-441b-a342-7c2a440a9478} - Media Band = ()
\\{7A9D77BD-5403-11d2-8785-2E0420524153} - User Accounts = ()
\\{DEE12703-6333-4D4E-8F34-738C4DCC2E04} - RecordNow! SendToExt = C:\Program Files\Sonic\RecordNow!\shlext.dll ()
\\{5CA3D70E-1895-11CF-8E15-001234567890} - DriveLetterAccess = ()
\\ - = ()
\\{6af09ec9-b429-11d4-a1fb-0090960218cb} - My Bluetooth Places = C:\WINDOWS\System32\btneighborhood.dll (WIDCOMM, Inc.)
\\{B41DB860-8EE4-11D2-9906-E49FADC173CA} - WinRAR shell extension = C:\Program Files\WinRAR\rarext.dll ()
\\{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} - iTunes = C:\Program Files\iTunes\iTunesMiniPlayer.dll (Apple Computer, Inc.)
\\{32A9D769-5B55-4a25-9A62-86B5683FE50A} - NikonView Drop Extension = C:\Program Files\Nikon\NkView6\NkvDropExt.dll (Nikon Corporation)
\\{7C9D5882-CB4A-4090-96C8-430BFE8B795B} - Webroot Spy Sweeper Context Menu Integration = C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll ()
\\{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} - TrojanHunter Menu Shell Extension = C:\PROGRA~1\TROJAN~1.5\contmenu.dll ()

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

>>> Context Menu Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers]
\ewido - {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll (ewido networks)
\Symantec.Norton.Antivirus.IEContextMenu - {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll ()
\TrojanHunter - {EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.5\contmenu.dll ()
\WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ()

[HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers]
\SpySweeper - {7C9D5882-CB4A-4090-96C8-430BFE8B795B} = C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll ()

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers]
\ewido - {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll (ewido networks)
\TrojanHunter - {EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.5\contmenu.dll ()
\WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ()

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\BackGround\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers]
\SpySweeper - {7C9D5882-CB4A-4090-96C8-430BFE8B795B} = C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll ()
\Symantec.Norton.Antivirus.IEContextMenu - {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll ()
\TrojanHunter - {EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.5\contmenu.dll ()
\WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ()

>>> Column Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]

>>> Registry Run Keys <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
THGuard - C:\Program Files\TrojanHunter 4.5\THGuard.exe (Mischel Internet Security)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
AIM - C:\PROGRA~1\AIM\aim.exe -cnetwait.odl ()
Sonic RecordNow! - Reg Data missing or invalid ()

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

>>> Startup Links <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Common Startup]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI ()
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkvMon.exe.lnk - C:\Program Files\Nikon\NkView6\NkvMon.exe (Nikon Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Startup]
C:\Documents and Settings\Daniel\Start Menu\Programs\Startup\DESKTOP.INI ()

>>> MSConfig Disabled Items <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
WANMiniportService 2
WLTRYSVC 2
iPodService 3
btwdins 2
Ati HotKey Poller 2
AOL ACS 2


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\AMERIC~1.0\aoltray.exe -check
item America Online 9.0 Tray Icon

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup C:\WINDOWS\pss\BTTray.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Dell\BLUETO~1\BTTray.exe
item BTTray

