Very little info to go on but would appreciate any help



#1 leigh42 (Member, 14 posts)
I am helping a friend with his computer....and he seems to have all kinds of problems going on. His computer..when connecting to IE automatically says that the page is unavailable and a box pops up at the top of the screen (like when you have ActiveX that needs to be installed). This box says "the page you are looking for is probably blocked by adware/spyware on your PC Remove it with XP Antivirus Click here". This takes him to a link that runs some kind of scan that of course finds all kind of stuff and then wants to sell him a product to remove it. I went to try and dl AVG Free for him and I also tried to dl HijackThis, several times. Most times it just freezes up. Once it gave me a pop up box that looked like it was a message from Windows....who knows if it actually was...that informed me that his computer may be infected with IEMonster.b and that we should buy yet again XP Antivirus.....the download box that popped up was for XP Antivirus..not for HijackThis which I had clicked on. It's like not only his webpages are getting hijacked....but his downloads as well. He periodically gets a pop up again that looks like it is a Windows warning that says

WINDOWS ALERT:Critical Systems Warning!
Your system is probably infected with version of Spyware.IEMonster.b Spyware.IEMonster.b is spyware that attempts to steal passwords from Internet Explorer, Mozilla Firefox Outlook and other programs, including logings and passwords from online baking sessions,EBay, PayPal. It may also create special tracking files to log your activity and compromise your Internet privacy. Spyware.IEMonster then sends stolen passwords and other sensitive information to a php script at a pre specified website where stolen details are logged Click here to protect your computer (recommended) ok or cancel.


If you click cancel nothing happens. If you click OK it again tries to sell you this XP Antispyware.

Previous to this he had AVG Free and Webroot Spy Sweeper. He was dealing with his internet provider trying to get some help and was instructed to remove AVG and Spy Sweeper so that he could download their security suite. After that is when the problems got even worse. Prior to that I suppose he had at least some protection and once those were gone whatever malware is on his computer seems to have gotten a better hold and that was when he became unable to get any downloads to work. Prior to this he was already having popups and some redirection going on. I will try to download AVG and HijackThis onto a USB drive and bring it over here and see if I can get any results, but in the meantime I would be grateful for any ideas or assistance on where to start.

#2 OldTimer (Global Moderator, 3,273 posts)
Hi leigh42. Let's try a different scanner and see what we can find.

Before running the scan let's clean out the temporary folders.

Download ATF Cleaner
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Now download WinPFind35u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind35u on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind35u folder and double-click on WinPFind35U.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
    • File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. Make sure that the first line is code with brackets around it [] and that the last line is /code with brackets around it [].

If, after posting, the last line is not /code with brackets around it then the log is too big to fit into a single post and you will need to split it into multiple posts or attach it as a file.

Cheers.

OT

#3 leigh42 (Topic Starter, Member, 14 posts)
Here are the results from the scan you had me run. I ran it in safe mode as you suggested. I will be away from this computer for a bit but I will try to be back to work on it some tomorrow so no huge rush. Thanks again for your help

Leigh42

Attached Files



#4 OldTimer (Global Moderator, 3,273 posts)
Hi leigh42. A bit of a sticky wicket we've got here. Let's see if we can't get this infection to blink. Please follow the steps below in order. Try them from a normal boot and if they do not run then try them again from Safe Mode.

Avenger/VundoFix/WPF35 -

Step #1

Download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

Step #2

Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Drivers to unload:
VBGG
ntload
Files to delete:
%SystemRoot%\system32\svcd\svchost.exe
%SystemRoot%\system32\ntload.sys
%SystemRoot%\system32\winsrc.dll 
%SystemRoot%\system32\myyxl.dll 
%SystemRoot%\system32\wscmp.dll 
%SystemDrive%\winshth.exe
%SystemRoot%\System32\CID
%SystemRoot%\System32\everybodybets.32x32.4.ico
%SystemRoot%\System32\ieupdates.exe
%SystemRoot%\System32\Jamster.ico
%SystemRoot%\System32\myyxl.dll
%SystemRoot%\System32\ntload.sys
%SystemRoot%\System32\sex1.ico
%SystemRoot%\System32\sex2.ico
%SystemRoot%\System32\SvcNm
%SystemRoot%\System32\TmpX.exe
%SystemRoot%\System32\update32.exe
%SystemRoot%\System32\url1
%SystemRoot%\System32\url2
%SystemRoot%\System32\url3
%SystemRoot%\System32\winsrc.dll
%SystemRoot%\System32\winupdate.exe
%SystemRoot%\System32\wscmp.dll
%SystemDrive%\winshth.exe
%SystemRoot%\System32\CID
%SystemRoot%\System32\everybodybets.32x32.4.ico
%SystemRoot%\System32\ieupdates.exe
%SystemRoot%\System32\Jamster.ico
%SystemRoot%\System32\myyxl.dll
%SystemRoot%\System32\ntload.sys
%SystemRoot%\System32\sex1.ico
%SystemRoot%\System32\sex2.ico
%SystemRoot%\System32\SvcNm
%SystemRoot%\System32\TmpX.exe
%SystemRoot%\System32\update32.exe
%SystemRoot%\System32\url1
%SystemRoot%\System32\url2
%SystemRoot%\System32\url3
%SystemRoot%\System32\winsrc.dll
%SystemRoot%\System32\winupdate.exe
%SystemRoot%\System32\wscmp.dll
Folders to delete:
%SystemRoot%\System32\nGpxx01
%SystemRoot%\System32\svcd
%SystemRoot%\System32\nGpxx01
%SystemRoot%\System32\svcd
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Step #3

Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.

The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

Step #4
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Step #5

Start WinPFind35U. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Win32 Services - Non-Microsoft Only]
YY -> (VBGG) Security Service [Win32_Own | Auto | Stopped] -> %SystemRoot%\system32\svcd\svchost.exe
[Driver Services - Non-Microsoft Only]
YY -> (ntload) ntload v0.1 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\ntload.sys
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN ->  -> 
YN -> EPSON Stylus CX4600 Series -> %SystemRoot%\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YY -> tuvwvuu -> tuvwvuu.dll
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {037C7B8A-151A-49E6-BAED-CC05FCB50328} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\winsrc.dll [&Research]
YN -> {549B5CA7-4A86-11D7-A4DF-000874180BB3} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YY -> {6130C7E8-7727-0FAF-5162-5D00CEB98BE9} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\myyxl.dll [Reg Error: Value  does not exist or could not be read.]
YN -> {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YY -> {3F5A62E2-51F2-11D3-A075-CC7364CAE42A} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\wscmp.dll [&WinSec Toolbar]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\{4982D40A-C53B-4615-B15B-B5B5E98D167C} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
[Registry - Additional Scans - Non-Microsoft Only]
< BotCheck > -> 
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe -> C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe [C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\Program Files\Common Files\AOL\ACS\AOLDial.exe -> C:\Program Files\Common Files\AOL\ACS\AOLDial.exe [C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\Program Files\America Online 9.0\waol.exe -> C:\Program Files\America Online 9.0\waol.exe [C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\Program Files\MSN Messenger\msnmsgr.exe -> C:\Program Files\MSN Messenger\msnmsgr.exe [C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 7.0]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe -> C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe [C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Common Files\AOL\ACS\AOLDial.exe -> C:\Program Files\Common Files\AOL\ACS\AOLDial.exe [C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Yahoo!\Messenger\YPager.exe -> C:\Program Files\Yahoo!\Messenger\YPager.exe [C:\Program Files\Yahoo!\Messenger\YPager.exe:*:Enabled:Yahoo! Messenger]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\WinMX\WinMX.exe -> C:\Program Files\WinMX\WinMX.exe [C:\Program Files\WinMX\WinMX.exe:*:Enabled:WinMX Application]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\America Online 9.0\waol.exe -> C:\Program Files\America Online 9.0\waol.exe [C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\GameHouse\CollapseCrunch\Collapse3.exe -> C:\Program Files\GameHouse\CollapseCrunch\Collapse3.exe [C:\Program Files\GameHouse\CollapseCrunch\Collapse3.exe:*:Enabled:Collapse! Crunch]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\MSN Messenger\msnmsgr.exe -> C:\Program Files\MSN Messenger\msnmsgr.exe [C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 7.0]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Kazaa\kazaa.exe -> C:\Program Files\Kazaa\kazaa.exe [C:\Program Files\Kazaa\kazaa.exe:*:Enabled:Kazaa Plus]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Shareaza\Shareaza.exe -> C:\Program Files\Shareaza\Shareaza.exe [C:\Program Files\Shareaza\Shareaza.exe:*:Disabled:Shareaza Ultimate File Sharing]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\GameHouse\BounceOut\BounceOut.exe -> C:\Program Files\GameHouse\BounceOut\BounceOut.exe [C:\Program Files\GameHouse\BounceOut\BounceOut.exe:*:Enabled:Super Bounce Out!]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\GameHouse\Collapse\Collapse.exe -> C:\Program Files\GameHouse\Collapse\Collapse.exe [C:\Program Files\GameHouse\Collapse\Collapse.exe:*:Enabled:Super Collapse!]
[Files/Folders - Created Within 30 days]
NY -> winshth.exe -> %SystemDrive%\winshth.exe
NY -> CID -> %SystemRoot%\System32\CID
NY -> everybodybets.32x32.4.ico -> %SystemRoot%\System32\everybodybets.32x32.4.ico
NY -> ieupdates.exe -> %SystemRoot%\System32\ieupdates.exe
NY -> Jamster.ico -> %SystemRoot%\System32\Jamster.ico
NY -> myyxl.dll -> %SystemRoot%\System32\myyxl.dll
NY -> nGpxx01 -> %SystemRoot%\System32\nGpxx01
NY -> 8 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> ntload.sys -> %SystemRoot%\System32\ntload.sys
NY -> sex1.ico -> %SystemRoot%\System32\sex1.ico
NY -> sex2.ico -> %SystemRoot%\System32\sex2.ico
NY -> svcd -> %SystemRoot%\System32\svcd
NY -> SvcNm -> %SystemRoot%\System32\SvcNm
NY -> TmpX.exe -> %SystemRoot%\System32\TmpX.exe
NY -> update32.exe -> %SystemRoot%\System32\update32.exe
NY -> url1 -> %SystemRoot%\System32\url1
NY -> url2 -> %SystemRoot%\System32\url2
NY -> url3 -> %SystemRoot%\System32\url3
NY -> winsrc.dll -> %SystemRoot%\System32\winsrc.dll
NY -> winupdate.exe -> %SystemRoot%\System32\winupdate.exe
NY -> wscmp.dll -> %SystemRoot%\System32\wscmp.dll
NY -> W?nSxS -> %SystemRoot%\System32\WіnSxS
NY -> ?ymantec -> %SystemRoot%\System32\Ѕymantec
[Files/Folders - Modified Within 30 days]
NY -> winshth.exe -> %SystemDrive%\winshth.exe
NY -> 8 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> CID -> %SystemRoot%\System32\CID
NY -> everybodybets.32x32.4.ico -> %SystemRoot%\System32\everybodybets.32x32.4.ico
NY -> ieupdates.exe -> %SystemRoot%\System32\ieupdates.exe
NY -> Jamster.ico -> %SystemRoot%\System32\Jamster.ico
NY -> myyxl.dll -> %SystemRoot%\System32\myyxl.dll
NY -> nGpxx01 -> %SystemRoot%\System32\nGpxx01
NY -> ntload.sys -> %SystemRoot%\System32\ntload.sys
NY -> sex1.ico -> %SystemRoot%\System32\sex1.ico
NY -> sex2.ico -> %SystemRoot%\System32\sex2.ico
NY -> svcd -> %SystemRoot%\System32\svcd
NY -> SvcNm -> %SystemRoot%\System32\SvcNm
NY -> TmpX.exe -> %SystemRoot%\System32\TmpX.exe
NY -> update32.exe -> %SystemRoot%\System32\update32.exe
NY -> url1 -> %SystemRoot%\System32\url1
NY -> url2 -> %SystemRoot%\System32\url2
NY -> url3 -> %SystemRoot%\System32\url3
NY -> winsrc.dll -> %SystemRoot%\System32\winsrc.dll
NY -> winupdate.exe -> %SystemRoot%\System32\winupdate.exe
NY -> wscmp.dll -> %SystemRoot%\System32\wscmp.dll
NY -> W?nSxS -> %SystemRoot%\System32\WіnSxS
NY -> ?ymantec -> %SystemRoot%\System32\Ѕymantec
[Extra Files]
purity
[Empty Temp Folders]
[Start Explorer]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix.

Step #6

Run a new WinPFind35u scan with the following options:

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind35u folder and double-click on WinPFind35U.exe to start the program.
  • In the Driver Services section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Step #7

Post the following back here:
The Avenger report (c:\Avenger.txt)
The VundoFix log
The latest WinPFind35u fix log (look in the WinPFind35u folder for the MovedFiles folder. In that folder will be a file with a name in the form of mmddyyyy_hhmmss.log for month, day, year, hours, minutes, and seconds that the scan was run. )
The new WinPFind35u scan log

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Cheers.

OT

#5 leigh42 (Topic Starter, Member, 14 posts)
Hello again Old Timer,

I have had very little luck with this machine. I managed to get avenger downloaded and tried to run it in safe mode. I am attaching the file it created but it seems to me it didn't work. I then tried in safe mode. When it rebooted I had two black command boxes and over them I had the following message box:

Windows-No Disk
There is no disk in the drive. Please insert a disk into the drive. Cancel Try Again or Continue


None of the options would work....I have no idea why it is prompting me for a disk.

The command boxes said the following:

1st box

C:\avenger\1.reg
C:\avenger\2.reg
1 File(s) copied
zip warning C:backup.zip not found or empty
adding:avenger/avenger.text (188 bytes security) (deflated 77%)
adding :avenger/avenger.text (188 bytes security) (deflated 83%)



2nd box

C:avenger\2.reg
Could not find C:avenger\*.reg
The system cannot find the file specified
1 File Copied
zip warning: name not matched: C:\avenger\*
the system cannot find the file specified


A second file was created and I will attach it but again it seems not to have worked. It is just a list of errors.....Let me know if you have any other ideas
I have no idea if this is any help at all.........

Also I managed to get avg back onto this computer and have it scanning now. I will let you know what it finds.....

Attached Files


Edited by leigh42, 15 February 2008 - 12:19 PM.


#6 OldTimer (Global Moderator, 3,273 posts)
Hi leigh42. Skip that and just run the other two then (VundoFix and WinPFind35). I doubt that they will work either if Avenger couldn't run but let's try them. This machine has quite a hefty infection and we might need to go in and delete the files manually through the Recovery Console.

Cheers.

OT

#7 leigh42 (Topic Starter, Member, 14 posts)
Old Timer...

Here are the results from AVG...my friend called with them once he got home. I will go over there and run the other 2 scans on Monday and let you know the results. Again, thanks for your help. AVG found 7 threats:


C:/windows/system32/ymante~1spool32.exe
the details from this say: trojan downloader purity scan.z

C:/windows/system32/ieupdates.exe
details:trojan horse SHeur.YJU

C:/documentsandsettings/owner/local settings/temp/winusnet.exe
details:trojan downloader purityscan.AC

4th one is the same as the second

C:/windows/system32/NTload.sys
details:trojan horse generic5.cvg

C:/windows/system32/update32.exe
details:trojan horse SHeur.YJU

C:/windows/system32/?YMANTEC/spool32.exe
details:trojan downloader purityscan.z


I hope all that information is correct. He was reading it all off to me on the phone. He says that AVG deleted all of those but I seriously doubt it has really fixed anything. Like I said I will be back over Monday and will see what else I can do


Thanks,
Leigh42

#8 leigh42 (Topic Starter, Member, 14 posts)
Hello again,

Here are what little results I have managed to get this time. I ran VundoFix...it found several files and removed all but one. The one it could not remove is listed at the end of the txt file. I also tried to run the WinPFind35u fix you gave me. It said it was running the fix but once again the program went not responding and I had to reboot. I can try again if you would like. I am posting the .txt file from VundoFix as well as a fresh HijackThis log. Since getting AVG back on this machine it is running much better, but AVG is still finding threats every time it scans (although not nearly as much as it was). Also every time I reboot I am getting error messages from Avenger and the command prompt boxes. Should I delete the Avenger stuff from this machine since it doesn't seem to be helping any? Let me know what you think our next step should be.

Thanks a bunch!
leigh42


Here is the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:28:09 PM, on 2/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\QdrModule\QdrModule12.exe
C:\WINDOWS\system32\W?nSxS\m?hta.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.charter.net/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
F3 - REG:win.ini: run="C:\WINDOWS\system32\winupdate.exe"
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: (no name) - {0E0A2AD5-1ADC-4EC3-90FC-0FB793C9259E} - C:\WINDOWS\system32\pmnnkhh.dll
O2 - BHO: (no name) - {3434C6B9-2277-0FA1-0262-5D00CEB9DCEA} - C:\WINDOWS\system32\dkzcht.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &WinSec Toolbar - {3F5A62E2-51F2-11D3-A075-CC7364CAE42A} - C:\WINDOWS\system32\wscmp.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunKistEM] "C:\Program Files\Digital Media Reader\shwiconem.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE" /P26 "EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [vtivddte] C:\yhswgpki.bat
O4 - HKLM\..\Run: [gbuxkhgq] C:\gpbayees.bat
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [hubdmckq] C:\xntamjdi.bat
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [EPSON Stylus CX4600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /M "Stylus CX4600" /EF "HKCU"
O4 - HKCU\..\Run: [EPSON Stylus CX4800 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE" /P26 "EPSON Stylus CX4800 Series" /M "Stylus CX4800" /EF "HKCU"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [QdrModule12] "C:\Program Files\QdrModule\QdrModule12.exe"
O4 - HKCU\..\Run: [QdrPack12] "C:\Program Files\QdrPack\QdrPack12.exe"
O4 - HKCU\..\Run: [Abhfsnh] C:\WINDOWS\system32\W?nSxS\m?hta.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {E6182DB0-BE70-4EA3-A8FB-D402C6D951D5} (VUploader Control) - http://photofiddle.c...loaderProj1.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/...s/msnchat45.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 9256 bytes

#9 OldTimer (Global Moderator, 3,273 posts)
Hi leigh42. I need a new scan from WinPFind35 (use the original options). HijackThis won't show anything. If WPF35 froze it just means that the infection is still active and I'll need to see what and where it is.

Cheers.

OT

#10 leigh42 (Topic Starter, Member, 14 posts)
Here is the new scan from WinPFind35. It actually worked this time!! I take that as a somewhat good sign.

#11 OldTimer (Global Moderator, 3,273 posts)
Hi leigh42. Ok, let's go through it again.

Step #1

Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
%ProgramFiles%\QdrModule\QdrModule12.exe
%ProgramFiles%\QdrPack\QdrPack12.exe
%SystemDrive%\avexport.bat
%SystemDrive%\backup.reg
%SystemDrive%\gpbayees.bat
%SystemDrive%\reboot.bat
%SystemDrive%\reboot.exe
%SystemDrive%\xntamjdi.bat
%SystemDrive%\yhswgpki.bat
%SystemDrive%\zip.exe
%SystemRoot%\System32\dkzcht.dll
%SystemRoot%\system32\dkzcht.dll 
%SystemRoot%\System32\drivers\dhenfqbo.sys
%SystemRoot%\System32\drivers\ndisnies.sys
%SystemRoot%\System32\drivers\oenvphwh.sys
%SystemRoot%\System32\pmnnkhh.dll
%SystemRoot%\system32\pmnnkhh.dll 
%SystemRoot%\System32\sex3.ico
%SystemRoot%\System32\sex4.ico
%SystemRoot%\System32\sex5.ico
%SystemRoot%\system32\wscmp.dll 
%SystemRoot%\system32\WіnSxS\mѕhta.exe
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
Folders to delete:
%SystemRoot%\System32\WіnSxS
%SystemRoot%\System32\Ѕymantec

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.

The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

Step #2

Start WinPFind35U. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Processes - Non-Microsoft Only]
YY -> qdrmodule12.exe -> %ProgramFiles%\QdrModule\QdrModule12.exe
YY -> mѕhta.exe -> %SystemRoot%\system32\WіnSxS\mѕhta.exe
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> gbuxkhgq -> %SystemDrive%\gpbayees.bat
YY -> hubdmckq -> %SystemDrive%\xntamjdi.bat
YY -> vtivddte -> %SystemDrive%\yhswgpki.bat
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> Abhfsnh -> %SystemRoot%\system32\WіnSxS\mѕhta.exe
YN -> EPSON Stylus CX4600 Series -> %SystemRoot%\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE
YY -> QdrModule12 -> %ProgramFiles%\QdrModule\QdrModule12.exe
YY -> QdrPack12 -> %ProgramFiles%\QdrPack\QdrPack12.exe
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
YY -> {0E0A2AD5-1ADC-4EC3-90FC-0FB793C9259E} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\pmnnkhh.dll []
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> 
YN -> HKEY_CURRENT_USER\: SearchURL\\ -> http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com[{682DF67D-EE85-46E6-8446-ACFF0C62FBFF}]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {0E0A2AD5-1ADC-4EC3-90FC-0FB793C9259E} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\pmnnkhh.dll [Reg Error: Value  does not exist or could not be read.]
YY -> {3434C6B9-2277-0FA1-0262-5D00CEB9DCEA} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\dkzcht.dll [Reg Error: Value  does not exist or could not be read.]
NY -> {549B5CA7-4A86-11D7-A4DF-000874180BB3} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
NY -> {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YY -> {3F5A62E2-51F2-11D3-A075-CC7364CAE42A} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\wscmp.dll [&WinSec Toolbar]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
NY -> WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
NY -> WebBrowser\\{4982D40A-C53B-4615-B15B-B5B5E98D167C} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
NY -> CmdMapping: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. []
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\
NY -> CmdMapping\\{4982D40A-C53B-4615-B15B-B5B5E98D167C} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
[Registry - Additional Scans - Non-Microsoft Only]
< BotCheck > -> 
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe -> C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe [C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\Program Files\Common Files\AOL\ACS\AOLDial.exe -> C:\Program Files\Common Files\AOL\ACS\AOLDial.exe [C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\Program Files\America Online 9.0\waol.exe -> C:\Program Files\America Online 9.0\waol.exe [C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\Program Files\MSN Messenger\msnmsgr.exe -> C:\Program Files\MSN Messenger\msnmsgr.exe [C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 7.0]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe -> C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe [C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Common Files\AOL\ACS\AOLDial.exe -> C:\Program Files\Common Files\AOL\ACS\AOLDial.exe [C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Yahoo!\Messenger\YPager.exe -> C:\Program Files\Yahoo!\Messenger\YPager.exe [C:\Program Files\Yahoo!\Messenger\YPager.exe:*:Enabled:Yahoo! Messenger]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\WinMX\WinMX.exe -> C:\Program Files\WinMX\WinMX.exe [C:\Program Files\WinMX\WinMX.exe:*:Enabled:WinMX Application]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\America Online 9.0\waol.exe -> C:\Program Files\America Online 9.0\waol.exe [C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\GameHouse\CollapseCrunch\Collapse3.exe -> C:\Program Files\GameHouse\CollapseCrunch\Collapse3.exe [C:\Program Files\GameHouse\CollapseCrunch\Collapse3.exe:*:Enabled:Collapse! Crunch]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\MSN Messenger\msnmsgr.exe -> C:\Program Files\MSN Messenger\msnmsgr.exe [C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 7.0]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Kazaa\kazaa.exe -> C:\Program Files\Kazaa\kazaa.exe [C:\Program Files\Kazaa\kazaa.exe:*:Enabled:Kazaa Plus]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Shareaza\Shareaza.exe -> C:\Program Files\Shareaza\Shareaza.exe [C:\Program Files\Shareaza\Shareaza.exe:*:Disabled:Shareaza Ultimate File Sharing]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\GameHouse\BounceOut\BounceOut.exe -> C:\Program Files\GameHouse\BounceOut\BounceOut.exe [C:\Program Files\GameHouse\BounceOut\BounceOut.exe:*:Enabled:Super Bounce Out!]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\GameHouse\Collapse\Collapse.exe -> C:\Program Files\GameHouse\Collapse\Collapse.exe [C:\Program Files\GameHouse\Collapse\Collapse.exe:*:Enabled:Super Collapse!]
[Files/Folders - Created Within 30 days]
NY -> avexport.bat -> %SystemDrive%\avexport.bat
NY -> reboot.bat -> %SystemDrive%\reboot.bat
NY -> reboot.exe -> %SystemDrive%\reboot.exe
NY -> xntamjdi.bat -> %SystemDrive%\xntamjdi.bat
NY -> yhswgpki.bat -> %SystemDrive%\yhswgpki.bat
NY -> zip.exe -> %SystemDrive%\zip.exe
NY -> dhenfqbo.sys -> %SystemRoot%\System32\drivers\dhenfqbo.sys
NY -> ndisnies.sys -> %SystemRoot%\System32\drivers\ndisnies.sys
NY -> oenvphwh.sys -> %SystemRoot%\System32\drivers\oenvphwh.sys
NY -> dkzcht.dll -> %SystemRoot%\System32\dkzcht.dll
NY -> pmnnkhh.dll -> %SystemRoot%\System32\pmnnkhh.dll
NY -> sex3.ico -> %SystemRoot%\System32\sex3.ico
NY -> sex4.ico -> %SystemRoot%\System32\sex4.ico
NY -> sex5.ico -> %SystemRoot%\System32\sex5.ico
NY -> W?nSxS -> %SystemRoot%\System32\WіnSxS
NY -> ?ymantec -> %SystemRoot%\System32\Ѕymantec
[Files/Folders - Modified Within 30 days]
NY -> avexport.bat -> %SystemDrive%\avexport.bat
NY -> backup.reg -> %SystemDrive%\backup.reg
NY -> gpbayees.bat -> %SystemDrive%\gpbayees.bat
NY -> reboot.bat -> %SystemDrive%\reboot.bat
NY -> reboot.exe -> %SystemDrive%\reboot.exe
NY -> xntamjdi.bat -> %SystemDrive%\xntamjdi.bat
NY -> yhswgpki.bat -> %SystemDrive%\yhswgpki.bat
NY -> zip.exe -> %SystemDrive%\zip.exe
NY -> dhenfqbo.sys -> %SystemRoot%\System32\drivers\dhenfqbo.sys
NY -> ndisnies.sys -> %SystemRoot%\System32\drivers\ndisnies.sys
NY -> oenvphwh.sys -> %SystemRoot%\System32\drivers\oenvphwh.sys
NY -> dkzcht.dll -> %SystemRoot%\System32\dkzcht.dll
NY -> pmnnkhh.dll -> %SystemRoot%\System32\pmnnkhh.dll
NY -> sex3.ico -> %SystemRoot%\System32\sex3.ico
NY -> sex4.ico -> %SystemRoot%\System32\sex4.ico
NY -> sex5.ico -> %SystemRoot%\System32\sex5.ico
NY -> W?nSxS -> %SystemRoot%\System32\WіnSxS
NY -> ?ymantec -> %SystemRoot%\System32\Ѕymantec
NY -> qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
NY -> qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
[Extra Files]
%SystemRoot%\system32\W?nSxS\
%ProgramFiles%\QdrModule\
%ProgramFiles%\QdrPack\
Purity
[Empty Temp Folders]
[Start Explorer]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix.

Step #3

Run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Click on Online Services and then Online Scanner
  • Accept the License Agreement.
  • Once the ActiveX installs,Click Full System Scan
  • Once the download completes,the scan will begin automatically.
  • The scan will take some time to finish,so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.

Step #4

Run a new WinPFind35u scan with the following options:

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind3u folder and double-click on WinPFind35U.exe to start the program.
  • In the Driver Services section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:

    • File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Step #5

Post the following back here:
The Avenger report (c:\Avenger.txt)
The latest WinPFind35u fix log (look in the WinPFind35u folder for the MovedFiles folder. In that folder will be a file with a name in the form of mmddyyyy_hhmmss.log for month, day, year, hours, minutes, and seconds that the scan was run. )
The new WinPFind35u scan log

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Cheers.

OT

#12 leigh42 (Topic Starter, Member, 14 posts)
hello again,

Here are what results I got this time. I ran Avenger and I am not 100% sure that it did what it should have, but I did get a .txt file this time with some results, so I am attaching it. I then tried to run the WinPFind35u fix that you gave me and the program again went not responding. I then ran the F-Secure online scan as you instructed. It found 57 spyware and 2 viruses. I am attaching the file it generated. I then ran the WinPFind35u scan again. The scan works fine and I got another log for you. Not sure why the scan will work but not the script you had me input. Also I am still having problems on reboot. Every time I reboot I get an error that says:
Windows-No Disk
There is no disk in the drive. Please insert a disk into the drive. Cancel Try again or Continue


It won't actually let me do any of those options. Behind that error box are 2 command prompt windows that say:

The system cannot find the path specified.
The system cannot find the file specified.
The system cannot find the path specified.
The system cannot find the file specified.


Both boxes say that.
I am able to close out the command prompt boxes and then close out the error. Don't know if that's any help at all or if it is even relevant, but there you go.

I hope that this will give you something to go on. Let me know what you think my next step will be and thanks for your help.

leigh42

Edited by leigh42, 21 February 2008 - 12:37 PM.

#13 OldTimer (Global Moderator, 3,273 posts)
Hi leigh42. Looking better. A couple of things. Every time the machine is rebooted it will change the names of the infected files. Do not reboot unless one of the tools requests it. The machine should also be disconnected from the Internet to prevent contact with it. Lastly, do not attach the logs because they are unreadable. Copy/paste them into the response.

Now, let's try again.

Step #1

Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
%SystemDrive%\aumvxgyy.bat
%SystemDrive%\gdjkgbrr.bat
%SystemRoot%\System32\drivers\cuudbcdq.sys
%SystemRoot%\System32\drivers\cvsghbck.sys
%SystemRoot%\System32\gebyaby.dll
%SystemRoot%\system32\wvutqpn.dll
%SystemRoot%\system32\wvutqpn.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.

The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

Step #2

Start WinPFind35U. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> adgbptbl -> %SystemDrive%\gdjkgbrr.bat
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
YY -> {D85530E8-D39D-49D0-9F36-300D594556D2} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\wvutqpn.dll []
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YY -> wvutqpn -> %SystemRoot%\system32\wvutqpn.dll
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {D85530E8-D39D-49D0-9F36-300D594556D2} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\wvutqpn.dll [Reg Error: Value  does not exist or could not be read.]
YN -> {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> WebBrowser\\{4982D40A-C53B-4615-B15B-B5B5E98D167C} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\{4982D40A-C53B-4615-B15B-B5B5E98D167C} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
[Files/Folders - Created Within 30 days]
NY -> aumvxgyy.bat -> %SystemDrive%\aumvxgyy.bat
NY -> gdjkgbrr.bat -> %SystemDrive%\gdjkgbrr.bat
NY -> cuudbcdq.sys -> %SystemRoot%\System32\drivers\cuudbcdq.sys
NY -> cvsghbck.sys -> %SystemRoot%\System32\drivers\cvsghbck.sys
NY -> gebyaby.dll -> %SystemRoot%\System32\gebyaby.dll
NY -> wvutqpn.dll -> %SystemRoot%\System32\wvutqpn.dll
NY -> W?nSxS -> %SystemRoot%\System32\WіnSxS
NY -> ?ymantec -> %SystemRoot%\System32\Ѕymantec
[Files Created - Additional Folder Scans - Non-Microsoft Only]
NY -> s?mbols -> %CommonProgramFiles%\sуmbols
[Files/Folders - Modified Within 30 days]
NY -> aumvxgyy.bat -> %SystemDrive%\aumvxgyy.bat
NY -> gdjkgbrr.bat -> %SystemDrive%\gdjkgbrr.bat
NY -> cuudbcdq.sys -> %SystemRoot%\System32\drivers\cuudbcdq.sys
NY -> cvsghbck.sys -> %SystemRoot%\System32\drivers\cvsghbck.sys
NY -> gebyaby.dll -> %SystemRoot%\System32\gebyaby.dll
NY -> wvutqpn.dll -> %SystemRoot%\System32\wvutqpn.dll
NY -> W?nSxS -> %SystemRoot%\System32\WіnSxS
NY -> ?ymantec -> %SystemRoot%\System32\Ѕymantec
[Extra Files]
Purity
[Empty Temp Folders]
[Start Explorer]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix.

Step #3

Run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Click on Online Services and then Online Scanner
  • Accept the License Agreement.
  • Once the ActiveX installs,Click Full System Scan
  • Once the download completes,the scan will begin automatically.
  • The scan will take some time to finish,so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.

Step #4

Run a new WinPFind35u scan with the following options:

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind3u folder and double-click on WinPFind35U.exe to start the program.
  • In the Driver Services section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:

    • File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Step #5

Post the following back here:
The Avenger report (c:\Avenger.txt)
The latest WinPFind35u fix log (look in the WinPFind35u folder for the MovedFiles folder. In that folder will be a file with a name in the form of mmddyyyy_hhmmss.log for month, day, year, hours, minutes, and seconds that the scan was run. )
The new WinPFind35u scan log

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Cheers.

OT
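
An added triage helper, not one of OldTimer's tools and not code from this thread, that shows the two launch-point patterns the fix scripts in posts #11 and #13 are chasing. The first is names spelled with Cyrillic look-alike letters: the WіnSxS, mѕhta.exe, Ѕymantec and sуmbols entries, which HijackThis and the WinPFind name column most likely print as W?nSxS and m?hta.exe because an ANSI code page has no glyph for those letters, and which a path typed with Latin letters will never match. The second is randomly named files dropped where legitimate software does not put them: .bat files in the root of the system drive, and DLLs in system32 registered under ShellExecuteHooks, Winlogon\Notify or as BHOs. The script parses WinPFind35U fix-script lines and HijackThis O4 lines; the confusable table, the vowel-ratio heuristic and the sample lines (copied from this thread, with the Cyrillic letters written as escapes) are this example's own assumptions, not anything the tools themselves do:

```python
import re
import unicodedata

# Hand-written subset of Unicode's confusables table: Cyrillic letters that
# render like Latin ones. The thread's paths use U+0456, U+0455, U+0405, U+0443.
CONFUSABLE = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u0458": "j",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X", "\u0405": "S", "\u0406": "I", "\u0408": "J",
}

# Fix-script sections where a DLL with a random name is worth a second look
# (legitimate software rarely registers there). Assumption of this example.
HOOK_SECTIONS = ("ShellExecuteHooks", "Winlogon\\Notify", "BHO")

FIX_SECTION = re.compile(r"^< (.+?) (?:\[[^\]]*\] )?>")      # "< BHO's [HKEY_LOCAL_MACHINE] > -> ..."
FIX_ENTRY = re.compile(r"^[YN]{2} -> (.+?) -> (.+)$")       # "YY -> <name> -> <path> [note]"
HJT_ENTRY = re.compile(r"^O\d+ - (.+?): \[(.+?)\] (.+)$")     # "O4 - HKCU\..\Run: [<name>] <path>"
ROOT_LAUNCH = re.compile(r"(?:%SystemDrive%|[A-Za-z]:)\\[^\\]+\.(?:bat|cmd|exe)$", re.I)


def ascii_lookalike(text):
    """Fold confusable Cyrillic letters to the Latin letters they imitate."""
    return "".join(CONFUSABLE.get(c, c) for c in text)


def homoglyphs(path):
    """Every non-ASCII character in a path, with code point and Unicode name."""
    return [(c, "U+%04X" % ord(c), unicodedata.name(c, "?")) for c in path if ord(c) > 127]


def random_looking(stem):
    """Weak signal on its own: 6-8 lowercase letters with few vowels (pmnnkhh, wvutqpn)."""
    if not re.fullmatch(r"[a-z]{6,8}", stem):
        return False
    return sum(stem.count(v) for v in "aeiou") / len(stem) < 0.4


def clean_path(raw):
    """Strip quoting, command-line arguments and WinPFind's trailing '[...]' note."""
    raw = re.sub(r"\s*\[[^\]]*\]\s*$", "", raw.strip())
    quoted = re.match(r'"([^"]+)"', raw)
    if quoted:
        return quoted.group(1)
    return re.split(r" (?:/|\(User )", raw)[0]


def triage(lines):
    """Return (line_no, signal, detail) for launch points that deserve a closer look."""
    findings, section = [], ""
    for no, line in enumerate(lines, 1):
        if line.startswith("["):            # "[Registry - Non-Microsoft Only]" etc.
            section = ""
            continue
        sec = FIX_SECTION.match(line)
        if sec:
            section = sec.group(1)
            continue
        hjt, fix = HJT_ENTRY.match(line), FIX_ENTRY.match(line)
        if hjt:
            section, path = hjt.group(1), clean_path(hjt.group(3))
        elif fix:
            path = clean_path(fix.group(2))
        else:
            continue
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if homoglyphs(path):
            findings.append((no, "HOMOGLYPH", "%s looks like %s" % (path, ascii_lookalike(path))))
        if ROOT_LAUNCH.fullmatch(path):
            findings.append((no, "ROOT_LAUNCH", path))
        if any(h in section for h in HOOK_SECTIONS) and random_looking(stem):
            findings.append((no, "HOOK_DLL", path))
    return findings


# Constructed sample: lines copied from the fix scripts and HijackThis log in this
# thread, with the Cyrillic letters written as escapes so they survive copy/paste.
SAMPLE = [
    "< Run [HKEY_LOCAL_MACHINE\\] > -> HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
    "YY -> gbuxkhgq -> %SystemDrive%\\gpbayees.bat",
    "< Run [HKEY_CURRENT_USER\\] > -> HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
    "YY -> Abhfsnh -> %SystemRoot%\\system32\\W\u0456nSxS\\m\u0455hta.exe",
    "YN -> EPSON Stylus CX4600 Series -> %SystemRoot%\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATI9AA.EXE",
    "< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellExecuteHooks",
    "YY -> {D85530E8-D39D-49D0-9F36-300D594556D2} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\\system32\\wvutqpn.dll []",
    "[Files Created - Additional Folder Scans - Non-Microsoft Only]",
    "NY -> s?mbols -> %CommonProgramFiles%\\s\u0443mbols",
    "O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe",
    "O4 - HKCU\\..\\Run: [QdrModule12] \"C:\\Program Files\\QdrModule\\QdrModule12.exe\"",
]

if __name__ == "__main__":
    for no, signal, detail in triage(SAMPLE):
        print("line %2d %-11s %s" % (no, signal, detail))
```

Run as a script it prints four hits: the .bat in the root of C:\, the WіnSxS\mѕhta.exe pair with its Latin look-alike, the wvutqpn.dll ShellExecuteHook, and the sуmbols folder. Note what it does not catch: QdrModule12.exe is removed in post #11 on the helper's knowledge of the name, not on anything these heuristics see, and random_looking on its own also fires on ordinary names such as ctfmon, which is why it is only consulted for the hook sections. Anything flagged HOMOGLYPH must be deleted with the exact characters copied from the log, as the Avenger scripts above do; a hand-typed Latin WinSxS names the genuine Windows folder, which must not be deleted.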

#14 leigh42 (Topic Starter, Member, 14 posts)
hello again,

Here are some results for you. I ran the Avenger fix that you gave me. I am posting the log. When it rebooted (per the tool) I again got the error message that "There is no disk in the drive. Please insert a disk into the drive." I got a black command prompt box behind that and it listed a bunch of stuff I hadn't seen before. I wrote it all down if you would like to know what it said. I then tried to run the WinPFind35u fix that you gave me and again the program went not responding. I looked in the MovedFiles folder that you said the log would be in and there is a folder with the mmddyyyy_hhmmss format, but it is a folder, not a file. There are some other things in that folder but no log. Not sure if that is any help or not. I then ran the F-Secure scan and I am posting the results. I then ran a new WinPFind35u scan and will post those results as well. I just posted all the logs except the WinPFind35U scan log. It is too big and all of it didn't fit. I am going to try it as its own post and if that doesn't work then I will have to upload it as an attachment. I wasn't sure if you meant that none of the attachments were readable or just one particular one. If you would prefer any of these as attachments let me know and I can do that. Let me know if you need anything else.

Thanks,
leigh42

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\dfwgbrtb

*******************

Script file located at: \??\C:\hwtafeid.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\aumvxgyy.bat deleted successfully.
File C:\gdjkgbrr.bat deleted successfully.
File C:\WINDOWS\System32\drivers\cuudbcdq.sys deleted successfully.
File C:\WINDOWS\System32\drivers\cvsghbck.sys deleted successfully.
File C:\WINDOWS\System32\gebyaby.dll deleted successfully.


File C:\WINDOWS\system32\wvutqpn.dll not found!
Deletion of file C:\WINDOWS\system32\wvutqpn.dll failed!

Could not process line:
C:\WINDOWS\system32\wvutqpn.dll
Status: 0xc0000034



File C:\WINDOWS\system32\wvutqpn.dll not found!
Deletion of file C:\WINDOWS\system32\wvutqpn.dll failed!

Could not process line:
C:\WINDOWS\system32\wvutqpn.dll
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

Scanning Report
Monday, February 25, 2008 15:10:35 - 16:58:02
Computer name: YOUR-05951D9DC8
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\


--------------------------------------------------------------------------------

Result: 43 malware found
Tracking Cookie (spyware)
System (Disinfected)
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
W32/DLoader.FNRE (virus)
C:\RECYCLER\S-1-5-21-3884534231-1141367066-3325242509-1003\DC9\WINPFIND35U.EXE (Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 36165
System: 4311
Not scanned: 11
Actions:
Disinfected: 1
Renamed: 0
Deleted: 0
None: 42
Submitted: 1
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\AWTSS.DLL
C:\WINDOWS\SYSTEM32\DDCCY.DLL
C:\WINDOWS\SYSTEM32\GEEDD.DLL
C:\WINDOWS\SYSTEM32\MLJGH.DLL
C:\WINDOWS\SYSTEM32\VTSTU.DLL
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\F7Z9S2LD\CAKPUFEF
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\F7Z9S2LD\CARUI5VN
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\CP2FGTUJ\CA1KS759

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure AVP: 7.0.171, 2008-02-25
F-Secure Blacklight: 1.0.64
F-Secure Draco: 1.0.35, 2008-02-13
F-Secure Libra: 2.4.2, 2008-02-21
F-Secure Orion: 1.2.37, 2008-02-25
F-Secure Pegasus: 1.20.0, 2008-01-20
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX JPG SWF
Use Advanced heuristics

--------------------------------------------------------------------------------


Edited by leigh42, 25 February 2008 - 04:29 PM.

#15 leigh42 (Topic Starter, Member, 14 posts)
Here is the WinPfind35u scan log. It was too big to post so I had to upload it as an attachment.

Edited by leigh42, 25 February 2008 - 04:32 PM.