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item
hkey HKLM
command
inimapping 0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AIM
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item aim
hkey HKCU
command C:\Program Files\AIM\aim.exe -cnetwait.odl
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Apoint
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Apoint
hkey HKLM
command C:\Program Files\Apoint\Apoint.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ATIModeChange
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Ati2mdxx
hkey HKLM
command Ati2mdxx.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ATIPTA
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item atiptaxx
hkey HKLM
command C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\BCMSMMSG
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item BCMSMMSG
hkey HKLM
command BCMSMMSG.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ccApp
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ccApp
hkey HKLM
command "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DellSupport
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item DSAgnt
hkey HKCU
command "C:\Program Files\Dell Support\DSAgnt.exe" /startup
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\dla
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item tfswctrl
hkey HKLM
command C:\WINDOWS\system32\dla\tfswctrl.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iTunesHelper
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item iTunesHelper
hkey HKLM
command "C:\Program Files\iTunes\iTunesHelper.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KernelFaultCheck
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item dumprep 0 -k
hkey HKLM
command %systemroot%\system32\dumprep 0 -k
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MaxtorOneTouch
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item OneTouch
hkey HKLM
command C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MoneyAgent
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mnyexpr
hkey HKCU
command "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msmsgs
hkey HKCU
command "C:\Program Files\Messenger\msmsgs.exe" /background
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PCMService
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item PCMService
hkey HKLM
command "C:\Program Files\Dell\Media Experience\PCMService.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RealTray
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item RealPlay
hkey HKLM
command C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SunJavaUpdateSched
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item jusched
hkey HKLM
command C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Symantec NetDriver Monitor
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item SNDMon
hkey HKLM
command C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\UpdateManager
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item sgtray
hkey HKLM
command "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\URLLSTCK.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item UrlLstCk
hkey HKLM
command C:\Program Files\Norton Internet Security\UrlLstCk.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ViewMgr
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ViewMgr
hkey HKLM
command C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 2
startup 2


[All Users Startup Folder Disabled Items]

[Current User Startup Folder Disabled Items]

>>> User Agent Post Platform <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
\\SV1 -

>>> AppInit Dll's <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs]

>>> Image File Execution Options <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
\Your Image File Name Here without a path - Debugger = ntsd -d

>>> Shell Service Object Delay Load <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
\\PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\\CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\\WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll (Microsoft Corporation)
\\SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll (Microsoft Corporation)

>>> Shell Execute Hooks <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation)
\\{54D9498B-CF93-414F-8984-8CE7FDE0D391} - CShellExecuteHookImpl Object = C:\Program Files\ewido\security suite\shellhook.dll ()
\\{9EF34FF2-3396-4527-9D27-04C8C1C67806} - Microsoft.AntiSpyware.ShellExecuteHook.1 = C:\Program Files\Microsoft AntiSpyware\shellextension.dll (Microsoft Corporation)
\\{20D57A66-F7DF-467d-907B-9B7F4A118AB7} - = ()

>>> Shared Task Scheduler <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
\\{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\\{8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)

>>> Winlogon <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
\\UserInit = C:\WINDOWS\system32\userinit.exe,
\\Shell = Explorer.exe
\\System =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
\AtiExtEvent - Ati2evxx.dll = ()
\crypt32chain - crypt32.dll = (Microsoft Corporation)
\cryptnet - cryptnet.dll = (Microsoft Corporation)
\cscdll - cscdll.dll = (Microsoft Corporation)
\ScCertProp - wlnotify.dll = (Microsoft Corporation)
\Schedule - wlnotify.dll = (Microsoft Corporation)
\sclgntfy - sclgntfy.dll = (Microsoft Corporation)
\SensLogn - WlNotify.dll = (Microsoft Corporation)
\termsrv - wlnotify.dll = (Microsoft Corporation)
\wlballoon - wlnotify.dll = (Microsoft Corporation)
\WRNotifier - WRLogonNTF.dll = ()

>>> DNS Name Servers <<<
{623F43B1-0E75-415B-A254-99924F5C3F36} - ()
{A6D12148-B370-4952-B2EF-9389341507A4} - (Broadcom 440x 10/100 Integrated Controller)
{A9790981-34C5-424C-B70F-450E2CDA4D4A} - (1394 Net Adapter)
{E33A270D-D0B2-46BA-8724-F427F5B28554} - (Dell Wireless WLAN 1350 WLAN Mini-PCI Card)

>>> All Winsock2 Catalogs <<<
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries]
\000000000001\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)
\000000000002\\LibraryPath - %SystemRoot%\System32\winrnr.dll (Microsoft Corporation)
\000000000003\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)
\000000000004\\LibraryPath - %SystemRoot%\System32\nwprovau.dll (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries]
\000000000001\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000002\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000003\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000004\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000005\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000006\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000007\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000008\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000009\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000010\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000011\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000012\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000013\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000014\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000015\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000016\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000017\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000018\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)

>>> Protocol Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler]
\ipp - ()
\msdaipp - ()

>>> Protocol Filters (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter]

>>> Selected AddOn's <<<


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


[bleep] that was a long one.
thanks alot again for your time and infinite patience!
Hope everything looks a-ok!
  • 0

#12
cfa-ddg2
Posted 05 September 2006 - 08:20 PM

cfa-ddg2

    Visiting Staff

  • Visiting Consultant
  • 963 posts
Hello theAesthetic....good job with WinPFind...it is a long one!

The HJT log appears clean (except for a now-outdated Java which we will fix below).

I believe we may have found the stray Vundo entry in the registry....yay!

1. Please do this:
  • Copy the contents of the Quote Box below to Notepad.
  • Name the file as fix.reg
  • Change the Save as Type to All Files
  • and Save it on the desktop

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{20D57A66-F7DF-467d-907B-9B7F4A118AB7}"=-

[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{20D57A66-F7DF-467d-907B-9B7F4A118AB7}]


Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Then double-click on the fix.reg file, and when it prompts to merge say yes, and this will clear the registry entries left behind by the malware.

2. Please go to:
  • start >>control panel >>add/remove programs
Find and remove these programs (if they are present)
  • Viewpoint Manager

3. Please delete these files and folders using Windows Explorer(if present):
  • Click Start>>All Programs>>Accessories>>Windows Explorer
  • Navigate to the listed files or folders, then right-click to select them and click delete:


C:\Program Files\Viewpoint <==this folder
C:\WINDOWS\SYSTEM32\swsc.exe <==this file


4. Update Java and Remove old Java Versions
  • Download the latest version of Java Runtime Environment (JRE) 5.0 Update 8.<== scroll down the list to find THIS entry
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Remove older Java Versions:
  • Close any programs you may have running - especially your web browser.
  • Go to Start >> Control Panel double-click on Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
Install latest Java Version:
  • From your desktop, double-click on jre-1_5_0_08-windows-i586-p to install the newest version.
5. Repeat the Panda ActiveScan and post the results...also let me know if you still have the problem accessing the mentioned webpages...I'm not giving up yet!
  • 0

#13
TheAesthetic
Posted 12 September 2006 - 02:38 PM

TheAesthetic

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
so i deleted said files !
swsc wasnt there.

All files were deleted in other folder but one named thetamax (or something to that) could not be deleted. i accidently renamed it so i'm kinda out of luck with the actual name but its something like that or pretty close to that.

Went to update my java. i get cannot find page cannot be displayed. :-/

Not sure what to do now.
thanks for help and not giving up!
  • 0

#14
cfa-ddg2
Posted 12 September 2006 - 07:46 PM

cfa-ddg2

    Visiting Staff

  • Visiting Consultant
  • 963 posts

Went to update my java. i get cannot find page cannot be displayed. :-/

Not sure what to do now.
thanks for help and not giving up!


Download the Java ( Java Runtime Environment (JRE) 5.0 Update 8) file to a removable medium such as a floppy, thumb drive, CD etc on a computer that you can access the site. Then copy the Java download from the removable media to your desktop and proceed with the instructions for updating Java.

If you'd like, you can run the Panda Scan again and see if the stray Virtumondo entry is still in the registry.


Since I cannot see any malware issues with your system (and we've been pretty thorough), if you are still having those intermettent connection problems with IE please go to this forum: G2G Applications Forum and post a new topic there outlining your problem. Tell them that you've been here and your system is clean yet you are still having IE problems. Tell them what steps you have already taken to try and correct the problem.

The experts at that forum are much more adept at dealing with problems such as yours.

Hope this helps!
  • 0

#15
TheAesthetic
Posted 13 September 2006 - 07:38 PM

TheAesthetic

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
ok cool! thanks. i'm pretty content with the cleanliness of my hardrive so i will thank you and bid you adieu. i would donate but alas i am a poor college student. but in the near future we shall see! thank you for all your help past and present! nothing but good things!
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP